Index: openacs-4/packages/general-comments/www/comment-add-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/www/comment-add-2.tcl,v
diff -u -r1.8.2.5 -r1.8.2.6
--- openacs-4/packages/general-comments/www/comment-add-2.tcl 3 Oct 2022 12:20:37 -0000 1.8.2.5
+++ openacs-4/packages/general-comments/www/comment-add-2.tcl 23 Mar 2023 15:41:37 -0000 1.8.2.6
@@ -27,6 +27,23 @@
 object_name:onevalue
 category:onevalue
 return_url:onevalue
+} -validate {
+ no_js_in_content {
+ #
+ # We do not allow any javascript in the content, including
+ # event handlers.
+ #
+ if {![ad_dom_sanitize_html \
+ -allowed_tags * \
+ -allowed_attributes * \
+ -allowed_protocols * \
+ -html $content \
+ -no_js \
+ -validate]} {
+ ad_complain [_ acs-tcl.lt_name_contains_invalid \
+ [list name [_ general-comments.Comment]]]
+ }
+ }
 }
 
 # check to see if the user can create comments on this object
Index: openacs-4/packages/general-comments/www/comment-edit-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/www/comment-edit-2.tcl,v
diff -u -r1.8.2.3 -r1.8.2.4
--- openacs-4/packages/general-comments/www/comment-edit-2.tcl 3 Oct 2022 12:20:37 -0000 1.8.2.3
+++ openacs-4/packages/general-comments/www/comment-edit-2.tcl 23 Mar 2023 15:41:37 -0000 1.8.2.4
@@ -27,6 +27,23 @@
 title:onevalue
 content:onevalue
 target:onevalue
+} -validate {
+ no_js_in_content {
+ #
+ # We do not allow any javascript in the content, including
+ # event handlers.
+ #
+ if {![ad_dom_sanitize_html \
+ -allowed_tags * \
+ -allowed_attributes * \
+ -allowed_protocols * \
+ -html $content \
+ -no_js \
+ -validate]} {
+ ad_complain [_ acs-tcl.lt_name_contains_invalid \
+ [list name [_ general-comments.Comment]]]
+ }
+ }
 }
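Review bot: With `-allowed_tags *`, `-allowed_attributes *` and `-allowed_protocols *` the allow-lists of `ad_dom_sanitize_html` are effectively switched off, so the new `no_js_in_content` check rejects only what `-no_js` recognises (script tags, inline event handlers and the `javascript:` pseudo-protocol, if I recall the proc's contract correctly) and every other tag, attribute and URL scheme in `$content` passes untouched. If the intent is defense in depth rather than a pure JavaScript gate, drop the three wildcard `-allowed_*` flags so the proc falls back to its defaults (I believe these come from the kernel's AllowedTag/AllowedAttribute/AllowedProtocol parameters — worth confirming), and keep sanitizing on the display side, since this is submission-time validation only and comments stored before this change are never re-checked here. The same 17 lines are repeated verbatim in the comment-edit-2.tcl hunk; a single proc in the package's Tcl library, e.g. `general_comments::content_has_no_js $content` (placeholder name), called from both `-validate` blocks would keep the two pages from drifting apart. The `ad_page_contract` call that this `-validate` block extends starts before the hunk.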