phoque
Feb 18, 2008, 12:30:06 PM
to Antville developer's mailing-list
Hi Tobi,
since there was a big outcry here this weekend when people saw that you can leave
all sorts of form/JavaScript/CSS nonsense in comments and articles, I set about
today backporting the HTML tag whitelist from twoday and integrating it into our
Antville. Maybe it interests you.
The following changes were necessary:
# allowedTags: List of tags/attributes that are allowed for a story, resp.
# for a comment. All other tags/attributes are being removed. This
# should guarantee that no users can insert malicious (script) code, esp.
# the XMLHttpRequest-Object. By adding '%[.]' to this list, it is possible
# to allow macros to be inserted.
allowedTagsForStory = a[name|href|target|title|hreflang], strong, b, \
   em, i, strike, p[align], ol, ul, li, br, nobr, wbr, \
   img[src|border|alt|title|width|height|align], blockquote[cite], div[align], \
   pre, code, center, cite, \
   table[border|cellpadding|cellspacing|width|height|bgcolor], \
   th[width|height|align|valign|colspan|rowspan], \
   tr[width|height|align|valign|colspan|rowspan], \
   td[width|height|align|valign|colspan|rowspan], q[cite], samp, kbd, var, \
   dfn, acronym, abbr, ins, del, hr[size|width|align], font[size|color|face], \
   basefont[size|color|face], big, small, tt, sub, sup, s, blink, %[.]
allowedTagsForComment = a[name|href|target|title|hreflang], strong, b, \
   em, i, strike, p[align], ol, ul, li, br, nobr, wbr, \
   img[src|border|alt|title|width|height|align], blockquote[cite], div[align], \
   pre, code, center, cite, q[cite], samp, kbd, var, dfn, acronym, abbr, ins, del, \
   font[size|color|face], basefont[size|color|face], big, small, tt, sub, \
   sup, s, blink
in /usr/local/helma/apps/antville/code/app.properties:52
// sanitize user input (if this is a non-trusted site)
if (!this.site.trusted) {
   for (var i in content.value) {
      content.value[i] = sanitize(content.value[i],
         app.properties.allowedTagsForStory.split(","));
   }
}
in /usr/local/helma/apps/antville/code/Story/objectFunctions.js:29
// sanitize user input
for (var i in content.value) {
   content.value[i] = sanitize(content.value[i],
      app.properties.allowedTagsForComment.split(","));
}
in /usr/local/helma/apps/antville/code/Story/objectFunctions.js:143
// sanitize user input (if this is a non-trusted site)
if (!this._parent.trusted) {
   for (var i in content.value) {
      content.value[i] = sanitize(content.value[i],
         app.properties.allowedTagsForStory.split(","));
   }
}
in /usr/local/helma/apps/antville/code/StoryMgr/objectFunctions.js:20
// sanitize user input
for (var i in content.value) {
   content.value[i] = sanitize(content.value[i],
      app.properties.allowedTagsForComment.split(","));
}
in /usr/local/helma/apps/antville/code/Comment/objectFunctions.js:27
As well as two new files:
* /usr/local/helma/apps/antville/code/Global/sanitize.js
* /usr/local/helma/lib/ext/htmlparser.jar
Taken from the twoday source code.
Regards, Nils
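A stand-alone illustration of how a whitelist in the "tag[attr|attr], tag, %[.]" format above can be applied, added here as an example; it is not Antville's or twoday's sanitize()/htmlparser.jar code. It parses the posted allowedTagsForComment string (and a story list built from the same entries plus table/th/tr/td/hr and %[.]), drops every tag and attribute not listed, keeps the text between dropped tags, and removes <script>/<style> bodies. Two things go beyond what the posted lists do and are this example's own assumptions: values of href/src/cite are rejected unless relative or http/https/ftp/mailto, because listing the attribute name alone still lets a "javascript:" URL through; and Antville-style "<% ... %>" macros are escaped to text when %[.] is absent from the list. Runs under Node.js.

```javascript
// Added example, not Antville's or twoday's sanitize()/htmlparser.jar:
// a whitelist-driven HTML sanitizer for the "tag[attr|attr], tag, %[.]"
// list format used by allowedTagsForStory / allowedTagsForComment.
// The URL-scheme check and the macro escaping are this example's own
// assumptions, not behaviour documented for Antville.

// The comment list exactly as posted; the story list is the same set plus
// table/th/tr/td/hr and the %[.] macro marker (order does not matter).
const ALLOWED_TAGS_FOR_COMMENT =
  "a[name|href|target|title|hreflang], strong, b, em, i, strike, p[align], " +
  "ol, ul, li, br, nobr, wbr, img[src|border|alt|title|width|height|align], " +
  "blockquote[cite], div[align], pre, code, center, cite, q[cite], samp, kbd, " +
  "var, dfn, acronym, abbr, ins, del, font[size|color|face], " +
  "basefont[size|color|face], big, small, tt, sub, sup, s, blink";
const ALLOWED_TAGS_FOR_STORY = ALLOWED_TAGS_FOR_COMMENT +
  ", table[border|cellpadding|cellspacing|width|height|bgcolor], " +
  "th[width|height|align|valign|colspan|rowspan], " +
  "tr[width|height|align|valign|colspan|rowspan], " +
  "td[width|height|align|valign|colspan|rowspan], hr[size|width|align], %[.]";

const URL_ATTRS = new Set(["href", "src", "cite"]);          // assumption: which attrs carry URLs
const SAFE_SCHEMES = new Set(["http", "https", "ftp", "mailto"]); // assumption: harmless schemes

// "a[name|href], strong, %[.]" -> { allowed: Map<tag, Set<attr>>, allowMacros }
function parseWhitelist(spec) {
  const allowed = new Map();
  let allowMacros = false;
  for (const raw of spec.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue;
    if (entry === "%[.]") { allowMacros = true; continue; }
    const m = /^([A-Za-z][A-Za-z0-9]*)(?:\[([^\]]*)\])?$/.exec(entry);
    if (m === null) throw new Error("bad whitelist entry: " + entry);
    const attrs = (m[2] || "").split("|").map(a => a.trim().toLowerCase()).filter(Boolean);
    allowed.set(m[1].toLowerCase(), new Set(attrs));
  }
  return { allowed, allowMacros };
}

// A URL attribute value is acceptable if it is relative or uses a listed
// scheme. Numeric entities and control characters are folded away first,
// because a browser turns "&#106;avascript:" or "java\tscript:" into
// "javascript:" before it looks at the scheme.
function isSafeUrl(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(decoded);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

// Matches either a macro <% ... %> or one start/end tag with its attributes;
// everything else is text and passes through untouched.
const TOKEN_RE =
  /<%[\s\S]*?%>|<(\/?)([A-Za-z][A-Za-z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeAttr(v) {
  return v.replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Drop every tag not on the whitelist and every attribute not listed for its
// tag. Text between dropped tags survives, except <script>/<style> bodies.
function sanitize(html, spec) {
  const { allowed, allowMacros } = parseWhitelist(spec);
  const noScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  return noScripts.replace(TOKEN_RE, (match, close, name, attrText, selfClose) => {
    if (match.startsWith("<%")) return allowMacros ? match : "&lt;" + match.slice(1);
    const tag = name.toLowerCase();
    if (!allowed.has(tag)) return "";
    if (close) return "</" + tag + ">";
    const okAttrs = allowed.get(tag);
    let out = "<" + tag;
    for (const a of attrText.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!okAttrs.has(attr)) continue;                       // e.g. onclick, onerror, style
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // e.g. href="javascript:..."
      out += " " + attr + '="' + escapeAttr(value) + '"';
    }
    return out + (selfClose ? " /" : "") + ">";
  });
}

// Constructed sample input: a comment as a hostile user might submit it.
const sample = '<p align="left" onclick="x()">hi <script>alert(1)</script>' +
  '<a href="javascript:alert(1)">x</a><img src="/p.png" onerror="alert(1)"></p>';
console.log(sanitize(sample, ALLOWED_TAGS_FOR_COMMENT));
```

The regex tokenizer is enough to show what the whitelist does and does not cover; for production the posted approach of driving the whitelist from a real HTML parser (htmlparser.jar) is the right one, since a tokenizer like this one does not model browser error recovery for malformed markup.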