HTML-Tag Whitelist

phoque

Feb 18, 2008, 12:30:06 PM
to Antville developer's mailing-list
Hi Tobi,

since there was a big outcry here this weekend when people saw that you can
leave all kinds of form/JavaScript/CSS nonsense in comments and articles, I set
about today back-porting the HTML tag whitelist from twoday and integrating it
into our Antville. Maybe it's of interest to you.

The following changes were necessary:

# allowedTags: List of tags/attributes that are allowed for a story, resp.
# for a comment. All other tags/attributes are being removed. This
# should guarantee that no users can insert malicious (script) code, esp.
# the XMLHttpRequest-Object. By adding '%[.]' to this list, it is possible
# to allow macros to be inserted.

allowedTagsForStory = a[name|href|target|title|hreflang], strong, b, em, i, strike, p[align], ol, ul, li, br, nobr, wbr, img[src|border|alt|title|width|height|align], blockquote[cite], div[align], pre, code, center, cite, table[border|cellpadding|cellspacing|width|height|bgcolor], th[width|height|align|valign|colspan|rowspan], tr[width|height|align|valign|colspan|rowspan], td[width|height|align|valign|colspan|rowspan], q[cite], samp, kbd, var, dfn, acronym, abbr, ins, del, hr[size|width|align], font[size|color|face], basefont[size|color|face], big, small, tt, sub, sup, s, blink, %[.]
allowedTagsForComment = a[name|href|target|title|hreflang], strong, b, em, i, strike, p[align], ol, ul, li, br, nobr, wbr, img[src|border|alt|title|width|height|align], blockquote[cite], div[align], pre, code, center, cite, q[cite], samp, kbd, var, dfn, acronym, abbr, ins, del, font[size|color|face], basefont[size|color|face], big, small, tt, sub, sup, s, blink

in /usr/local/helma/apps/antville/code/app.properties:52

// sanitize user input (if this is a non-trusted site)
if (!this.site.trusted) {
    for (var i in content.value) {
        content.value[i] = sanitize(content.value[i],
            app.properties.allowedTagsForStory.split(","));
    }
}

in /usr/local/helma/apps/antville/code/Story/objectFunctions.js:29

// sanitize user input
for (var i in content.value) {
    content.value[i] = sanitize(content.value[i],
        app.properties.allowedTagsForComment.split(","));
}

in /usr/local/helma/apps/antville/code/Story/objectFunctions.js:143

// sanitize user input (if this is a non-trusted site)
if (!this._parent.trusted) {
    for (var i in content.value) {
        content.value[i] = sanitize(content.value[i],
            app.properties.allowedTagsForStory.split(","));
    }
}

in /usr/local/helma/apps/antville/code/StoryMgr/objectFunctions.js:20

// sanitize user input
for (var i in content.value) {
    content.value[i] = sanitize(content.value[i],
        app.properties.allowedTagsForComment.split(","));
}

in /usr/local/helma/apps/antville/code/Comment/objectFunctions.js:27

As well as two new files:

* /usr/local/helma/apps/antville/code/Global/sanitize.js
* /usr/local/helma/lib/ext/htmlparser.jar

From the twoday source code.

Regards, Nils
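The post configures the whitelist but does not show how the `tag[attr|attr]` list is applied. The following is an added example written for this page, not the `sanitize.js` from twoday or Antville that Nils mentions (that one relies on the `htmlparser.jar` library he lists). It parses the same list syntax from `app.properties` and applies it to a string. Two things are assumptions of this example, not statements from the post: the `%[.]` entry is interpreted as "keep Helma macro tags (`<% ... %>`)", and URL-valued attributes (`href`, `src`, `cite`) get an extra scheme check, because a whitelisted `href` on its own would still carry a `javascript:` URL through.

```javascript
// Added example, not the sanitize.js from twoday/Antville that the post ships:
// a small tag/attribute whitelist filter driven by the same
// "tag[attr|attr], tag, %[.]" list syntax the post puts into app.properties.
// Assumptions made here: "%[.]" is read as "keep Helma macro tags <% ... %>",
// and URL-valued attributes additionally get a scheme check, which the post's
// configuration does not do on its own.

// "a[name|href], strong, %[.]"  ->  Map { a => Set{name, href}, strong => Set{}, % => Set{.} }
function parseAllowedTags(spec) {
  const allowed = new Map();
  for (const raw of spec.split(",")) {
    const m = /^\s*([^\[\s]+)\s*(?:\[([^\]]*)\])?\s*$/.exec(raw);
    if (!m) continue; // empty or malformed entry: ignore
    const attrs = (m[2] || "").split("|").map((a) => a.trim().toLowerCase()).filter(Boolean);
    allowed.set(m[1].toLowerCase(), new Set(attrs));
  }
  return allowed;
}

// A whitelisted href/src still carries "javascript:" unless the value itself is
// checked. Numeric entities and control characters are normalised first so
// that "java&#115;cript:" is seen for what it is.
const URL_ATTRS = new Set(["href", "src", "cite"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "ftp"]);

function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, "");
}

function urlIsSafe(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(value));
  return !m || SAFE_SCHEMES.has(m[1].toLowerCase()); // no scheme = relative URL
}

const TOKEN_RE = /<%[\s\S]*?%>|<\/?[a-zA-Z][^<>]*>|[<>]/g; // macro, tag, or stray bracket
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)(\/?)>$/;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep whitelisted tags with their whitelisted attributes; drop every other tag
// (its text content stays) and escape stray angle brackets.
function sanitize(html, spec) {
  const allowed = parseAllowedTags(spec);
  return html.replace(TOKEN_RE, (token) => {
    if (token === "<") return "&lt;";
    if (token === ">") return "&gt;";
    if (token.startsWith("<%")) return allowed.has("%") ? token : "";
    const tag = TAG_RE.exec(token);
    if (!tag) return "";
    const [, close, rawName, rawAttrs, selfClose] = tag;
    const name = rawName.toLowerCase();
    if (!allowed.has(name)) return ""; // <script>, <form>, <style>, ...
    if (close) return `</${name}>`;
    const kept = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4];
      if (!allowed.get(name).has(attr)) continue; // onerror=, onclick=, style=, ...
      if (value !== undefined && URL_ATTRS.has(attr) && !urlIsSafe(value)) continue;
      kept.push(value === undefined ? attr : `${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${name}${kept.length ? " " + kept.join(" ") : ""}${selfClose ? " /" : ""}>`;
  });
}

// Constructed sample input exercising the cases the post complains about.
const COMMENT_TAGS = "a[name|href|target|title|hreflang], strong, b, em, i, p[align], img[src|alt|title]";
const SAMPLE = '<p align="center">Hi <script>alert(1)</script>'
  + '<img src="x" onerror="alert(1)"> <a href="java&#115;cript:alert(1)">x</a> 1 < 2</p>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(sanitize(SAMPLE, COMMENT_TAGS));
  console.log(sanitize("<% story.title %>", COMMENT_TAGS + ", %[.]"));
}
```

Running the sample yields `<p align="center">Hi alert(1)<img src="x"> <a>x</a> 1 &lt; 2</p>`: the `script` tag and the `onerror` attribute are gone, the `href` is dropped because its decoded scheme is `javascript`, and the stray `<` is escaped. The tokenizer is regex-based and deliberately simple (attribute values containing `>` and named entities such as `&colon;` are not handled), which is why a deployment like the one in the post uses a real HTML parser rather than regexes; the whitelist logic itself is the same either way.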