Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -N -r1.109.2.4 -r1.109.2.5
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 31 Mar 2019 11:17:59 -0000 1.109.2.4
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 3 Jul 2019 18:12:25 -0000 1.109.2.5
@@ -802,9 +802,10 @@
ad_proc ad_html_security_check { html } {
- Returns a human-readable explanation if the user has used any HTML
- tag other than the ones marked allowed in antispam section of ad.ini.
- Otherwise returns an empty string.
+ Returns a human-readable explanation if the user has used any
+ HTML tag other than the ones marked allowed in antispam
+ section of the kernel parameters. Otherwise returns an empty
+ string.
@return a human-readable, plaintext explanation of what's wrong with the user's input.
@@ -878,7 +879,8 @@
}
if { [string tolower $attr_name] ne "style" } {
- if { [regexp {^\s*([^\s:]+):\/\/} $attr_value match protocol] } {
+ if { [regexp {^\s*(([^\s:]+):\/\/|(data|javascript))} $attr_value match . p1 p2] } {
+ set protocol [expr {$p1 ne "" ? $p1 : $p2}]
if { ![info exists allowed_protocol([string tolower $protocol])]
&& ![info exists allowed_protocol(*)] } {
return "Your URLs can only use these protocols: [join $allowed_protocols_list ", "].