Index: openacs-4/packages/acs-tcl/tcl/00-canisue-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/Attic/00-canisue-procs.tcl,v
diff -u -N -r1.1.2.2 -r1.1.2.3
--- openacs-4/packages/acs-tcl/tcl/00-canisue-procs.tcl 14 Jun 2019 10:44:27 -0000 1.1.2.2
+++ openacs-4/packages/acs-tcl/tcl/00-canisue-procs.tcl 3 Jul 2019 18:12:25 -0000 1.1.2.3
@@ -73,6 +73,7 @@
::acs::register_icanuse "ns_conn partialtimes" [acs::icanuse "ns_server ummap"]
::acs::register_icanuse "ns_asynclogfile" {[info commands ::ns_asynclogfile] ne ""}
+::acs::register_icanuse "ns_writer" {[info commands ::ns_writer] ne ""}
# Local variables:
# mode: tcl
Index: openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl,v
diff -u -N -r1.141.2.4 -r1.141.2.5
--- openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl 29 Mar 2019 14:42:06 -0000 1.141.2.4
+++ openacs-4/packages/acs-tcl/tcl/site-nodes-procs.tcl 3 Jul 2019 18:12:25 -0000 1.141.2.5
@@ -612,6 +612,10 @@
@param url URL path starting with a slash.
@author Peter Marklund
} {
+
+ ns_log notice "OLD nsv-based site_node::exists_p <$url>"
+
+
set url_no_trailing [string trimright $url "/"]
return [nsv_exists site_nodes "$url_no_trailing/"]
}
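Review bot: The `ns_log notice` line added here, and the two added in the `@@ -1779,7 +1783,9 @@` hunk, look like leftover debugging output and run on every call at `notice` severity. Each one writes `$url` into the server log verbatim; if that value can come from a request path (callers are not visible here), log entries carry unescaped client-controlled text and grow with request volume. I would drop the three lines before release, or at least demote them, e.g. `ns_log debug "site_node::exists_p <$url>"`. The second call in the later hunk also builds a `[list ...]` purely for the message, which is wasted work when the severity is disabled. The proc headers for both bodies are outside the hunks.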
@@ -1779,7 +1783,9 @@
# lookup and check whether the returned node_id has the same
# URL as the provided one.
#
+ ns_log notice "site_node::exists_p <$url>"
set node_id [::xo::site_node get_node_id -url $url_no_trailing]
+ ns_log notice "site_node::exists_p <[list ::xo::site_node get_node_id -url $url_no_trailing]> -> $node_id"
return [expr {[::xo::site_node get_url -node_id $node_id] eq "$url_no_trailing/"}]
}
Index: openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl,v
diff -u -N -r1.109.2.4 -r1.109.2.5
--- openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 31 Mar 2019 11:17:59 -0000 1.109.2.4
+++ openacs-4/packages/acs-tcl/tcl/text-html-procs.tcl 3 Jul 2019 18:12:25 -0000 1.109.2.5
@@ -802,9 +802,10 @@
ad_proc ad_html_security_check { html } {
- Returns a human-readable explanation if the user has used any HTML
- tag other than the ones marked allowed in antispam section of ad.ini.
- Otherwise returns an empty string.
+ Returns a human-readable explanation if the user has used any
+ HTML tag other than the ones marked allowed in antispam
+ section of the kernel parameters. Otherwise returns an empty
+ string.
@return a human-readable, plaintext explanation of what's wrong with the user's input.
@@ -878,7 +879,8 @@
}
if { [string tolower $attr_name] ne "style" } {
- if { [regexp {^\s*([^\s:]+):\/\/} $attr_value match protocol] } {
+ if { [regexp {^\s*(([^\s:]+):\/\/|(data|javascript))} $attr_value match . p1 p2] } {
+ set protocol [expr {$p1 ne "" ? $p1 : $p2}]
if { ![info exists allowed_protocol([string tolower $protocol])]
&& ![info exists allowed_protocol(*)] } {
return "Your URLs can only use these protocols: [join $allowed_protocols_list ", "].
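Review bot: The new `(data|javascript)` alternative in the regexp is matched case-sensitively and is not anchored on a colon, so the check is both too loose and too strict. A scheme written in upper or mixed case does not match either branch and skips the `allowed_protocol` lookup, even though the next line already lower-cases `$protocol`. Conversely, a relative URL whose path merely starts with `data` or `javascript` is reported as a forbidden protocol. I would change the line to `if { [regexp -nocase {^\s*(([^\s:]+):\/\/|(data|javascript):)} $attr_value match . p1 p2] } {`. Since two named schemes is a denylist, it may also be worth matching any leading `scheme:` and letting `allowed_protocol` decide; the enclosing loop starts and ends outside this hunk.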
Index: openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl,v
diff -u -N -r1.20.2.1 -r1.20.2.2
--- openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl 10 Mar 2019 21:34:33 -0000 1.20.2.1
+++ openacs-4/packages/acs-tcl/tcl/test/html-conversion-procs.tcl 3 Jul 2019 18:12:25 -0000 1.20.2.2
@@ -101,11 +101,27 @@
tests is href attribute is allowed of A tags
} {
set html "An Link"
- aa_equals "href is allowed for A tags" [ad_html_security_check $html] ""
+ aa_equals "href with http:// is allowed for 'a' tags" [ad_html_security_check $html] ""
+ set html "An Link"
+ aa_equals "href with https:// is allowed for 'a' tags" [ad_html_security_check $html] ""
}
aa_register_case \
-cats {api smoke} \
+ -procs {ad_html_security_check} \
+ ad_html_security_check_forbidden_protolcols {
+ tests is href attribute is forbidden for certain tags
+} {
+ set html "An Link"
+ aa_true "protocol 'foo' is not allowed" {[ad_html_security_check $html] ne ""}
+ set html "An Link"
+ aa_true "protocol 'javascript' is not allowed" {[ad_html_security_check $html] ne ""}
+ set html "An Link"
+ aa_true "protocol 'data' is not allowed" {[ad_html_security_check $html] ne ""}
+}
+
+aa_register_case \
+ -cats {api smoke} \
-procs {util_close_html_tags} \
util_close_html_tags {
Tests closing HTML tags.
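Review bot: The new test case name `ad_html_security_check_forbidden_protolcols` is misspelled (`protocols`), and its description "tests is href attribute is forbidden for certain tags" describes tags although the three assertions are about protocols; something like `tests that href values with forbidden protocols are rejected` would match. The `set html` literals appear to have lost their markup on this page, so the exact inputs cannot be checked here. Judging by the assertion messages, coverage is one case per scheme; I would add a case with the scheme in mixed case and a positive case for a relative href whose path begins with `data`, so the protocol regexp in `ad_html_security_check` is pinned on both sides.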