• last updated 18 hours ago
Constraints: committers
Constraints: files
Constraints: dates
Untangle if logics

Reject URLs displaying multiple protocols

Strenghten validation against smarter attempts to disguise the javascript: protocol

Manually replace the ":" entity to prevent attempts at disguising "javascript:" links

When using ad_dom_sanitize_html to validate markup, treat failure to parse as a normal validation failure, rather than an error

reduce verbosity

Use a better regexp to reimplement ad_looks_like_html_p, use the improved api to port downstream feature: an ad_form datatype validator that won't allow to insert markup

Many thanks to Günter Ernst

  1. … 1 more file in changeset.
Deprecate trivial wrappers for ad_html_text_convert

  1. … 2 more files in changeset.
improve robustness

  1. … 1 more file in changeset.
make parsing more robust

fix typo

reduce verbosity

  1. … 2 more files in changeset.
Small improvements:

- use "string is space" instead of trimming the string and checking if empty, at least 2x faster on development, wherever we don't need the trimmed value

- modernize leftover foreach trick with lassign

  1. … 6 more files in changeset.
if truncate_len is provided we have to call util_close_html_tags for truncating the string

Rename proc according to convention enforced in acs-tcl: naming__proc_naming

comment tags, which are NOT supported by HTML5, allow "abbr" in enhanced text

Reduce verbosity

Fix typo

implemented ad_html_security_check based on ns_parsehtml

Use "ns_parsehtml" for speed and correctness when available

The new NaviServer built-in command "ns_parsehtml" is used on

several occasions in the code when available, namely in

- util_close_html_tags

- escaping disallowed HTML tags in ad_text_to_html

- util_close_html_tags

The command "util_close_html_tags" has a long history of troubles,

since it was implemented originally based on regular expressions. It

was reported in Jan 2009, that the function took on certain forums

entries 6 to 9 hours (e.g. /forums/message-view?message_id=357753) to

finish. Therefore, at this time a quick version based on tdom was

introduced, which reduced at that time the performance to 7.3

seconds. However, the tdom-based version tend to fail on invalid HTML,

so it could cover only a few cases. The new "ns_parsehtml" is more

robust and works very stable on openacs.org with the know problem

cases. Furthermore, this version is also significantly faster than the

tdom version.

  1. … 1 more file in changeset.
Deprecate ad_parameter_all_values_as_list: it does not provide much value and was also often use improperly

  1. … 4 more files in changeset.
Fixed bug in util_convert_line_breaks_to_html

The code deleted spaces around certain tags, while - according to the

documentation, only line breaks should be removed from there.

Extended regression test.

  1. … 1 more file in changeset.
Handle upcoming tDOM 0.9.3

This might need some further rethinking

added ADP:ICON to the list of accepted tags (for new instances)

  1. … 1 more file in changeset.
slightly better way to handle testing in vanilla instances

Make ad_html_security_check configurable

ad_html_security_check has now three optional attributes

to make it configurable for different situations




If these attributes are not specified, the behavior is exactly like

before. This change makes it also easier to regression test this

function, since the behavior does not necessarily depend on a site's

parameter settings.

The function was also modernized, new regression tests were added.

  1. … 1 more file in changeset.
use icanuse machinery for "ns_reflow_text -offset"

  1. … 1 more file in changeset.
Unwrap fake oneliners

Fix typo

make ad_dom_sanitize_html more robust against invalid input