Changeset b25817 in indico


Timestamp: 05/12/10 15:30:48 (3 years ago)
Author: Jose Benito <jose.benito.gonzalez@…>
Branches: master, burotel, hello-world-walkthrough, ipv6, new-webex, v0.97-series, v0.98-series, v0.98.2, v0.98.3, v0.98b1, v0.98b2, v0.99, 051b2622c51afb171a1dedb46a0df4fbb0cbd02e, d9941f8582b36b24821a11ea5ba16fda6a457fb1
Children: 53b65f
Parents: a217dc
git-author: Jose Benito <jose.benito.gonzalez@…> (05/12/10 15:09:31)
git-committer: Jose Benito <jose.benito.gonzalez@…> (05/12/10 15:30:48)
Message: [FIX] Security problem allowing embed tags

File: 1 edited

  • indico/MaKaC/webinterface/common/tools.py

    rbdd862 rb25817  
    4545notAllowedTags = [ "applet", 
    4646                   "base", "basefont", "button", 
    47                    "form", "frame", "frameset",  
     47                   "form", "frame", "frameset", 
    4848                   "head", 
    4949                   "iframe", "input", "isindex", 
    5050                   "label", "link", 
    51                    "meta",  
     51                   "meta", 
    5252                   "noframe", "noscript", 
    5353                   "object", "optgroup", "option" 
     
    5555                   "script", "select", 
    5656                   "textarea", 
    57                    "title"] 
    58                     
     57                   "title", "embed"] 
     58 
    5959 
    6060# Generate the regular expression objects to found the not allowed tags 
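Review bot: the comma after "option" on line 53 is not visible in this hunk, and line 54 is not shown; since Python silently concatenates adjacent string literals, `"option"` followed by a bare string on line 54 would produce one merged tag name and both entries would stop matching, so please confirm line 53 ends with a comma. Beyond that, the fix only appends `"embed"` to a denylist of tag names, and the list shown still does not name tags such as `style`, `svg` or `video`, nor can a tag-name list ever address event-handler attributes on tags it permits; consider moving to an allowlist of permitted tags and attributes, which fails closed when a new tag is forgotten. Two style points: insert `"embed"` in alphabetical order between `"button"` and `"form"` rather than at the end of the list, and fix the comment on line 60 to read "to find the not allowed tags".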
     
    167167        &quot; => " 
    168168        &#34; => ' 
    169          
     169 
    170170        Also replaces '\xc2\xa0' (a kind of space char) by ' ' 
    171171    """ 
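Review bot: this hunk (lines 167-171), and every remaining hunk in the file, only strips trailing whitespace. Bundling whitespace cleanup with a security fix makes the one functional change harder to review and harder to cherry-pick across the many branches this changeset lands on; split the whitespace changes into a separate commit.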
     
    174174# Routine by Micah D. Cochran 
    175175# Submitted on 26 Aug 2005 
    176 # This routine is allowed to be put under any license Open Source (GPL, BSD, LGPL, etc.) License  
     176# This routine is allowed to be put under any license Open Source (GPL, BSD, LGPL, etc.) License 
    177177# or any Propriety License. Effectively this routine is in public domain. Please attribute where appropriate. 
    178178 
     
    181181        Inputs: s --> string of text 
    182182        Outputs: text string without the tags 
    183      
     183 
    184184        # doctest unit testing framework 
    185185 
     
    188188        'Keep this Text  KEEP  123' 
    189189    """ 
    190      
     190 
    191191    # convert in_text to a mutable object (e.g. list) 
    192192    s_list = list(in_text) 
    193193    i = 0 
    194      
     194 
    195195    while i < len(s_list): 
    196196        # iterate until a left-angle bracket is found 
     
    203203                Logger.get('strip_ml_tags').debug("Not found '>' (the end of the html tag): %s"%e) 
    204204                continue 
    205                  
     205 
    206206            # pops the right-angle bracket, too 
    207207            s_list.pop(i) 
    208208        else: 
    209209            i=i+1 
    210              
     210 
    211211    # convert the list back into text 
    212212    join_char='' 