[Checkins] SVN: lovely.tal/trunk/ - always strip out script-tags
Juergen Kartnaller
juergen at kartnaller.at
Tue Feb 3 03:06:16 EST 2009
Log message for revision 96018:
- always strip out script-tags
- added "allow-scripts" for explicit enabling of script-tags
Changed:
U lovely.tal/trunk/CHANGES.txt
U lovely.tal/trunk/src/lovely/tal/README.txt
U lovely.tal/trunk/src/lovely/tal/sample.pt
U lovely.tal/trunk/src/lovely/tal/textformatter.py
-=-
Modified: lovely.tal/trunk/CHANGES.txt
===================================================================
--- lovely.tal/trunk/CHANGES.txt 2009-02-03 06:40:58 UTC (rev 96017)
+++ lovely.tal/trunk/CHANGES.txt 2009-02-03 08:06:16 UTC (rev 96018)
@@ -2,6 +2,12 @@
lovely.tal
==========
+after
+=====
+
+ - always strip out script-tags
+ - added "allow-scripts" for explicit enabling of script-tags
+
2008/11/12 0.5.0a1:
===================
Modified: lovely.tal/trunk/src/lovely/tal/README.txt
===================================================================
--- lovely.tal/trunk/src/lovely/tal/README.txt 2009-02-03 06:40:58 UTC (rev 96017)
+++ lovely.tal/trunk/src/lovely/tal/README.txt 2009-02-03 08:06:16 UTC (rev 96018)
@@ -247,6 +247,78 @@
'ein superlangerstring…'
+
+Option 'allow-scripts'
+======================
+
+the option 'allow-scripts' has to be set explicitly if you want to include scripts.
+
+ >>> context = Context({'allow-all':True, 'allow-scripts':True})
+ >>> html = """<p>this is html containing a
+ ... <script type="text/javascript">
+ ... alert("i'm not allowed');
+ ... </script> script.
+ ... </p>"""
+ >>> print tf._doFormat(html, context)
+ <p>this is html containing a
+ <script type="text/javascript">
+ alert("i'm not allowed');
+ </script> script.
+ </p>
+
+
+if not, all scripts will be stripped out although allow-all is enabled::
+
+ >>> context = Context({'allow-all':True})
+ >>> html = """<p>this is html containing a
+ ... <script type="text/javascript">
+ ... alert("i'm not allowed');
+ ... </script> script.
+ ... </p>"""
+ >>> print tf._doFormat(html, context)
+ <p>this is html containing a
+ script.
+ </p>
+
+test uppercase and whitespaces::
+
+ >>> html = """<p>this is html containing a
+ ... < SCRIPT
+ ... type="text/javascript">
+ ... alert("i'm not allowed');
+ ... < /SCRIPT > script.
+ ... </p>"""
+ >>> print tf._doFormat(html, context)
+ <p>this is html containing a
+ script.
+ </p>
+
+escaped scripttags::
+
+ >>> html = """<p>this is html containing a
+ ... <script type="text/javascript">
+ ... alert("i'm not allowed');
+ ... </SCRIPT> script.
+ ... </p>"""
+ >>> print tf._doFormat(html, context)
+ <p>this is html containing a
+ script.
+ </p>
+
+
+escaped scripts including whitespace and different case::
+
+ >>> html = """<p>this is html containing a
+ ... <SCRIPT
+ ... type="text/javascript">
+ ... alert("i'm not allowed');
+ ... < /SCRIPT > script.
+ ... </p>"""
+ >>> print tf._doFormat(html, context)
+ <p>this is html containing a
+ script.
+ </p>
+
Option 'urlparse'
=================
Modified: lovely.tal/trunk/src/lovely/tal/sample.pt
===================================================================
--- lovely.tal/trunk/src/lovely/tal/sample.pt 2009-02-03 06:40:58 UTC (rev 96017)
+++ lovely.tal/trunk/src/lovely/tal/sample.pt 2009-02-03 08:06:16 UTC (rev 96018)
@@ -11,9 +11,12 @@
contain no html-tags, therefor the < and > are replaced
by <, >
- option allow-all: allow all html-tags in the string
+ option allow-all: allow all html-tags in the string (excluding scripts)
e. g. "allow-all: 'True'"
+ option allow-scripts: explicitly allow scripts in the string
+ e. g. "allow-scripts: python:True"
+
option break-string: force the string to break after a given number of characters
e.g. "break-string python:25" breaks the string after
a sequence of 25 characters not containing a linebreak
Modified: lovely.tal/trunk/src/lovely/tal/textformatter.py
===================================================================
--- lovely.tal/trunk/src/lovely/tal/textformatter.py 2009-02-03 06:40:58 UTC (rev 96017)
+++ lovely.tal/trunk/src/lovely/tal/textformatter.py 2009-02-03 08:06:16 UTC (rev 96018)
@@ -17,6 +17,8 @@
import re
from zope.tales.expressions import PathExpr
+NO_SCRIPTS = re.compile('<\s*script[^>]+>(.*)<\s*\/script\s*>', re.I | re.DOTALL)
+NO_ESCAPED_SCRIPTS = re.compile('<\s*script[^&]+.*<\s*\/script\s*>', re.I | re.DOTALL)
class TextFormatter(PathExpr):
@@ -31,6 +33,9 @@
allowAll = ('allow-all' in context.vars)
+ if not 'allow-scripts' in context.vars:
+ rendered = self._stripScripts(rendered, context)
+
if 'clear-html' in context.vars:
rendered = self._clearHTML(rendered, context)
@@ -160,6 +165,11 @@
return rendered + attach
return rendered
+ def _stripScripts(self, rendered, context):
+ rendered = re.sub(NO_SCRIPTS, '', rendered)
+ rendered = re.sub(NO_ESCAPED_SCRIPTS, '', rendered)
+ return rendered
+
def _urlparse(self, rendered, context):
#searches for urls coded with www. or http:
More information about the Checkins
mailing list