1 # ===================================================================== 2 # cmtFilter.awk: content filtering function for page comments. 3 # 4 # Copyright (c) 2007-2011 Carlo Strozzi 5 # 6 # This program is free software; you can redistribute it and/or modify 7 # it under the terms of the GNU General Public License as published by 8 # the Free Software Foundation; version 2 dated June, 1991. 9 # 10 # This program is distributed in the hope that it will be useful, 11 # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 # GNU General Public License for more details. 14 # 15 # You should have received a copy of the GNU General Public License 16 # along with this program; if not, write to the Free Software 17 # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 18 # 19 # ===================================================================== 20 21 # ===================================================================== 22 # string cmtFilter(string content) 23 # ===================================================================== 24 25 function cmtFilter(content, value,max) { 26 27 # No hard-coded formatting is accepted, so I "crush" \n and \t 28 # by turning them into spaces. 29 30 gsub(/[\n\t]+/," ",content) 31 32 value = _strip(content,_O_MIDDLE) 33 34 # Set default maximum comment body length. 35 if (!(max=ENVIRON["TNS_CMT_MAXLEN"]/1)) max = 2048 36 37 if (length(value) > max) return "-" 38 39 # Apply filtering for allowed [X]HTML markup. Only a minimal, 40 # case-sensitive subset of elements is accepted in the comment body. 41 # For an element to be accepted it must be written exactly as shown 42 # and it must not have attributes. It is up to the user to write 43 # well-formed XML text, or tidy(1) (if used) will complain. 44 45 gsub(//,"\001em>",value) 46 gsub(/<\/em>/,"\001/em>",value) 47 gsub(//,"\001strong>",value) 48 gsub(/<\/strong>/,"\001/strong>",value) 49 50 # Empty elements should be well-formed XML in any case, because 51 # the text entered by the user will have to undergo a pass through 52 # tidy(1) even if we are abiding by a non-XHTML syntax. If this is 53 # not done, then the risk of having users break the overall site 54 # layout by entering malformed HTML tags is too high. 55 56 gsub(/
/,"\001hr/>",value) 57 gsub(/
/,"\001br/>",value) 58 59 gsub(/
/,"\001ul>",value) 60 gsub(/<\/ul>/,"\001/ul>",value) 61 gsub(/
/,"\001ol>",value) 62 gsub(/<\/ol>/,"\001/ol>",value) 63 gsub(/
/,"\001li>",value) 64 gsub(/<\/li>/,"\001/li>",value) 65 66 # Turn "" and "" into the more compliant "" and "". 67 68 gsub(//,"\001em>",value) 69 gsub(/<\/i>/,"\001/em>",value) 70 gsub(//,"\001strong>",value) 71 gsub(/<\/b>/,"\001/strong>",value) 72 73 # Quotation tags. 74 gsub(//,"\001q>",value) 75 gsub(/<\/q>/,"\001/q>",value) 76 77 # Strip any other markup. 78 gsub(/<[^>]*>/,_NULL,value) 79 80 # Restore opening tag for allowed markup. 81 gsub(/\001/,"<",value) 82 83 # This will prevent the injection of CSA processing instructions. 84 # Disabling CPI only in the comment body would not suffice, as 85 # it would still be possible to inject them into other parts 86 # of the comment, such as the subject etc. I therefore prefer 87 # not to prevent CPI insertion, which means that users will be 88 # able to inject CPI statements. This is one more reason for 89 # CPI directives to be simple and harmless. The only one caveat 90 # that I can see is that users will be able to inject also 91 # "invisible" text by using the (::DEL:) and (:DEL::) directives, 92 # which is somewhat disturbing. 93 # 94 #while (value ~ /\(:[^)]*:\)/) sub(/\(:/,"\\((",value) 95 96 # In XML mode, text containing no CDATA is considered to be empty. 97 if (_bool(ENVIRON["CSA_XMLISH"]) == _TRUE) { 98 if ("
" value "
" !~ />.*[a-zA-Z0-9]+.*