Fossil SCM
Added an option to enable ALL HTML, CSS and JavaScript tags/attributes for wiki pages. This comes with a strong warning against doing so on any public project.
Commit
db344436c26577680586ecdac67fa5c2bf3f21c1
Parent
1bf6cf832df74b9…
2 files changed
+11
+23
-10
+11
| --- src/setup.c | ||
| +++ src/setup.c | ||
| @@ -930,10 +930,21 @@ | ||
| 930 | 930 | @ <blockquote>%h(g.zBaseURL)/home</blockquote> |
| 931 | 931 | @ |
| 932 | 932 | @ <p>The default "/home" page displays a Wiki page with the same name |
| 933 | 933 | @ as the Project Name specified above. Some sites prefer to redirect |
| 934 | 934 | @ to a documentation page (ex: "/doc/tip/index.wiki") or to "/timeline".</p> |
| 935 | + @ <hr /> | |
| 936 | + onoff_attribute("Enable ALL HTML tags and attributes on Wiki pages", | |
| 937 | + "wiki-all-html", "wiki-all-html", 0); | |
| 938 | + @ <p>Allow ALL HTML tags and attributes on Wiki pages. This should only | |
| 939 | + @ be enabled when you trust all wiki contributors. By enabling this option | |
| 940 | + @ it is possible for malicious users to insert dangerous HTML, CSS and | |
| 941 | + @ JavaScript code. When this option is disabled, only safe HTML tags | |
| 942 | + @ and attributes will be allowed.</p> | |
| 943 | + @ | |
| 944 | + @ <p>It is highly recommended that this option not be enabled for public | |
| 945 | + @ projects with open wiki's.</p> | |
| 935 | 946 | @ <hr /> |
| 936 | 947 | @ <p><input type="submit" name="submit" value="Apply Changes"></p> |
| 937 | 948 | @ </form> |
| 938 | 949 | db_end_transaction(0); |
| 939 | 950 | style_footer(); |
| 940 | 951 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -930,10 +930,21 @@ | |
| 930 | @ <blockquote>%h(g.zBaseURL)/home</blockquote> |
| 931 | @ |
| 932 | @ <p>The default "/home" page displays a Wiki page with the same name |
| 933 | @ as the Project Name specified above. Some sites prefer to redirect |
| 934 | @ to a documentation page (ex: "/doc/tip/index.wiki") or to "/timeline".</p> |
| 935 | @ <hr /> |
| 936 | @ <p><input type="submit" name="submit" value="Apply Changes"></p> |
| 937 | @ </form> |
| 938 | db_end_transaction(0); |
| 939 | style_footer(); |
| 940 |
| --- src/setup.c | |
| +++ src/setup.c | |
| @@ -930,10 +930,21 @@ | |
| 930 | @ <blockquote>%h(g.zBaseURL)/home</blockquote> |
| 931 | @ |
| 932 | @ <p>The default "/home" page displays a Wiki page with the same name |
| 933 | @ as the Project Name specified above. Some sites prefer to redirect |
| 934 | @ to a documentation page (ex: "/doc/tip/index.wiki") or to "/timeline".</p> |
| 935 | @ <hr /> |
| 936 | onoff_attribute("Enable ALL HTML tags and attributes on Wiki pages", |
| 937 | "wiki-all-html", "wiki-all-html", 0); |
| 938 | @ <p>Allow ALL HTML tags and attributes on Wiki pages. This should only |
| 939 | @ be enabled when you trust all wiki contributors. By enabling this option |
| 940 | @ it is possible for malicious users to insert dangerous HTML, CSS and |
| 941 | @ JavaScript code. When this option is disabled, only safe HTML tags |
| 942 | @ and attributes will be allowed.</p> |
| 943 | @ |
| 944 | @ <p>It is highly recommended that this option not be enabled for public |
| 945 | @ projects with open wiki's.</p> |
| 946 | @ <hr /> |
| 947 | @ <p><input type="submit" name="submit" value="Apply Changes"></p> |
| 948 | @ </form> |
| 949 | db_end_transaction(0); |
| 950 | style_footer(); |
| 951 |
+23
-10
| --- src/wiki.c | ||
| +++ src/wiki.c | ||
| @@ -193,13 +193,17 @@ | ||
| 193 | 193 | style_submenu_element("History", "History", "%s/whistory?name=%T", |
| 194 | 194 | g.zTop, zPageName); |
| 195 | 195 | } |
| 196 | 196 | } |
| 197 | 197 | style_header(zPageName); |
| 198 | - blob_init(&wiki, zBody, -1); | |
| 199 | - wiki_convert(&wiki, 0, 0); | |
| 200 | - blob_reset(&wiki); | |
| 198 | + if (db_get_int("wiki-all-html",0)==1) { | |
| 199 | + @ %s(zBody) | |
| 200 | + } else { | |
| 201 | + blob_init(&wiki, zBody, -1); | |
| 202 | + wiki_convert(&wiki, 0, 0); | |
| 203 | + blob_reset(&wiki); | |
| 204 | + } | |
| 201 | 205 | if( !isSandbox ){ |
| 202 | 206 | manifest_clear(&m); |
| 203 | 207 | } |
| 204 | 208 | style_footer(); |
| 205 | 209 | } |
| @@ -302,16 +306,20 @@ | ||
| 302 | 306 | zBody = mprintf("<i>Empty Page</i>"); |
| 303 | 307 | } |
| 304 | 308 | zHtmlPageName = mprintf("Edit: %s", zPageName); |
| 305 | 309 | style_header(zHtmlPageName); |
| 306 | 310 | if( P("preview")!=0 ){ |
| 307 | - blob_zero(&wiki); | |
| 308 | - blob_append(&wiki, zBody, -1); | |
| 309 | - @ Preview:<hr> | |
| 310 | - wiki_convert(&wiki, 0, 0); | |
| 311 | + @ Preview:<hr> | |
| 312 | + if (db_get_int("wiki-all-html",0)==1) { | |
| 313 | + @ %s(zBody) | |
| 314 | + } else { | |
| 315 | + blob_zero(&wiki); | |
| 316 | + blob_append(&wiki, zBody, -1); | |
| 317 | + wiki_convert(&wiki, 0, 0); | |
| 318 | + blob_reset(&wiki); | |
| 319 | + } | |
| 311 | 320 | @ <hr> |
| 312 | - blob_reset(&wiki); | |
| 313 | 321 | } |
| 314 | 322 | for(n=2, z=zBody; z[0]; z++){ |
| 315 | 323 | if( z[0]=='\n' ) n++; |
| 316 | 324 | } |
| 317 | 325 | if( n<20 ) n = 20; |
| @@ -480,14 +488,19 @@ | ||
| 480 | 488 | style_header(zHtmlPageName); |
| 481 | 489 | if( P("preview")!=0 ){ |
| 482 | 490 | Blob preview; |
| 483 | 491 | blob_zero(&preview); |
| 484 | 492 | appendRemark(&preview); |
| 493 | + | |
| 485 | 494 | @ Preview:<hr> |
| 486 | - wiki_convert(&preview, 0, 0); | |
| 487 | - @ <hr> | |
| 495 | + if (db_get_int("wiki-all-html",0)==1) { | |
| 496 | + @ %s(blob_str(&preview)) | |
| 497 | + } else { | |
| 498 | + wiki_convert(&preview, 0, 0); | |
| 499 | + } | |
| 488 | 500 | blob_reset(&preview); |
| 501 | + @ <hr> | |
| 489 | 502 | } |
| 490 | 503 | zUser = PD("u", g.zLogin); |
| 491 | 504 | @ <form method="POST" action="%s(g.zBaseURL)/wikiappend"> |
| 492 | 505 | login_insert_csrf_secret(); |
| 493 | 506 | @ <input type="hidden" name="name" value="%h(zPageName)"> |
| 494 | 507 |
| --- src/wiki.c | |
| +++ src/wiki.c | |
| @@ -193,13 +193,17 @@ | |
| 193 | style_submenu_element("History", "History", "%s/whistory?name=%T", |
| 194 | g.zTop, zPageName); |
| 195 | } |
| 196 | } |
| 197 | style_header(zPageName); |
| 198 | blob_init(&wiki, zBody, -1); |
| 199 | wiki_convert(&wiki, 0, 0); |
| 200 | blob_reset(&wiki); |
| 201 | if( !isSandbox ){ |
| 202 | manifest_clear(&m); |
| 203 | } |
| 204 | style_footer(); |
| 205 | } |
| @@ -302,16 +306,20 @@ | |
| 302 | zBody = mprintf("<i>Empty Page</i>"); |
| 303 | } |
| 304 | zHtmlPageName = mprintf("Edit: %s", zPageName); |
| 305 | style_header(zHtmlPageName); |
| 306 | if( P("preview")!=0 ){ |
| 307 | blob_zero(&wiki); |
| 308 | blob_append(&wiki, zBody, -1); |
| 309 | @ Preview:<hr> |
| 310 | wiki_convert(&wiki, 0, 0); |
| 311 | @ <hr> |
| 312 | blob_reset(&wiki); |
| 313 | } |
| 314 | for(n=2, z=zBody; z[0]; z++){ |
| 315 | if( z[0]=='\n' ) n++; |
| 316 | } |
| 317 | if( n<20 ) n = 20; |
| @@ -480,14 +488,19 @@ | |
| 480 | style_header(zHtmlPageName); |
| 481 | if( P("preview")!=0 ){ |
| 482 | Blob preview; |
| 483 | blob_zero(&preview); |
| 484 | appendRemark(&preview); |
| 485 | @ Preview:<hr> |
| 486 | wiki_convert(&preview, 0, 0); |
| 487 | @ <hr> |
| 488 | blob_reset(&preview); |
| 489 | } |
| 490 | zUser = PD("u", g.zLogin); |
| 491 | @ <form method="POST" action="%s(g.zBaseURL)/wikiappend"> |
| 492 | login_insert_csrf_secret(); |
| 493 | @ <input type="hidden" name="name" value="%h(zPageName)"> |
| 494 |
| --- src/wiki.c | |
| +++ src/wiki.c | |
| @@ -193,13 +193,17 @@ | |
| 193 | style_submenu_element("History", "History", "%s/whistory?name=%T", |
| 194 | g.zTop, zPageName); |
| 195 | } |
| 196 | } |
| 197 | style_header(zPageName); |
| 198 | if (db_get_int("wiki-all-html",0)==1) { |
| 199 | @ %s(zBody) |
| 200 | } else { |
| 201 | blob_init(&wiki, zBody, -1); |
| 202 | wiki_convert(&wiki, 0, 0); |
| 203 | blob_reset(&wiki); |
| 204 | } |
| 205 | if( !isSandbox ){ |
| 206 | manifest_clear(&m); |
| 207 | } |
| 208 | style_footer(); |
| 209 | } |
| @@ -302,16 +306,20 @@ | |
| 306 | zBody = mprintf("<i>Empty Page</i>"); |
| 307 | } |
| 308 | zHtmlPageName = mprintf("Edit: %s", zPageName); |
| 309 | style_header(zHtmlPageName); |
| 310 | if( P("preview")!=0 ){ |
| 311 | @ Preview:<hr> |
| 312 | if (db_get_int("wiki-all-html",0)==1) { |
| 313 | @ %s(zBody) |
| 314 | } else { |
| 315 | blob_zero(&wiki); |
| 316 | blob_append(&wiki, zBody, -1); |
| 317 | wiki_convert(&wiki, 0, 0); |
| 318 | blob_reset(&wiki); |
| 319 | } |
| 320 | @ <hr> |
| 321 | } |
| 322 | for(n=2, z=zBody; z[0]; z++){ |
| 323 | if( z[0]=='\n' ) n++; |
| 324 | } |
| 325 | if( n<20 ) n = 20; |
| @@ -480,14 +488,19 @@ | |
| 488 | style_header(zHtmlPageName); |
| 489 | if( P("preview")!=0 ){ |
| 490 | Blob preview; |
| 491 | blob_zero(&preview); |
| 492 | appendRemark(&preview); |
| 493 | |
| 494 | @ Preview:<hr> |
| 495 | if (db_get_int("wiki-all-html",0)==1) { |
| 496 | @ %s(blob_str(&preview)) |
| 497 | } else { |
| 498 | wiki_convert(&preview, 0, 0); |
| 499 | } |
| 500 | blob_reset(&preview); |
| 501 | @ <hr> |
| 502 | } |
| 503 | zUser = PD("u", g.zLogin); |
| 504 | @ <form method="POST" action="%s(g.zBaseURL)/wikiappend"> |
| 505 | login_insert_csrf_secret(); |
| 506 | @ <input type="hidden" name="name" value="%h(zPageName)"> |
| 507 |