From c175833b9cb725493b25bc62ad4da99b54a58497 Mon Sep 17 00:00:00 2001
From: Chinsky
Date: Tue, 15 Jan 2013 07:17:21 +0400
Subject: [PATCH 1/2] Started working on making paper use HTML instead of only BBCode again. Whitelisting system for tags. Blacklist for words like 'java' and names of even triggers. Might move to whitelist for those too, on Mini's suggestion.
---
 code/global.dm | 6 ++++++
 code/modules/paperwork/paper.dm | 28 +++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/code/global.dm b/code/global.dm
index d0ca913571c..b48e18a5a13 100644
--- a/code/global.dm
+++ b/code/global.dm
@@ -26,6 +26,12 @@ var/global/list/global_map = null
 //////////////
+var/list/paper_tag_whitelist = list("center","p","div","span","h1","h2","h3","h4","h5","h6","hr","pre", \
+ "big","small","font","i","u","b","s","sub","sup","tt","br","hr","img","ol","ul","li","caption","col", \
+ "table","td","th","tr")
+var/list/paper_blacklist = list("java","onblur","onchange","onclick","ondblclick","onfocus","onkeydown", \
+ "onkeypress","onkeyup","onload","onmousedown","onmousemove","onmouseout","onmouseover", \
+ "onmouseup","onreset","onselect","onsubmit","onunload")
 var/BLINDBLOCK = 0
 var/DEAFBLOCK = 0
diff --git a/code/modules/paperwork/paper.dm b/code/modules/paperwork/paper.dm
index e59e05b7279..c0c5f262e7a 100644
--- a/code/modules/paperwork/paper.dm
+++ b/code/modules/paperwork/paper.dm
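Review bot: `paper_tag_whitelist` constrains only the tag name; nothing in this patch looks at what follows the name inside a tag, so the attributes of a whitelisted tag reach the page untouched and the only control over them is `paper_blacklist`. That list is a substring denylist of handler names, and the commit message itself expects to revisit it, so it should be defence in depth behind a structural rule — strip everything between the tag name and `>`, or allowlist attributes per tag — rather than the sole check. `hr` appears twice in `paper_tag_whitelist`; drop the duplicate.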
@@ -231,7 +231,8 @@
 if(href_list["write"])
 var/id = href_list["write"]
 //var/t = strip_html_simple(input(usr, "What text do you wish to add to " + (id=="end" ? "the end of the paper" : "field "+id) + "?", "[name]", null),8192) as message
- var/t = strip_html_simple(input("Enter what you want to write:", "Write", null, null) as message, MAX_MESSAGE_LEN)
+ //var/t = strip_html_simple(input("Enter what you want to write:", "Write", null, null) as message, MAX_MESSAGE_LEN)
+ var/t = input("Enter what you want to write:", "Write", null, null) as message
 var/obj/item/i = usr.get_active_hand() // Check to see if he still got that darn pen, also check if he's using a crayon or pen.
 var/iscrayon = 0
 if(!istype(i, /obj/item/weapon/pen))
@@ -243,6 +244,31 @@
 if((!in_range(src, usr) && loc != usr && !( istype(loc, /obj/item/weapon/clipboard) ) && loc.loc != usr && usr.get_active_hand() != i)) // Some check to see if he's allowed to write
 return
+ t = sanitize_simple(t, list("&#"="."))
+ var/p = findtext(t,"<",1)
+ while (p) //going through all the tags
+ var/start = p++
+ tag = copytext(t,p, p+1)
+ world << "2 [copytext(t,p, p+1)]"
+ if (tag != "/")
+ while (reject_bad_text(copytext(t, p, p+1), 1))
+ tag = copytext(t,start, p)
+ p++
+ tag = copytext(t,start+1, p)
+ world << "Tag is [tag] at [start]"
+ if (!(tag in paper_tag_whitelist)) //if it's unkown tag, disarming it
+ t = copytext(t,1,start-1) + "<" + copytext(t,start+1)
+ p = findtext(t,"<",p)
+
+ // check for exploits
+ for(var/bad in paper_blacklist)
+ if(findtext(t,bad))
+ usr << "\blue You think to yourself, \"Hm.. this is only paper...\""
+ log_admin("PAPER: [usr] ([usr.ckey]) tried to use forbidden word in [src]: [bad].")
+ message_admins("PAPER: [usr] ([usr.ckey]) tried to use forbidden word in [src]: [bad].")
+ return
+
+ t = replacetext(t, "\n", "
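Review bot: Replacing `strip_html_simple(input(...) as message, MAX_MESSAGE_LEN)` with a bare `input(...) as message` also removes the length bound that the second argument appears to apply; the text is now accepted at any length, and neither this commit nor the follow-up `t = checkhtml(t)` in paper.dm @@ -249 reinstates a cap before the text is parsed and stored. Add `if(length(t) > MAX_MESSAGE_LEN) return` (or truncate with copytext) directly after the input line. The commented-out old line should be deleted rather than kept as dead code next to its replacement. The enclosing proc begins before this hunk.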
")
 t = parsepencode(t, i, usr, iscrayon) // Encode everything from pencode to html
 if(id!="end")
From e34d033cc94d5a534b11f4e9d9973c9466f9f3f6 Mon Sep 17 00:00:00 2001
From: Chinsky
Date: Tue, 12 Feb 2013 20:43:22 +0400
Subject: [PATCH 2/2] Moved tag whitelist check to HELPERS. Removed img tag from whitelist.
---
 code/__HELPERS/text.dm | 19 ++++++++++++++++++-
 code/global.dm | 2 +-
 code/modules/paperwork/paper.dm | 16 +---------------
 3 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/code/__HELPERS/text.dm b/code/__HELPERS/text.dm
index da9d8b34bce..a493aa9d080 100644
--- a/code/__HELPERS/text.dm
+++ b/code/__HELPERS/text.dm
@@ -140,7 +140,24 @@
 return t_out
-
+//checks text for html tags
+//if tag is not in whitelist (var/list/paper_tag_whitelist in global.dm)
+//relpaces < with <
+proc/checkhtml(var/t)
+ t = sanitize_simple(t, list("&#"="."))
+ var/p = findtext(t,"<",1)
+ while (p) //going through all the tags
+ var/start = p++
+ var/tag = copytext(t,p, p+1)
+ if (tag != "/")
+ while (reject_bad_text(copytext(t, p, p+1), 1))
+ tag = copytext(t,start, p)
+ p++
+ tag = copytext(t,start+1, p)
+ if (!(tag in paper_tag_whitelist)) //if it's unkown tag, disarming it
+ t = copytext(t,1,start-1) + "<" + copytext(t,start+1)
+ p = findtext(t,"<",p)
+ return t
 /*
 * Text searches
 */
diff --git a/code/global.dm b/code/global.dm
index 568e7a180c7..591f90cc5f7 100644
--- a/code/global.dm
+++ b/code/global.dm
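Review bot: The disarm line `t = copytext(t,1,start-1) + "<" + copytext(t,start+1)` drops the character just before the tag, because copytext's end index is exclusive and `start` is the index of the `<`; the prefix has to be `copytext(t,1,start)`. Closing tags are mishandled as well: when the character after `<` is `/` the name scan is skipped and `tag` ends up as the empty string, which is never in `paper_tag_whitelist`, so every `</b>`-style tag is escaped and no whitelisted element can be closed. Both defects are carried unchanged into `checkhtml` in `code/__HELPERS/text.dm` in the second patch. The escape literal shows on this page as `"<"`; if the file really holds that rather than the entity form, the replacement is a no-op, so the rewrite below assumes the entity. The enclosing proc begins and ends outside this hunk.
```dm
	var/p = findtext(t,"<",1)
	while (p) //going through all the tags
		var/start = p++
		var/closing = (copytext(t, p, p+1) == "/")
		if (closing)
			p++
		while (reject_bad_text(copytext(t, p, p+1), 1))
			p++
		var/tag = copytext(t, start+1+closing, p)
		if (!(tag in paper_tag_whitelist)) //unknown tag: escape its "<", keeping the character before it
			t = copytext(t, 1, start) + "&lt;" + copytext(t, start+1)
		p = findtext(t, "<", p)
	// … unchanged: blacklist loop that follows …
```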
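Review bot: `checkhtml` inspects only the tag name: once the inner `while` stops at the end of the name, `p = findtext(t,"<",p)` jumps straight to the next `<`, so whatever sits between the name and `>` is never examined or removed, and a whitelisted tag keeps every attribute it was given. This is the place to cut attributes before the whitelist test, e.g. `var/close = findtext(t, ">", p)` followed by `if (close) t = copytext(t, 1, p) + copytext(t, close)` (bounded so it does not run past the next `<`), leaving `paper_blacklist` as a second layer instead of the only one. The header comment has typos (`relpaces`, `unkown`) and does not say what the proc returns; suggest `//returns t with "<" escaped wherever it does not start a tag listed in paper_tag_whitelist; attributes are not examined`.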
@@ -28,7 +28,7 @@ var/global/list/global_map = null
 //////////////
 var/list/paper_tag_whitelist = list("center","p","div","span","h1","h2","h3","h4","h5","h6","hr","pre", \
- "big","small","font","i","u","b","s","sub","sup","tt","br","hr","img","ol","ul","li","caption","col", \
+ "big","small","font","i","u","b","s","sub","sup","tt","br","hr","ol","ul","li","caption","col", \
 "table","td","th","tr")
 var/list/paper_blacklist = list("java","onblur","onchange","onclick","ondblclick","onfocus","onkeydown", \
 "onkeypress","onkeyup","onload","onmousedown","onmousemove","onmouseout","onmouseover", \
diff --git a/code/modules/paperwork/paper.dm b/code/modules/paperwork/paper.dm
index 20ec1f450d3..439bf62baf1 100644
--- a/code/modules/paperwork/paper.dm
+++ b/code/modules/paperwork/paper.dm
@@ -249,21 +249,7 @@
 if((!in_range(src, usr) && loc != usr && !( istype(loc, /obj/item/weapon/clipboard) ) && loc.loc != usr && usr.get_active_hand() != i)) // Some check to see if he's allowed to write
 return
- t = sanitize_simple(t, list("&#"="."))
- var/p = findtext(t,"<",1)
- while (p) //going through all the tags
- var/start = p++
- tag = copytext(t,p, p+1)
- world << "2 [copytext(t,p, p+1)]"
- if (tag != "/")
- while (reject_bad_text(copytext(t, p, p+1), 1))
- tag = copytext(t,start, p)
- p++
- tag = copytext(t,start+1, p)
- world << "Tag is [tag] at [start]"
- if (!(tag in paper_tag_whitelist)) //if it's unkown tag, disarming it
- t = copytext(t,1,start-1) + "<" + copytext(t,start+1)
- p = findtext(t,"<",p)
+ t = checkhtml(t)
 // check for exploits
 for(var/bad in paper_blacklist)
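Review bot: The bare `t = checkhtml(t)` tells a reader nothing about what guarantee the text carries from here into the blacklist loop and `parsepencode`; a comment at the call, `t = checkhtml(t) // escapes "<" for every tag not in paper_tag_whitelist; attributes are left as written`, would make clear that the `// check for exploits` loop below is a second layer rather than the primary filter. The enclosing proc begins before this hunk.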