diff --git a/code/__HELPERS/text.dm b/code/__HELPERS/text.dm
index da9d8b34bc..a493aa9d08 100644
--- a/code/__HELPERS/text.dm
+++ b/code/__HELPERS/text.dm
@@ -140,7 +140,24 @@ return t_out
-
+//checks text for html tags
+//if tag is not in whitelist (var/list/paper_tag_whitelist in global.dm)
+//relpaces < with <
+proc/checkhtml(var/t)
+ t = sanitize_simple(t, list("&#"="."))
+ var/p = findtext(t,"<",1)
+ while (p) //going through all the tags
+ var/start = p++
+ var/tag = copytext(t,p, p+1)
+ if (tag != "/")
+ while (reject_bad_text(copytext(t, p, p+1), 1))
+ tag = copytext(t,start, p)
+ p++
+ tag = copytext(t,start+1, p)
+ if (!(tag in paper_tag_whitelist)) //if it's unkown tag, disarming it
+ t = copytext(t,1,start-1) + "<" + copytext(t,start+1)
+ p = findtext(t,"<",p)
+ return t
/*
* Text searches
*/
diff --git a/code/global.dm b/code/global.dm
index 3a81f7bac4..cd6e374a94 100644
--- a/code/global.dm
+++ b/code/global.dm
@@ -27,6 +27,12 @@ var/global/list/global_map = null
//////////////
+var/list/paper_tag_whitelist = list("center","p","div","span","h1","h2","h3","h4","h5","h6","hr","pre", \
+ "big","small","font","i","u","b","s","sub","sup","tt","br","hr","ol","ul","li","caption","col", \
+ "table","td","th","tr")
+var/list/paper_blacklist = list("java","onblur","onchange","onclick","ondblclick","onfocus","onkeydown", \
+ "onkeypress","onkeyup","onload","onmousedown","onmousemove","onmouseout","onmouseover", \
+ "onmouseup","onreset","onselect","onsubmit","onunload")
var/BLINDBLOCK = 0
var/DEAFBLOCK = 0
diff --git a/code/modules/paperwork/paper.dm b/code/modules/paperwork/paper.dm
index 528e3b942f..439bf62baf 100644
--- a/code/modules/paperwork/paper.dm
+++ b/code/modules/paperwork/paper.dm
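Review bot: `t = copytext(t,1,start-1)` drops the character just before the `<` being escaped, and when the offending tag is the first thing in the text (start == 1) `copytext(t,1,0)` returns the whole string, so the original `<` stays in place and that tag is not disarmed at all; the prefix must be `copytext(t,1,start)`. Closing tags are mishandled as well: for `</x>` the `tag != "/"` guard skips the name scan, p is never advanced, `tag` ends up as the empty string, and since that is not in paper_tag_whitelist every closing tag is escaped, which breaks legitimate formatting and also makes the `tag = copytext(t,start, p)` assignment inside the inner loop dead code. Because only the tag name is compared, attributes on whitelisted tags pass through untouched and the substring blacklist in paper.dm is the only thing guarding them; discarding everything between the name and the closing `>` here would remove that dependency. As rendered in this diff the replacement string is a bare `<`, which would leave the text unchanged; I assume the source has the `&lt;` entity and the page decoded it, but that is worth confirming. The rewrite below fixes the prefix and the closing-tag parse; a header comment should also state the contract, e.g. `// Returns t with the '<' of every tag whose name is not in paper_tag_whitelist replaced by its entity.`
```dm
proc/checkhtml(var/t)
	// … unchanged: sanitize_simple call and initial findtext …
	while (p)	//going through all the tags
		var/start = p++
		var/closing = (copytext(t,p, p+1) == "/")
		if (closing)
			p++	// step over the slash so a closing tag's name is compared too
		var/name_start = p
		while (reject_bad_text(copytext(t, p, p+1), 1))
			p++
		var/tag = copytext(t,name_start, p)
		if (!(tag in paper_tag_whitelist))	//unknown tag: disarm it
			t = copytext(t,1,start) + "&lt;" + copytext(t,start+1)	// prefix ends at start, not before it
		p = findtext(t,"<",p)
	return t
```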
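Review bot: `"hr"` appears twice in paper_tag_whitelist (after `"h6"` and again after `"br"`), so one entry should be dropped. The blacklist entries are matched with findtext over the whole paper text in paper.dm, so `"java"` refuses and admin-logs ordinary prose that merely contains that substring; either restrict it to the attribute text of tags or spell out the full form it is meant to catch. Neither list says what it is for; comments such as `// Tag names checkhtml() (text.dm) leaves unescaped on paper; any other tag is rendered as text` and `// Substrings that make paper.dm refuse a write and report it to admins` would help the next reader. The neighbouring `var/global/list/global_map` uses the explicit `global` modifier while these two declarations do not; matching that style would make the intent clear.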
@@ -236,7 +236,8 @@ if(href_list["write"])
var/id = href_list["write"]
//var/t = strip_html_simple(input(usr, "What text do you wish to add to " + (id=="end" ? "the end of the paper" : "field "+id) + "?", "[name]", null),8192) as message
- var/t = strip_html_simple(input("Enter what you want to write:", "Write", null, null) as message, MAX_MESSAGE_LEN)
+ //var/t = strip_html_simple(input("Enter what you want to write:", "Write", null, null) as message, MAX_MESSAGE_LEN)
+ var/t = input("Enter what you want to write:", "Write", null, null) as message
var/obj/item/i = usr.get_active_hand() // Check to see if he still got that darn pen, also check if he's using a crayon or pen.
var/iscrayon = 0
if(!istype(i, /obj/item/weapon/pen))
@@ -248,6 +249,17 @@ if((!in_range(src, usr) && loc != usr && !( istype(loc, /obj/item/weapon/clipboard) ) && loc.loc != usr && usr.get_active_hand() != i)) // Some check to see if he's allowed to write
return
+ t = checkhtml(t)
+
+ // check for exploits
+ for(var/bad in paper_blacklist)
+ if(findtext(t,bad))
+ usr << "\blue You think to yourself, \"Hm.. this is only paper...\""
+ log_admin("PAPER: [usr] ([usr.ckey]) tried to use forbidden word in [src]: [bad].")
+ message_admins("PAPER: [usr] ([usr.ckey]) tried to use forbidden word in [src]: [bad].")
+ return
+
+ t = replacetext(t, "\n", "
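Review bot: Replacing `strip_html_simple(..., MAX_MESSAGE_LEN)` with a bare `input(...) as message` also drops the length cap, so a single paper write can now be arbitrarily long and checkhtml's per-`<` scan plus the blacklist loop run over all of it; keep the bound, e.g. `var/t = copytext(input("Enter what you want to write:", "Write", null, null) as message, 1, MAX_MESSAGE_LEN)` (match the exact bound strip_html_simple applied, which is not visible here). The commented-out former line added above it is dead text that git history already records and should be deleted rather than kept. The enclosing proc starts and ends outside this hunk.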
")
t = parsepencode(t, i, usr, iscrayon) // Encode everything from pencode to html
if(id!="end")
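Review bot: The blacklist loop runs `findtext(t,bad)` over the entire text, so any paper containing one of the listed substrings inside ordinary words is refused and produces a log_admin and message_admins call each time; since checkhtml has already escaped every non-whitelisted tag at this point, applying the check only to the attribute text of the tags that survived would make it precise and stop plain prose from paging admins. `input(...) as message` yields null when the dialog is cancelled, and that value now flows straight into checkhtml, the loop and replacetext where the removed strip_html_simple call used to sit; a guard such as `if(!t) return` before `t = checkhtml(t)` would avoid relying on how those helpers treat null, which I cannot see from here. The replacement string of `t = replacetext(t, "\n", "…")` appears split across two lines in this diff, which looks like the page decoding an HTML tag inside the literal rather than a defect in the code, but it is worth confirming against the source. The enclosing proc starts and ends outside this hunk.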