liquid_feedback_frontend

changeset 1842:27d2a7609cc1

Allow <pre> tag in util.html_is_safe(...)
author jbe
date Thu Feb 03 15:54:23 2022 +0100 (2022-02-03)
parents e6983d79d74f
children b01d9920371b
files env/util/html_is_safe.lua
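--- a/env/util/html_is_safe.lua	Thu Feb 03 15:21:45 2022 +0100
+++ b/env/util/html_is_safe.lua	Thu Feb 03 15:54:23 2022 +0100
@@ -17,6 +17,7 @@
   local heading = false  -- <h1-6> tag open
   local list    = false  -- <ol> or <ul> (but no corresponding <li>) tag open
   local listelm = false  -- <li> tag (but no further <ol> or <ul> tag) open
+  local pre     = false  -- <pre> tag open
 
   -- Function looped with tail-calls:
   local function loop(str)
@@ -25,8 +26,8 @@
     --       even if HTML5 allows it.
 
     -- Find any "<" or ">" character and determine context, i.e.
-    -- pre = text before character, tag = text until closing ">", and rest:
-    local pre, tag, rest = string.match(str, "^(.-)([<>][^<>]*>?)(.*)")
+    -- prefix = text before character, tag = text until closing ">", and rest:
+    local prefix, tag, rest = string.match(str, "^(.-)([<>][^<>]*>?)(.*)")
 
     -- If no more "<" or ">" characters are found,
     -- then return true if all tags have been closed:
@@ -40,7 +41,7 @@
 
     -- Disallow text content (except inter-element white-space) in <ol> or <ul>
     -- when outside <li>:
-    if list and string.find(pre, "[^\t\n\f\r ]") then
+    if list and string.find(prefix, "[^\t\n\f\r ]") then
       return false, "Text content in list but outside list element"
     end
 
@@ -68,6 +69,8 @@
       elseif closed_tagname == "li" then
         listelm = false
         list = true
+      elseif closed_tagname == "pre" then
+        pre = false
       end
       stack[#stack] = nil
       return loop(rest)
@@ -156,8 +159,16 @@
       return loop(rest)
     end
 
+    -- Always allow <pre>
+    if tagname == "pre" then
+        pre = true
+        return loop(rest)
+    end
+
     -- Remaining tags require no open <p>, <b>, <i>, <sup>, <sub>,
     -- <a href="...">, or <h1>..</h6> tag:
+    -- TODO: HTML also requires that no <pre> tag is open, but check not done
+    -- here due to used WYSIWYG editor
     if para or bold or italic or supsub or link or heading then
       return false, "Forbidden child tag within paragraph, bold, italic, super/subscript, link, or heading tag"
     end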
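Review bot: The new `if tagname == "pre"` branch in the last hunk returns before the nesting check that follows it, so, as far as these hunks show, `<pre>` is accepted while `para`, `bold`, `italic`, `supsub`, `link` or `heading` is set, and also inside another `<pre>`; the `pre` flag is set and cleared but never read. Because a true result from this function presumably decides whether the markup is emitted unescaped, the `-- Always allow <pre>` comment should state what has already been validated at this point: the hunk does not show whether attributes on `<pre>` were rejected earlier, or whether the tag was pushed onto `stack`, which the closing-tag branch pops with `stack[#stack] = nil`. If the WYSIWYG editor never emits nested `<pre>`, add `if pre then return false, "Nested <pre> tag" end` before `pre = true`, and re-indent the two body lines to the file's two-space step. The enclosing `loop` function starts and ends outside the hunks, so the earlier checks need confirming against the full file.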
