diff --git a/doc/config.html b/doc/config.html index bbbb902e..b68942a1 100755 --- a/doc/config.html +++ b/doc/config.html @@ -2340,6 +2340,14 @@ Options Location = Main Building{a}, New Building{b}, Old Building{c} be allowed for installations where it is really needed and with no public write access. +
  • + Allow HTML = 0|1
    + This flag allows or denys the usage of HTML in attributes. Note that + allowing HTML encoding may cause some security risk, since an elog + entry may contain malicious scripting code. It should therefor only + be allowed for installations where it is really needed and with no + public write access. The default value is 0. +
  • Suppress default = 0|1|2|3
    This specifies the default state of the "Suppress Email diff --git a/src/elogd.c b/src/elogd.c index e32db132..a4e6662e 100755 --- a/src/elogd.c +++ b/src/elogd.c @@ -5408,6 +5408,16 @@ int is_html(char *s) return FALSE; } +/*------------------------------------------------------------------*/ + +int html_allowed(LOGBOOK *lbs) +{ + char str[80]; + + return (getcfg(lbs->name, "Allow HTML", str, sizeof(str)) && atoi(str) == 1); +} + + /*------------------------------------------------------------------*/ char *script_tags[] = { "onerror", "onabort", "onchange", "onclick", "ondblclick", "onfocus", "onkeydown", @@ -16860,7 +16870,8 @@ void display_line(LOGBOOK * lbs, int message_id, int number, char *mode, int exp else rsprintf("\n"); - if (is_html(display) && !is_script(display)) + + if (is_html(display) && !is_script(display) && html_allowed(lbs)) rsputs(display); else rsputs2(lbs, absolute_link, display); @@ -17013,7 +17024,7 @@ void display_line(LOGBOOK * lbs, int message_id, int number, char *mode, int exp } else rsprintf(", "); - if (is_html(attrib[i]) && !is_script(attrib[i])) + if (is_html(attrib[i]) && !is_script(attrib[i]) && html_allowed(lbs)) rsputs(attrib[i]); else rsputs2(lbs, absolute_link, attrib[i]); @@ -17083,7 +17094,7 @@ void display_line(LOGBOOK * lbs, int message_id, int number, char *mode, int exp } else rsprintf(", "); - if (is_html(attrib[i]) && !is_script(attrib[i])) + if (is_html(attrib[i]) && !is_script(attrib[i]) && html_allowed(lbs)) rsputs(attrib[i]); else rsputs2(lbs, absolute_link, attrib[i]); 
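Review bot: The new html_allowed() has no header comment and is not `static`, although the hunks show it used only within elogd.c; suggest `static int html_allowed(LOGBOOK *lbs)` with the comment `/* TRUE iff the logbook option "Allow HTML" is explicitly 1; absent or any other value fails closed and attribute HTML is escaped. */`. It dereferences `lbs->name` unconditionally, so every caller must pass a valid logbook, which I cannot confirm from the hunks alone. It would also be worth saying in that comment that this only gates the raw rsputs() path: the remaining is_script() check relies on the script_tags denylist visible right below (`"onerror", "onabort", "onchange", ...`), so enabling the option amounts to trusting everyone with write access to the logbook, as the new config documentation already warns.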
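Review bot: In the new condition `if (is_html(display) && !is_script(display) && html_allowed(lbs))` the configuration check is evaluated last, so is_html() and is_script() scan the attribute text before the (by default disabled) option is consulted; `if (html_allowed(lbs) && is_html(display) && !is_script(display))` short-circuits on the default configuration and states the fail-closed intent first. html_allowed() does a getcfg() lookup on each call and display_line invokes it for every attribute cell of every listed entry, so if getcfg is not cached (I cannot tell from the hunk) hoisting the result into a local at the top of display_line would avoid the repeated lookups. This hunk also introduces a stray empty `+` line before the `if` that the three sibling call sites do not have. display_line's body continues outside the hunk.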
@@ -17153,49 +17164,45 @@ void display_line(LOGBOOK * lbs, int message_id, int number, char *mode, int exp else { rsprintf("", sclass); - if (is_html(attrib[i]) && !is_script(attrib[i])) - rsputs(attrib[i]); + if (disp_attr_link == NULL || disp_attr_link[index]) + rsprintf("", ref); + + sprintf(str, "List Change %s", attr_list[i]); + if (getcfg(lbs->name, str, display, sizeof(display))) { + j = build_subst_list(lbs, (char (*)[NAME_LENGTH]) slist, + (char (*)[NAME_LENGTH]) svalue, attrib, TRUE); + sprintf(str, "%d", message_id); + add_subst_list((char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, + "message id", str, &j); + add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, + "entry time", date, &j, 0); + + strsubst_list(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, + (char (*)[NAME_LENGTH]) svalue, j); + + } else + strcpy(display, attrib[i]); + + if (is_html(display) && !is_script(display) && html_allowed(lbs)) + rsputs(display); else { - if (disp_attr_link == NULL || disp_attr_link[index]) - rsprintf("", ref); - - sprintf(str, "List Change %s", attr_list[i]); - if (getcfg(lbs->name, str, display, sizeof(display))) { - j = build_subst_list(lbs, (char (*)[NAME_LENGTH]) slist, - (char (*)[NAME_LENGTH]) svalue, attrib, TRUE); - sprintf(str, "%d", message_id); - add_subst_list((char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, - "message id", str, &j); - add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) svalue, - "entry time", date, &j, 0); - - strsubst_list(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, - (char (*)[NAME_LENGTH]) svalue, j); - - } else - strcpy(display, attrib[i]); - - if (is_html(display) && !is_script(display)) - rsputs(display); - else { - if (isparam(attr_list[i])) { - highlight_searchtext(re_buf + 1 + i, display, str, TRUE); - strlcpy(display, str, sizeof(display)); - } else if (isparam("subtext") && isparam("sall") && atoi(getparam("sall"))) { - 
highlight_searchtext(re_buf, display, str, TRUE); - strlcpy(display, str, sizeof(display)); - } - rsputs2(lbs, absolute_link, display); + if (isparam(attr_list[i])) { + highlight_searchtext(re_buf + 1 + i, display, str, TRUE); + strlcpy(display, str, sizeof(display)); + } else if (isparam("subtext") && isparam("sall") && atoi(getparam("sall"))) { + highlight_searchtext(re_buf, display, str, TRUE); + strlcpy(display, str, sizeof(display)); } - - if (disp_attr_link == NULL || disp_attr_link[index]) - rsprintf(""); - - /* at least one space to produce non-empty table cell */ - if (!display[0]) - rsprintf(" "); + rsputs2(lbs, absolute_link, display); } + if (disp_attr_link == NULL || disp_attr_link[index]) + rsprintf(""); + + /* at least one space to produce non-empty table cell */ + if (!display[0]) + rsprintf(" "); + rsprintf(""); } } @@ -23739,7 +23746,7 @@ void show_elog_entry(LOGBOOK * lbs, char *dec_path, char *command) } else strcpy(display, attrib[i]); - if (is_html(display) && !is_script(display)) + if (is_html(display) && !is_script(display) && html_allowed(lbs)) rsputs(display); else rsputs2(lbs, email, display);
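Review bot: The relocated `strcpy(display, attrib[i]);` in the else branch is an unbounded copy, while the lines immediately below bound theirs with `strlcpy(display, str, sizeof(display))`; unless attrib entries are guaranteed to fit display (the declarations are outside the hunk), `strlcpy(display, attrib[i], sizeof(display));` keeps the cell rendering from overrunning the stack buffer. The same applies to `sprintf(str, "List Change %s", attr_list[i]);`, which could use snprintf with sizeof(str) since the attribute name comes from the configuration. Note that after this restructuring the link wrapper and the "List Change" substitution are now applied to attributes rendered as raw HTML as well, which is a behaviour change the commit message should call out. display_line starts and ends outside this hunk.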