I want to write my blog posts in a convenient format (Emacs org mode)
but do not want commenters to be able to use this format for security
reasons. This patch makes it possible to configure which formats are
allowed for writing comments.
Effectively, it restricts the formats enabled with add_plugin to those
mentioned in comments_allowformats. If this is empty, all formats are
allowed, which is the behavior without this patch.
safe => 0,
rebuild => 0,
},
safe => 0,
rebuild => 0,
},
+ comments_allowformats => {
+ type => 'string',
+ default => '',
+ example => 'mdwn txt',
+ description => 'Restrict formats for comments to (no restriction if empty)',
+ safe => 1,
+ rebuild => 0,
+ },
+
unless defined $config{comments_closed_pagespec};
$config{comments_pagename} = 'comment_'
unless defined $config{comments_pagename};
unless defined $config{comments_closed_pagespec};
$config{comments_pagename} = 'comment_'
unless defined $config{comments_pagename};
+ $config{comments_allowformats} = ''
+ unless defined $config{comments_allowformats};
+sub isallowed ($) {
+ my $format = shift;
+ return ! $config{comments_allowformats} || $config{comments_allowformats} =~ /\b$format\b/;
+}
+
sub preprocess {
my %params = @_;
my $page = $params{page};
my $format = $params{format};
sub preprocess {
my %params = @_;
my $page = $params{page};
my $format = $params{format};
- if (defined $format && ! exists $IkiWiki::hooks{htmlize}{$format}) {
+ if (defined $format && (! exists $IkiWiki::hooks{htmlize}{$format} ||
+ ! isallowed($format))) {
error(sprintf(gettext("unsupported page format %s"), $format));
}
error(sprintf(gettext("unsupported page format %s"), $format));
}
my @page_types;
if (exists $IkiWiki::hooks{htmlize}) {
my @page_types;
if (exists $IkiWiki::hooks{htmlize}) {
- foreach my $key (grep { !/^_/ } keys %{$IkiWiki::hooks{htmlize}}) {
+ foreach my $key (grep { !/^_/ && isallowed($_) } keys %{$IkiWiki::hooks{htmlize}}) {
push @page_types, [$key, $IkiWiki::hooks{htmlize}{$key}{longname} || $key];
}
}
push @page_types, [$key, $IkiWiki::hooks{htmlize}{$key}{longname} || $key];
}
}
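Review bot: `isallowed` enforces the allowlist with `/\b$format\b/`, which is a regex search rather than an exact comparison. `$format` is interpolated unescaped and `\b` treats characters such as `-` or `.` as boundaries, so a configured entry could admit a format name other than the one listed; whether any registered format name contains such characters is not visible here. Because this setting restricts which formats commenters may choose, compare whole tokens instead: `return 1 unless length $config{comments_allowformats};` followed by `return scalar grep { $_ eq $format } split ' ', $config{comments_allowformats};`, which also stops a value of `0` from being read as "no restriction". The `@page_types` change appears only to filter the formats offered in the form, so the check in `preprocess` is the one that has to hold; both `preprocess` and the form-building code continue outside the lines shown.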