From 93f590108fe0eb2ef34a3446f210448a832050d7 Mon Sep 17 00:00:00 2001
From: "Michael W. Olson"
Date: Tue, 19 Feb 2008 23:45:20 -0600
Subject: [PATCH] muse-publish: Implement muse-publish-enable-dangerous-tags.
---
 ChangeLog | 4 ++++
 lisp/muse-publish.el | 15 ++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index a265e48..93e31d2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,10 @@
 * lisp/muse-publish.el (muse-publish-mark-up-tag): Use intern-soft instead of intern.
+ (muse-publish-enable-dangerous-tags): New option that determines
+ whether to publish tags that can call external programs or expose
+ sensitive information. This is useful to set to nil for
+ publishing files from untrusted sources.
 2008-02-10 Michael Olson
diff --git a/lisp/muse-publish.el b/lisp/muse-publish.el
index a7ef34b..7fd2ea2 100644
--- a/lisp/muse-publish.el
+++ b/lisp/muse-publish.el
@@ -334,6 +334,16 @@ See `muse-publish-markup-tags' for details."
 :type 'boolean
 :group 'muse-publish)
+(defcustom muse-publish-enable-dangerous-tags t
+ "If non-nil, publish tags like and that can
+call external programs or expose sensitive information.
+Otherwise, ignore tags like this.
+
+This is useful to set to nil when the file to publish is coming
+from an untrusted source."
+ :type 'boolean
+ :group 'muse-publish)
+
 (defvar muse-publishing-p nil
 "Set to t while a page is being published.")
 (defvar muse-batch-publishing-p nil
@@ -945,7 +955,10 @@ This function returns the matching attribute value, if found."
 (defun muse-publish-markup-tag ()
 (let ((tag-info (muse-markup-tag-info (match-string 1))))
 (when (and tag-info
- (not (get-text-property (match-beginning 0) 'read-only)))
+ (not (get-text-property (match-beginning 0) 'read-only))
+ (nth 4 tag-info)
+ (or muse-publish-enable-dangerous-tags
+ (not (get (nth 4 tag-info) 'muse-dangerous-tag))))
 (let ((closed-tag (match-string 3))
 (start (match-beginning 0))
 (beg (point))
--
2.11.4.GIT
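Review bot: Nothing in this commit marks any tag as dangerous, so setting `muse-publish-enable-dangerous-tags` to nil filters nothing yet. The 15 changed lines the diffstat reports for lisp/muse-publish.el are all in the two hunks shown, and neither puts a `muse-dangerous-tag` property on a tag function. Unless that property is set in another file or a later commit, the docstring promises protection that is not enforced. The docstring should also say how a tag is classified, for example `A tag counts as dangerous when its function symbol has a non-nil muse-dangerous-tag property.` It should add that the default of t leaves untrusted input unprotected until the caller binds the option to nil around publishing.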
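Review bot: The added `(get (nth 4 tag-info) 'muse-dangerous-tag)` in `muse-publish-markup-tag` assumes the tag function is a symbol. If a tag entry can hold a lambda or other non-symbol (the hunk does not show what `muse-markup-tag-info` returns), `get` signals `wrong-type-argument`. That can only happen when the option is nil, which is the untrusted-input path. The check is also a deny-list, so any tag function that lacks the property is still published with the option off. I would treat non-symbol functions as dangerous in that mode by replacing the bare `(not (get ...))` with `(and (symbolp (nth 4 tag-info)) (not (get (nth 4 tag-info) 'muse-dangerous-tag)))`. The body of `muse-publish-markup-tag` continues past the end of the hunk.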