Disable unsecure rst directives for online commenting
authorLeandro Lucarella <luca@llucax.com.ar>
Tue, 12 Aug 2008 20:55:50 +0000 (17:55 -0300)
committerLeandro Lucarella <luca@llucax.com.ar>
Mon, 25 Aug 2008 18:05:51 +0000 (15:05 -0300)
blitiri.cgi

index f9663b554e422404ad3896d27e60bc7e8f8038d9..0ec5326f99e404565f47cae64bc1eac8da79b337 100755 (executable)
@@ -405,20 +405,22 @@ div.section h1 {
 """
 
 # helper functions
-def rst_to_html(rst):
+def rst_to_html(rst, secure = True):
        settings = {
                'input_encoding': encoding,
                'output_encoding': 'utf8',
                'halt_level': 1,
                'traceback':  1,
+               'file_insertion_enabled': secure,
+               'raw_enabled': secure,
        }
        parts = publish_parts(rst, settings_overrides = settings,
                                writer_name = "html")
        return parts['body'].encode('utf8')
 
-def validate_rst(rst):
+def validate_rst(rst, secure = True):
        try:
-               rst_to_html(rst)
+               rst_to_html(rst, secure)
                return None
        except SystemMessage, e:
                desc = e.args[0].encode('utf-8') # the error string
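Review bot: The new `secure` parameter defaults to `True`, and `True` is the value that switches `file_insertion_enabled` and `raw_enabled` on, so any caller that omits the argument renders with the `include` and `raw` directives available; the default should be fail-closed. The name also reads backwards, since `secure = True` is the less restrictive mode. Something like `def rst_to_html(rst, trusted = False):` with `'file_insertion_enabled': trusted,` and `'raw_enabled': trusted,` would state the intent, with the author's own articles passing `trusted = True` explicitly. The same default is repeated on `validate_rst`, whose `except` body continues outside the hunk.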
@@ -1133,7 +1135,7 @@ def handle_cgi():
                        form_data.body_error = 'please, write a comment'
                        valid = False
                else:
-                       error = validate_rst(form_data.body)
+                       error = validate_rst(form_data.body, secure=False)
                        if error is not None:
                                (line, desc, ctx) = error
                                at = ''
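Review bot: Only the submission-time check here passes `secure=False`; this commit changes no call that renders a stored comment. If the display path calls `rst_to_html(...)` with the default, a comment that reached the store before this change or by another route would still be rendered with `raw` and file insertion enabled. It is worth confirming that the comment rendering code, which is not visible in this diff, also passes `secure=False`, so the restriction is enforced at output and not only at input. `handle_cgi` starts and ends outside the hunk.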