]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blob - IkiWiki/Plugin/htmlscrubber.pm
httpauth: When it's the only auth method, avoid a pointless and confusing signin...
[git.ikiwiki.info.git] / IkiWiki / Plugin / htmlscrubber.pm
1 #!/usr/bin/perl
2 package IkiWiki::Plugin::htmlscrubber;
4 use warnings;
5 use strict;
6 use IkiWiki 3.00;
8 # This regexp matches urls that are in a known safe scheme.
9 # Feel free to use it from other plugins.
10 our $safe_url_regexp;
12 sub import {
13         hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup);
14         hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
16         # Only known uri schemes are allowed to avoid all the ways of
17         # embedding javascrpt.
18         # List at http://en.wikipedia.org/wiki/URI_scheme
19         my $uri_schemes=join("|", map quotemeta,
20                 # IANA registered schemes
21                 "http", "https", "ftp", "mailto", "file", "telnet", "gopher",
22                 "aaa", "aaas", "acap",  "cap", "cid", "crid", 
23                 "dav", "dict", "dns", "fax", "go", "h323", "im", "imap",
24                 "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
25                 "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
26                 "z39.50r", "z39.50s",
27                 # Selected unofficial schemes
28                 "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
29                 "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
30                 "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
31                 "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
32         );
33         # data is a special case. Allow a few data:image/ types,
34         # but disallow data:text/javascript and everything else.
35         $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i;
36 }
38 sub getsetup () {
39         return
40                 plugin => {
41                         safe => 1,
42                         rebuild => undef,
43                         section => "core",
44                 },
45                 htmlscrubber_skip => {
46                         type => "pagespec",
47                         example => "!*/Discussion",
48                         description => "PageSpec specifying pages not to scrub",
49                         link => "ikiwiki/PageSpec",
50                         safe => 1,
51                         rebuild => undef,
52                 },
53 }
55 sub sanitize (@) {
56         my %params=@_;
58         if (exists $config{htmlscrubber_skip} &&
59             length $config{htmlscrubber_skip} &&
60             exists $params{page} &&
61             pagespec_match($params{page}, $config{htmlscrubber_skip})) {
62                 return $params{content};
63         }
65         return scrubber()->scrub($params{content});
66 }
68 my $_scrubber;
69 sub scrubber {
70         return $_scrubber if defined $_scrubber;
72         eval q{use HTML::Scrubber};
73         error($@) if $@;
74         # Lists based on http://feedparser.org/docs/html-sanitization.html
75         # With html5 tags added.
76         $_scrubber = HTML::Scrubber->new(
77                 allow => [qw{
78                         a abbr acronym address area b big blockquote br br/
79                         button caption center cite code col colgroup dd del
80                         dfn dir div dl dt em fieldset font form h1 h2 h3 h4
81                         h5 h6 hr hr/ i img input ins kbd label legend li map
82                         menu ol optgroup option p p/ pre q s samp select small
83                         span strike strong sub sup table tbody td textarea
84                         tfoot th thead tr tt u ul var
86                         video audio source section nav article aside hgroup
87                         header footer figure figcaption time mark canvas
88                         datalist progress meter ruby rt rp details summary
89                 }],
90                 default => [undef, { (
91                         map { $_ => 1 } qw{
92                                 abbr accept accept-charset accesskey
93                                 align alt axis border cellpadding cellspacing
94                                 char charoff charset checked class
95                                 clear cols colspan color compact coords
96                                 datetime dir disabled enctype for frame
97                                 headers height hreflang hspace id ismap
98                                 label lang maxlength media method
99                                 multiple name nohref noshade nowrap prompt
100                                 readonly rel rev rows rowspan rules scope
101                                 selected shape size span start summary
102                                 tabindex target title type valign
103                                 value vspace width
105                                 autofocus autoplay preload loopstart
106                                 loopend end playcount controls pubdate
107                                 placeholder min max step low high optimum
108                                 form required autocomplete novalidate pattern
109                                 list formenctype formmethod formnovalidate
110                                 formtarget reversed spellcheck open hidden
111                         } ),
112                         "/" => 1, # emit proper <hr /> XHTML
113                         href => $safe_url_regexp,
114                         src => $safe_url_regexp,
115                         action => $safe_url_regexp,
116                         formaction => $safe_url_regexp,
117                         cite => $safe_url_regexp,
118                         longdesc => $safe_url_regexp,
119                         poster => $safe_url_regexp,
120                         usemap => $safe_url_regexp,
121                 }],
122         );
123         return $_scrubber;