]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - IkiWiki/Plugin/htmlscrubber.pm
Add automated test for using the CGI with git, including CVE-2016-10026
[git.ikiwiki.info.git] / IkiWiki / Plugin / htmlscrubber.pm
index 505a6f14293c7a35c4e2846e8ca0964dc0822066..a58a27d5221acc50e932057b9fabaffcf38c7b97 100644 (file)
@@ -32,7 +32,7 @@ sub import {
        );
        # data is a special case. Allow a few data:image/ types,
        # but disallow data:text/javascript and everything else.
-       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i;
+       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i;
 }
 
 sub getsetup () {
@@ -57,8 +57,8 @@ sub sanitize (@) {
 
        if (exists $config{htmlscrubber_skip} &&
            length $config{htmlscrubber_skip} &&
-           exists $params{destpage} &&
-           pagespec_match($params{destpage}, $config{htmlscrubber_skip})) {
+           exists $params{page} &&
+           pagespec_match($params{page}, $config{htmlscrubber_skip})) {
                return $params{content};
        }
 
@@ -107,7 +107,7 @@ sub scrubber {
                                placeholder min max step low high optimum
                                form required autocomplete novalidate pattern
                                list formenctype formmethod formnovalidate
-                               formtarget reversed spellcheck open
+                               formtarget reversed spellcheck open hidden
                        } ),
                        "/" => 1, # emit proper <hr /> XHTML
                        href => $safe_url_regexp,