);
# data is a special case. Allow a few data:image/ types,
# but disallow data:text/javascript and everything else.
- $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i;
+ $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i;
}
sub getsetup () {
span strike strong sub sup table tbody td textarea
tfoot th thead tr tt u ul var
- video audio section nav article aside hgroup header
- footer time mark
+ video audio source section nav article aside hgroup
+ header footer figure figcaption time mark canvas
+ datalist progress meter ruby rt rp details summary
}],
default => [undef, { (
map { $_ => 1 } qw{
tabindex target title type valign
value vspace width
- autoplay loopstart loopend end
- playcount controls pubdate
+ autofocus autoplay preload loopstart
+ loopend end playcount controls pubdate
+ placeholder min max step low high optimum
+ form required autocomplete novalidate pattern
+ list formenctype formmethod formnovalidate
+ formtarget reversed spellcheck open hidden
} ),
"/" => 1, # emit proper <hr /> XHTML
href => $safe_url_regexp,
src => $safe_url_regexp,
action => $safe_url_regexp,
+ formaction => $safe_url_regexp,
cite => $safe_url_regexp,
longdesc => $safe_url_regexp,
poster => $safe_url_regexp,