]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - IkiWiki/Plugin/htmlscrubber.pm
Do not allow the about: URI scheme
[git.ikiwiki.info.git] / IkiWiki / Plugin / htmlscrubber.pm
index 25caa8a506cdf5ab8ea0c9b0d3e9e935f62bd6f8..e02a8591ef2eac17d9d34eba4031bcdb7ce6b3ab 100644 (file)
@@ -29,16 +29,15 @@ sub scrubber { #{{{
                "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
                "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
                "z39.50r", "z39.50s",
                "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
                "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
                "z39.50r", "z39.50s",
-               # data is a special case. Allow data:text/<image>, but
-               # disallow data:text/javascript and everything else.
-               qr/data:text\/(?:png|gif|jpeg)/,
                # Selected unofficial schemes
                # Selected unofficial schemes
-               "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
+               "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
                "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "sms", "steam", "webcal", "ymsgr",
        );
                "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "sms", "steam", "webcal", "ymsgr",
        );
-       my $link=qr/^(?:$uri_schemes:|[^:]+$)/i;
+       # data is a special case. Allow data:image/*, but
+       # disallow data:text/javascript and everything else.
+       my $link=qr/^(?:$uri_schemes:|data:image\/|[^:]+$)/i;
 
        eval q{use HTML::Scrubber};
        error($@) if $@;
 
        eval q{use HTML::Scrubber};
        error($@) if $@;