X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/7f64dd4f6688149306282f1a2a951535b9493300..b857b229d8ff3601bbf01fafa51a3b3d3da928d8:/IkiWiki/Plugin/htmlscrubber.pm?ds=sidebyside diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 8e8391817..3bdaccea1 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -3,47 +3,86 @@ package IkiWiki::Plugin::htmlscrubber; use warnings; use strict; -use IkiWiki; +use IkiWiki 2.00; + +# This regexp matches urls that are in a known safe scheme. +# Feel free to use it from other plugins. +our $safe_url_regexp; sub import { #{{{ - IkiWiki::hook(type => "sanitize", id => "htmlscrubber", - call => \&sanitize); + hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize); + + # Only known uri schemes are allowed to avoid all the ways of + # embedding javascrpt. + # List at http://en.wikipedia.org/wiki/URI_scheme + my $uri_schemes=join("|", map quotemeta, + # IANA registered schemes + "http", "https", "ftp", "mailto", "file", "telnet", "gopher", + "aaa", "aaas", "acap", "cap", "cid", "crid", + "dav", "dict", "dns", "fax", "go", "h323", "im", "imap", + "ldap", "mid", "news", "nfs", "nntp", "pop", "pres", + "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp", + "z39.50r", "z39.50s", + # Selected unofficial schemes + "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg", + "irc", "ircs", "lastfm", "ldaps", "magnet", "mms", + "msnim", "notes", "rsync", "secondlife", "skype", "ssh", + "sftp", "smb", "sms", "snews", "webcal", "ymsgr", + ); + # data is a special case. Allow data:image/*, but + # disallow data:text/javascript and everything else. + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i; } # }}} -sub sanitize ($) { #{{{ - return scrubber()->scrub(shift); +sub sanitize (@) { #{{{ + my %params=@_; + return scrubber()->scrub($params{content}); } # }}} my $_scrubber; sub scrubber { #{{{ return $_scrubber if defined $_scrubber; - + eval q{use HTML::Scrubber}; + error($@) if $@; # Lists based on http://feedparser.org/docs/html-sanitization.html + # With html 5 video and audio tags added. $_scrubber = HTML::Scrubber->new( allow => [qw{ - a abbr acronym address area b big blockquote br + a abbr acronym address area b big blockquote br br/ button caption center cite code col colgroup dd del dfn dir div dl dt em fieldset font form h1 h2 h3 h4 - h5 h6 hr i img input ins kbd label legend li map - menu ol optgroup option p pre q s samp select small + h5 h6 hr hr/ i img input ins kbd label legend li map + menu ol optgroup option p p/ pre q s samp select small span strike strong sub sup table tbody td textarea tfoot th thead tr tt u ul var + video audio }], - default => [undef, { map { $_ => 1 } qw{ - abbr accept accept-charset accesskey action - align alt axis border cellpadding cellspacing - char charoff charset checked cite class - clear cols colspan color compact coords - datetime dir disabled enctype for frame - headers height href hreflang hspace id ismap - label lang longdesc maxlength media method - multiple name nohref noshade nowrap prompt - readonly rel rev rows rowspan rules scope - selected shape size span src start summary - tabindex target title type usemap valign - value vspace width - }, "/" => 1, # emit proper