X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/89256ab870299242c2f62858680c4a2870600a14..d851ae76f66e62896bb875f57588f4265ea33094:/IkiWiki/Plugin/htmlscrubber.pm diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 7398c8478..a58a27d52 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -3,13 +3,13 @@ package IkiWiki::Plugin::htmlscrubber; use warnings; use strict; -use IkiWiki 2.00; +use IkiWiki 3.00; # This regexp matches urls that are in a known safe scheme. # Feel free to use it from other plugins. our $safe_url_regexp; -sub import { #{{{ +sub import { hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup); hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize); @@ -30,16 +30,17 @@ sub import { #{{{ "msnim", "notes", "rsync", "secondlife", "skype", "ssh", "sftp", "smb", "sms", "snews", "webcal", "ymsgr", ); - # data is a special case. Allow data:image/*, but - # disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i; -} # }}} + # data is a special case. Allow a few data:image/ types, + # but disallow data:text/javascript and everything else. + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i; +} -sub getsetup () { #{{{ +sub getsetup () { return plugin => { safe => 1, rebuild => undef, + section => "core", }, htmlscrubber_skip => { type => "pagespec", @@ -49,29 +50,29 @@ sub getsetup () { #{{{ safe => 1, rebuild => undef, }, -} #}}} +} -sub sanitize (@) { #{{{ +sub sanitize (@) { my %params=@_; if (exists $config{htmlscrubber_skip} && length $config{htmlscrubber_skip} && - exists $params{destpage} && - pagespec_match($params{destpage}, $config{htmlscrubber_skip})) { + exists $params{page} && + pagespec_match($params{page}, $config{htmlscrubber_skip})) { return $params{content}; } return scrubber()->scrub($params{content}); -} # }}} +} my $_scrubber; -sub scrubber { #{{{ +sub scrubber { return $_scrubber if defined $_scrubber; eval q{use HTML::Scrubber}; error($@) if $@; # Lists based on http://feedparser.org/docs/html-sanitization.html - # With html 5 video and audio tags added. + # With html5 tags added. $_scrubber = HTML::Scrubber->new( allow => [qw{ a abbr acronym address area b big blockquote br br/ @@ -81,7 +82,10 @@ sub scrubber { #{{{ menu ol optgroup option p p/ pre q s samp select small span strike strong sub sup table tbody td textarea tfoot th thead tr tt u ul var - video audio + + video audio source section nav article aside hgroup + header footer figure figcaption time mark canvas + datalist progress meter ruby rt rp details summary }], default => [undef, { ( map { $_ => 1 } qw{ @@ -97,13 +101,19 @@ sub scrubber { #{{{ selected shape size span start summary tabindex target title type valign value vspace width - autoplay loopstart loopend end - playcount controls + + autofocus autoplay preload loopstart + loopend end playcount controls pubdate + placeholder min max step low high optimum + form required autocomplete novalidate pattern + list formenctype formmethod formnovalidate + formtarget reversed spellcheck open hidden } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, src => $safe_url_regexp, action => $safe_url_regexp, + formaction => $safe_url_regexp, cite => $safe_url_regexp, longdesc => $safe_url_regexp, poster => $safe_url_regexp, @@ -111,6 +121,6 @@ sub scrubber { #{{{ }], ); return $_scrubber; -} # }}} +} 1