should be safe from javascript attacks.
span strike strong sub sup table tbody td textarea
tfoot th thead tr tt u ul var
}],
- default => [undef, { map { $_ => 1 } qw{
- abbr accept accept-charset accesskey action
- align alt axis border cellpadding cellspacing
- char charoff charset checked cite class
- clear cols colspan color compact coords
- datetime dir disabled enctype for frame
- headers height href hreflang hspace id ismap
- label lang longdesc maxlength media method
- multiple name nohref noshade nowrap prompt
- readonly rel rev rows rowspan rules scope
- selected shape size span src start summary
- tabindex target title type usemap valign
- value vspace width
- }, "/" => 1, # emit proper <hr /> XHTML
- }],
+ default => [undef, { (
+ map { $_ => 1 } qw{
+ abbr accept accept-charset accesskey action
+ align alt axis border cellpadding cellspacing
+ char charoff charset checked cite class
+ clear cols colspan color compact coords
+ datetime dir disabled enctype for frame
+ headers height href hreflang hspace id ismap
+ label lang longdesc maxlength media method
+ multiple name nohref noshade nowrap prompt
+ readonly rel rev rows rowspan rules scope
+ selected shape size span src start summary
+ tabindex target title type usemap valign
+ value vspace width
+ } ),
+ "/" => 1, # emit proper <hr /> XHTML
+ "style" => qr{^[-a-zA-Z0-9]+$}, # only very simple
+ # references allowed,
+ # to avoid javascript
+ }],
);
return $_scrubber;
} # }}}
* Support building on systems that lack asprintf.
* mercurial getctime is currently broken, apparently by some change in
mercurial version 0.9.4. Turn the failing test case into a TODO test case.
+ * Allow simple alphanumeric style attribute values in the htmlscrubber. This
+ should be safe from javascript attacks.
- -- Joey Hess <joeyh@debian.org> Sun, 08 Jul 2007 20:25:00 -0400
+ -- Joey Hess <joeyh@debian.org> Wed, 11 Jul 2007 12:23:41 -0400
ikiwiki (2.3) unstable; urgency=low
It excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
-Notably it strips `style`, `link`, and the `style` attribute.
+Notably it strips `style` and `link`.
+
+For the `style` attribute, it varys slightly from the Universal Feed
+Parser, accepting simple alphanumeric style attributes (style="foo"), but
+stripping anything more complex to avoid any of the ways to insert
+JavaScript via style attributes.
It uses the [[cpan HTML::Scrubber]] perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding
* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>
* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span>
* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span>
+* <span style="pretty">OTOH, this is ok, and will be accepted</a>
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2007-07-08 20:26-0400\n"
+"POT-Creation-Date: 2007-07-11 12:49-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"