urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

on second thought, simple alphanumeric styles are not actually useful (class is already supported), and anything more complex is too hard to do, so revert

master
joey 2007-07-11 17:57:02 +00:00
parent a8fa52080d
commit 03dc63588c
3 changed files with 1 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
IkiWiki/Plugin/htmlscrubber.pm
View File

@ -47,9 +47,6 @@ sub scrubber { #{{{
value vspace width
} ),
"/" => 1, # emit proper <hr /> XHTML
"style" => qr{^[-a-zA-Z0-9]+$}, # only very simple
# references allowed,
# to avoid javascript
}],
);
return $_scrubber;

2
debian/changelog vendored
View File

@ -7,8 +7,6 @@ ikiwiki (2.4) UNRELEASED; urgency=low
* Support building on systems that lack asprintf.
* mercurial getctime is currently broken, apparently by some change in
mercurial version 0.9.4. Turn the failing test case into a TODO test case.
* Allow simple alphanumeric style attribute values in the htmlscrubber. This
should be safe from javascript attacks.
-- Joey Hess <joeyh@debian.org> Wed, 11 Jul 2007 12:23:41 -0400

8
doc/plugins/htmlscrubber.mdwn
View File

@ -7,12 +7,7 @@ to avoid XSS attacks and the like.
It excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
Notably it strips `style` and `link`.
For the `style` attribute, it varys slightly from the Universal Feed
Parser, accepting simple alphanumeric style attributes (style="foo"), but
stripping anything more complex to avoid any of the ways to insert
JavaScript via style attributes.
Notably it strips `style` and `link` tags, and the `style` attribute.
It uses the [[cpan HTML::Scrubber]] perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding
@ -41,4 +36,3 @@ plugin is active:
* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>
* <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">entity-encoded CSS script test</span>
* <span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">entity-encoded CSS script test</span>
* <span style="pretty">OTOH, this is ok, and will be accepted</a>