on second thought, simple alphanumeric styles are not actually useful (class is already supported), and anything more complex is too hard to do, so revert

master
joey 2007-07-11 17:57:02 +00:00
parent a8fa52080d
commit 03dc63588c
3 changed files with 1 additions and 12 deletions


@ -47,9 +47,6 @@ sub scrubber { #{{{
value vspace width value vspace width
} ), } ),
"/" => 1, # emit proper <hr /> XHTML "/" => 1, # emit proper <hr /> XHTML
"style" => qr{^[-a-zA-Z0-9]+$}, # only very simple
# references allowed,
# to avoid javascript
}], }],
); );
return $_scrubber; return $_scrubber;
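Review bot: dropping the `"style" => qr{^[-a-zA-Z0-9]+$}` entry is the right fix rather than tightening the regex. A value matching `^[-a-zA-Z0-9]+$` is a single bare token with no `property: value` pair, so it could never carry a usable CSS declaration, and falling back to stripping `style` entirely (the Universal Feed Parser behaviour the plugin otherwise follows) closes the `expression(...)` and `url(javascript:...)` vectors without any per-value parsing. The removed entry was the last one before `}],`, so `"/" => 1, # emit proper <hr /> XHTML` is now followed by a trailing comma; Perl accepts that in a hash literal, so the code stays valid. What the hunk does not add is a test: the only check that `style` is stripped is the example list on the doc page, so a unit test asserting that the object returned by `scrubber()` drops the attribute would stop it being re-added by accident.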

debian/changelog (2 changes)

@ -7,8 +7,6 @@ ikiwiki (2.4) UNRELEASED; urgency=low
* Support building on systems that lack asprintf. * Support building on systems that lack asprintf.
* mercurial getctime is currently broken, apparently by some change in * mercurial getctime is currently broken, apparently by some change in
mercurial version 0.9.4. Turn the failing test case into a TODO test case. mercurial version 0.9.4. Turn the failing test case into a TODO test case.
* Allow simple alphanumeric style attribute values in the htmlscrubber. This
should be safe from javascript attacks.
-- Joey Hess <joeyh@debian.org> Wed, 11 Jul 2007 12:23:41 -0400 -- Joey Hess <joeyh@debian.org> Wed, 11 Jul 2007 12:23:41 -0400
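Review bot: removing the changelog entry outright instead of recording the revert is correct here, because both the addition and its removal land in the same unreleased 2.4 entry, so no released behaviour changes and there is nothing for users to read. The removed lines sat directly above the ` -- Joey Hess <joeyh@debian.org>` trailer; since the side-by-side rendering hides blank lines, confirm that the blank line conventionally kept between the last bullet and the trailer is still present in the file.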


@ -7,12 +7,7 @@ to avoid XSS attacks and the like.
It excludes all html tags and attributes except for those that are It excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>. Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
Notably it strips `style` and `link`. Notably it strips `style` and `link` tags, and the `style` attribute.
For the `style` attribute, it varys slightly from the Universal Feed
Parser, accepting simple alphanumeric style attributes (style="foo"), but
stripping anything more complex to avoid any of the ways to insert
JavaScript via style attributes.
It uses the [[cpan HTML::Scrubber]] perl module to perform its html It uses the [[cpan HTML::Scrubber]] perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding sanitisation, and this perl module also deals with various entity encoding
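Review bot: the rewritten sentence on the first changed line, "Notably it strips `style` and `link` tags, and the `style` attribute", is accurate after the revert, and dropping the four-line paragraph also removes the typo "varys". Since the stated rationale for the revert is that `class` already covers what the alphanumeric `style` values were meant for, a short clause after that sentence pointing users at the `class` attribute (which the whitelist keeps) would stop the next person from re-proposing the same whitelist.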
@ -41,4 +36,3 @@ plugin is active:
* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span> * <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>
* <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">entity-encoded CSS script test</span> * <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">entity-encoded CSS script test</span>
* <span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">entity-encoded CSS script test</span> * <span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">entity-encoded CSS script test</span>
* <span style="pretty">OTOH, this is ok, and will be accepted</a>
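Review bot: the removed positive-case line had mismatched markup, `<span style="pretty">...</a>`, so dropping it also fixes the invalid HTML in the test list. The three remaining entries (a plain `url(javascript:...)` payload and the hex- and decimal-entity encodings of `any: expression(window.location='http://example.org/')`) are still the right checks: with the `style` attribute stripped unconditionally they must all come out as bare `<span>` text. Now that the one item whose expected outcome was "kept" is gone, check that the sentence introducing the list (only its tail, `plugin is active:`, is visible in the hunk header) still reads as a claim that every listed item is stripped.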