* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber

and --disable-plugin htmlscrubber.

IkiWiki.pm

@@ -26,7 +26,6 @@ sub defaultconfig () { #{{{
 	diffurl => '',
 	anonok => 0,
 	rss => 0,
-	sanitize => 1,
 	rebuild => 0,
 	refresh => 0,
 	getctime => 0,
@@ -41,7 +40,7 @@ sub defaultconfig () { #{{{
 	setup => undef,
 	adminuser => undef,
 	adminemail => undef,
-	plugin => [qw{inline}],
+	plugin => [qw{inline htmlscrubber}],
 	headercontent => '',
 } #}}}
 	    

IkiWiki/Plugin/htmlscrubber.pm

@@ -0,0 +1,51 @@
+#!/usr/bin/perl
+package IkiWiki::Plugin::htmlscrubber;
+
+use warnings;
+use strict;
+use IkiWiki;
+
+sub import { #{{{
+	IkiWiki::hook(type => "sanitize", id => "htmlscrubber",
+		call => \&sanitize);
+} # }}}
+
+sub sanitize ($) { #{{{
+	return scrubber()->scrub(shift);
+} # }}}
+
+my $_scrubber;
+sub scrubber { #{{{
+	return $_scrubber if defined $_scrubber;
+	
+	eval q{use HTML::Scrubber};
+	# Lists based on http://feedparser.org/docs/html-sanitization.html
+	$_scrubber = HTML::Scrubber->new(
+		allow => [qw{
+			a abbr acronym address area b big blockquote br
+			button caption center cite code col colgroup dd del
+			dfn dir div dl dt em fieldset font form h1 h2 h3 h4
+			h5 h6 hr i img input ins kbd label legend li map
+			menu ol optgroup option p pre q s samp select small
+			span strike strong sub sup table tbody td textarea
+			tfoot th thead tr tt u ul var
+		}],
+		default => [undef, { map { $_ => 1 } qw{
+			abbr accept accept-charset accesskey action
+			align alt axis border cellpadding cellspacing
+			char charoff charset checked cite class
+			clear cols colspan color compact coords
+			datetime dir disabled enctype for frame
+			headers height href hreflang hspace id ismap
+			label lang longdesc maxlength media method
+			multiple name nohref noshade nowrap prompt
+			readonly rel rev rows rowspan rules scope
+			selected shape size span src start summary
+			tabindex target title type usemap valign
+			value vspace width
+		}}],
+	);
+	return $_scrubber;
+} # }}}
+
+1

IkiWiki/Plugin/skeleton.pm

@@ -15,6 +15,8 @@ sub import { #{{{
 		call => \&preprocess);
 	IkiWiki::hook(type => "filter", id => "skeleton", 
 		call => \&filter);
+	IkiWiki::hook(type => "sanitize", id => "skeleton", 
+		call => \&sanitize);
 	IkiWiki::hook(type => "delete", id => "skeleton", 
 		call => \&delete);
 	IkiWiki::hook(type => "change", id => "skeleton", 
@@ -33,11 +35,19 @@ sub preprocess (@) { #{{{
 	return "skeleton plugin result";
 } # }}}
 
-sub filter ($) { #{{{
+sub filter (@) { #{{{
-	my $content=shift;
+	my %params=@_;
 	
 	IkiWiki::debug("skeleton plugin running as filter");
 
+	return $params{content};
+} # }}}
+
+sub sanitize ($) { #{{{
+	my $content=shift;
+	
+	IkiWiki::debug("skeleton plugin running as a sanitizer");
+
 	return $content;
 } # }}}
 

IkiWiki/Render.pm

@@ -19,40 +19,6 @@ sub linkify ($$) { #{{{
 	return $content;
 } #}}}
 
-my $_scrubber;
-sub scrubber { #{{{
-	return $_scrubber if defined $_scrubber;
-	
-	eval q{use HTML::Scrubber};
-	# Lists based on http://feedparser.org/docs/html-sanitization.html
-	$_scrubber = HTML::Scrubber->new(
-		allow => [qw{
-			a abbr acronym address area b big blockquote br
-			button caption center cite code col colgroup dd del
-			dfn dir div dl dt em fieldset font form h1 h2 h3 h4
-			h5 h6 hr i img input ins kbd label legend li map
-			menu ol optgroup option p pre q s samp select small
-			span strike strong sub sup table tbody td textarea
-			tfoot th thead tr tt u ul var
-		}],
-		default => [undef, { map { $_ => 1 } qw{
-			abbr accept accept-charset accesskey action
-			align alt axis border cellpadding cellspacing
-			char charoff charset checked cite class
-			clear cols colspan color compact coords
-			datetime dir disabled enctype for frame
-			headers height href hreflang hspace id ismap
-			label lang longdesc maxlength media method
-			multiple name nohref noshade nowrap prompt
-			readonly rel rev rows rowspan rules scope
-			selected shape size span src start summary
-			tabindex target title type usemap valign
-			value vspace width
-		}}],
-	);
-	return $_scrubber;
-} # }}}
-
 sub htmlize ($$) { #{{{
 	my $type=shift;
 	my $content=shift;
@@ -71,8 +37,10 @@ sub htmlize ($$) { #{{{
 		error("htmlization of $type not supported");
 	}
 
-	if ($config{sanitize}) {
+	if (exists $hooks{sanitize}) {
-		$content=scrubber()->scrub($content);
+		foreach my $id (keys %{$hooks{sanitize}}) {
+			$content=$hooks{sanitize}{$id}{call}->($content);
+		}
 	}
 	
 	return $content;

debian/NEWS

@@ -9,6 +9,11 @@ ikiwiki (1.1) unstable; urgency=low
   search plugin, by passing --plugin=search or through the plugin setting in
   the config file.
 
+  The --sanitize and --no-sanitize switches are also gone, replaced with the
+  htmlscrubber plugin. This plugin is enabled by default, to disable it,
+  use --disable-plugin=htmlscrubber, or modify the plugin setting in the
+  config file.
+
   You will need to rebuild your wiki when upgrading to this version.
   If you listed your wiki in /etc/ikiwiki/wikilist this will be done
   automatically.

debian/changelog

@@ -43,8 +43,10 @@ ikiwiki (1.1) UNRELEASED; urgency=low
   * Copied in some smileys from Moin Moin.
   * Allow links of the form [[some page|page]], with whitespace in the link
     text.
+  * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber
+    and --disable-plugin htmlscrubber.
 
- -- Joey Hess <joeyh@debian.org>  Fri,  5 May 2006 00:14:53 -0400
+ -- Joey Hess <joeyh@debian.org>  Fri,  5 May 2006 01:28:19 -0400
 
 ikiwiki (1.0) unstable; urgency=low
 

doc/ikiwiki.setup

@@ -48,8 +48,7 @@ use IkiWiki::Setup::Standard {
 	#anonok => 1,
 	# Generate rss feeds for pages?
 	rss => 1,
-	# Sanitize html?
-	sanitize => 1,
 	# To change the enabled plugins, edit this list
-	#plugin => [qw{pagecount inline brokenlinks hyperestraier smiley}],
+	#plugin => [qw{pagecount inline brokenlinks hyperestraier smiley
+	#              htmlscrubber}],
 }

doc/news/sanitization.mdwn

@@ -1,7 +1,8 @@
-ikiwiki's main outstanding security hole, lack of [[HtmlSanitization]] has
+ikiwiki's main outstanding security hole, lack of html sanitization, has
-now been addressed. ikiwiki now sanitizes html by default.
+now been addressed. ikiwiki now sanitizes html by default, using the
+[[plugins/htmlscrubber]] plugin.
 
 If only trusted parties can edit your wiki's content, then you might want
 to turn this sanitization back off to allow use of potentially dangerous
-tags. To do so, pass --no-sanitize or set "sanitize => 0," in your
+tags. To do so, pass --disable-plugin=sanitize or edit the plugins
-[[ikiwiki.setup]].
+configuration in your [[ikiwiki.setup]].

doc/plugins.mdwn

@@ -1,9 +1,9 @@
 There's documentation if you want to [[write]] your own plugins, or you can install and use plugins contributed by others. 
 
 The ikiwiki package includes some standard plugins that are installed and
-by default. These include [[inline]], [[pagecount]], [[brokenlinks]],
+by default. These include [[inline]], [[htmlscrubber]], [[pagecount]],
-[[search]], [[smiley]], and even [[haiku]]. 
+[[brokenlinks]], [[search]], [[smiley]], and even [[haiku]]. 
-Of these, [[inline]] is enabled by default.
+Of these, [[inline]] and [[htmlscrubber]] are enabled by default.
 
 To enable other plugins, use the `--plugin` switch described in [[usage]],
 or the equivalent line in [[ikiwiki.setup]].

doc/plugins/htmlscrubber.mdwn

@@ -1,13 +1,12 @@
-When run with the `--sanitize` switch, which is turned on by default (see
+This plugin is enabled by default. It sanitizes the html on pages it renders
-[[usage]]), ikiwiki sanitizes the html on pages it renders to avoid XSS
+to avoid XSS attacks and the like.
-attacks and the like.
 
-ikiwiki excludes all html tags and attributes except for those that are
+It excludes all html tags and attributes except for those that are
 whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
 Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
 Notably it strips `style`, `link`, and the `style` attribute.
 
-ikiwiki uses the HTML::Scrubber perl module to perform its html
+It uses the HTML::Scrubber perl module to perform its html
 sanitisation, and this perl module also deals with various entity encoding
 tricks.
 
@@ -23,7 +22,8 @@ browser.
 
 ----
 
-Some examples of embedded javascript that won't be let through.
+Some examples of embedded javascript that won't be let through when this
+plugin is active:
 
 * <span style="background: url(javascript:window.location='http://example.org/')">test</span>
 * <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">test</span>

doc/plugins/write.mdwn

@@ -49,7 +49,7 @@ return the error message as the output of the plugin.
 
 ### Html issues
 
-Note that if [[HTMLSanitization]] is enabled, html in
+Note that if the [[htmlscrubber]] is enabled, html in
 [[PreProcessorDirective]] output is sanitised, which may limit what your
 plugin can do. Also, the rest of the page content is not in html format at
 preprocessor time. Text output by a preprocessor directive will be passed
@@ -75,7 +75,16 @@ IkiWiki::error if something isn't configured right.
 
 Runs on the raw source of a page, before anything else touches it, and can
 make arbitrary changes. The function is passed named parameters `page` and
-`content` should return the filtered content.
+`content` and should return the filtered content.
+
+### sanitize
+
+	IkiWiki::hook(type => "filter", id => "foo", call => \&sanitize);
+
+Use this to implement html sanitization or anything else that needs to
+modify the content of a page after it has been fully converted to html.
+The function is passed the page content and should return the sanitized
+content.
 
 ### delete
 

doc/security.mdwn

@@ -215,4 +215,5 @@ pages from source with some other extension.
 
 ## XSS attacks in page content
 
-ikiwiki supports [[HtmlSanitization]], though it can be turned off.
+ikiwiki supports protecting users from their own broken browsers via the
+[[plugins/htmlscrubber]] plugin, which is enabled by default.

doc/todo/plugin.mdwn

@@ -25,8 +25,6 @@ Suggestions of ideas for plugins:
   or something. It's possible that this is a special case of backlinks and
   is best implemented by making backlinks a plugin somehow. --[[Joey]]
 
-* Splitting out html sanitisation should be easy to do.
-
 * interwiki links
 
 All the kinds of plugins that blogging software has is also a possibility:

doc/usage.mdwn

@@ -162,16 +162,16 @@ These options configure the wiki.
   Currently allows locking of any page, other powers may be added later.
   May be specified multiple times for multiple admins.
 
-* --sanitize
-
-  Enable [[HtmlSanitization]] of wiki content. On by default, disable with
-  --no-sanitize.
-
 * --plugin name
 
   Enables the use of the specified plugin in the wiki. See [[plugins]] for
   details. Note that plugin names are case sensative.
 
+* --disable-plugin name
+
+  Disables use of a plugin. For example "--disable-plugin htmlscrubber"
+  to do away with html sanitization.
+
 * --verbose
 
   Be vebose about what is being done.

ikiwiki

@@ -29,7 +29,6 @@ sub getconfig () { #{{{
 			"rss!" => \$config{rss},
 			"cgi!" => \$config{cgi},
 			"notify!" => \$config{notify},
-			"sanitize!" => \$config{sanitize},
 			"url=s" => \$config{url},
 			"cgiurl=s" => \$config{cgiurl},
 			"historyurl=s" => \$config{historyurl},
@@ -54,7 +53,10 @@ sub getconfig () { #{{{
 			},
 			"plugin=s@" => sub {
 				push @{$config{plugin}}, $_[1];
-			}
+			},
+			"disable-plugin=s@" => sub {
+				$config{plugin}=[grep { $_ ne $_[1] } @{$config{plugin}} ];
+			},
 		) || usage();
 
 		if (! $config{setup}) {