htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby, rt, rp, details, summary.

master
Joey Hess 2010-05-01 19:28:28 -04:00
parent f1e2d0af12
commit 790a339db1
3 changed files with 21 additions and 14 deletions


@ -85,7 +85,7 @@ sub scrubber {
video audio source section nav article aside hgroup
header footer figure figcaption time mark canvas
datalist
datalist progress meter ruby rt rp details summary
}],
default => [undef, { (
map { $_ => 1 } qw{
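Review bot: the tags added on the `datalist` line are all purely semantic, so whitelisting them is safe, but `progress` and `meter` are only useful if `value`, `min`, `max`, `low`, `high` and `optimum` are also allowed, and `details` needs `open`; the attribute hunk below adds `low high optimum open`, but `value` is not visible in this diff, so please confirm it is already in the attribute whitelist. Also, `canvas` already sits in the context line from the previous commit, so the commit message's "canvas" is redundant here.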
@ -104,10 +104,10 @@ sub scrubber {
autofocus autoplay preload loopstart
loopend end playcount controls pubdate
placeholder min max step form required
autocomplete novalidate pattern list
formenctype formmethod formnovalidate
formtarget reversed
placeholder min max step low high optimum
form required autocomplete novalidate pattern
list formenctype formmethod formnovalidate
formtarget reversed spellcheck open
} ),
"/" => 1, # emit proper <hr /> XHTML
href => $safe_url_regexp,
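Review bot: the only real change in this hunk is the addition of `low high optimum spellcheck open`, but re-wrapping the existing `placeholder min max step ...` lines turns a one-line addition into a five-line rewrite; appending the new names on their own line would keep the diff reviewable. On the security side, none of the five new attributes can carry a URL or script (`low`/`high`/`optimum` are numeric, `spellcheck` is true/false, `open` is boolean), so mapping them to `1` rather than to `$safe_url_regexp` is correct.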

debian/changelog vendored

@ -7,7 +7,8 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low
did not support building urls from utf-8 strings. Closes: #579713
* htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup
header footer figure figcaption time mark
* htmlscrubber: Also allow html5 canvas tags.
* htmlscrubber: Also allow some other html5 tags: canvas, progress, meter,
ruby, rt, rp, details, summary.
* htmlscrubber: Round out html5 video support with the preload
attribute and the source tag.
* htmlscrubber: Allow the html5 form attributes: placeholder autofocus,
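Review bot: the changelog now lists `canvas` twice, once in the retained "Also allow html5 canvas tags." entry and again in the new "Also allow some other html5 tags: canvas, progress, meter, ..." entry; fold the two into one entry (or drop `canvas` from the new one) so the release notes do not claim the same tag was added in two places.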


@ -68,23 +68,29 @@ HTML5](http://www.w3.org/TR/html5-diff/).
> * Use nav for the actionbar
> * Use placeholder in the search box. Allows closing
> [[this_todo|Add_label_to_search_form_input_field]]
> * Use details tag instead of the javascript in the toggle plugin.
> (Need to wait on browser support probably.)
> --[[Joey]]
# htmlscrubber.pm needs to not scrub new HTML5 elements
* [new elements](http://www.w3.org/TR/html5-diff/#new-elements)
> Most of these can be supported trivially, since they are just semantic
> markup. Make a list of these, and their attributes (and which attributes
> can contain urls or other javascript injection mechanisms), and I can add
> them. (Added several now.) Others, like `embed` are *scary*. --[[Joey]]
> Many added now.
>
> Things I left out, too hard to understand today:
> Attributes contenteditabl, contextmenu,
> data-*, draggable, hidden, role, aria-*. Tags command, keygen,
> output.
>
> Clearly unsafe: embed.
>
> Apparently cannot be used w/o javascript: menu.
>
> I have not added the new `ping` attribute, because parsing a
> space-separeated list of urls to avoid javascript injection is annoying,
> and the attribute seems generally dubious.
>
> Need to understand better the attributes contenteditabl, contextmenu,
> data-*, draggable, hidden, role, aria-*. Have not added those. --[[Joey]]
> --[[Joey]]
# HTML5 Validation and t/html.t
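Review bot: the added reply repeats itself and ends with two sign-offs: "Need to understand better the attributes contenteditabl, contextmenu, data-*, draggable, hidden, role, aria-*. Have not added those. --[[Joey]]" restates the "Things I left out" list a few lines above, and the lone "--[[Joey]]" line after it is a second signature; keep one of the two paragraphs and one sign-off. Both copies also misspell `contenteditable` as "contenteditabl", and "space-separeated" should be "space-separated". Given that `details` is now allowed, the earlier "Use details tag instead of the javascript in the toggle plugin" item could note that the scrubber side is done and only browser support remains.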