Commit Graph

43 Commits (f95b1c7fd7f9e4168add1e860a2758c948fd2a39)

Author SHA1 Message Date
Joey Hess f3beb9cb44
htmlscrubber: Add support for the video tag's loop and muted attributes.
Those were not in the original html5 spec, but have been added in the
whatwg html living standard and have wide browser support.

This commit was sponsored by John Peloquin on Patreon.
2017-07-11 15:51:44 -04:00
Joey Hess 7173ef1b13 htmlscrubber: Allow the URI schemes of major VCS's. 2013-01-05 17:25:47 -04:00
Joey Hess 3d6ee9eccd htmlscrubber: Allow the bitcoin URI scheme. 2012-12-22 16:15:38 -04:00
Joey Hess 289b30a47d Fix htmlscrubber_skip to be matched on the source page, not the page it is inlined into. Should allow setting to "* and !comment(*)" to scrub comments, but leave your blog posts unscrubbed, etc. 2010-11-12 00:00:54 -04:00
Joey Hess 9b9ecda62f htmlscrubber: Do not scrub url anchors that contain colons. 2010-08-19 13:59:31 -04:00
Joey Hess ccafb10007 enable hidden attribute 2010-05-01 19:59:16 -04:00
Joey Hess 790a339db1 htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby, rt, rp, details, summary. 2010-05-01 19:28:28 -04:00
Joey Hess f1e2d0af12 more html5 attributes 2010-05-01 19:11:03 -04:00
Joey Hess 78cee5140a add rest of html5 form attributes
It's easy to imagine pattern being used to freeze or crash browsers, if
they implement it stupidly. Let's hope not..
2010-05-01 18:44:37 -04:00
Joey Hess 80f9a2a087 add figure and figcaption 2010-05-01 18:31:33 -04:00
Joey Hess 0a139aba82 htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, max, step. 2010-05-01 18:27:53 -04:00
Joey Hess 442bc59a15 htmlscrubber: Allow the placeholder attribute. 2010-05-01 18:14:50 -04:00
Joey Hess 73c8209484 more html5
* htmlscrubber: Also allow html5 canvas tags.
* htmlscrubber: Round out html5 video support with the preload
  attribute and the source tag.
2010-05-01 17:56:35 -04:00
Joey Hess 80f2042464 htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup header footer time mark 2010-05-01 16:34:47 -04:00
Joey Hess 104919ee07 htmlscrubber: Allow colons in url fragments after '?'
Colons are not allowed at the start of urls, because it can be interpreted
as a protocol, and allowing arbitrary protocols can be unsafe
(CVE-2008-0809). However, this check was too restrictive, not allowing
use of eg, "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a
video, or "somecgi?foo=bar:baz" to pass parameters with colons.

It's still not allowed to have a filename with a colon in it (ie
"foo:bar.png") -- to link to such a file, a fully qualified url must be
used.
2010-04-02 16:05:14 -04:00
Joey Hess 2ad3e60ee8 htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg. 2010-03-12 14:50:26 -05:00
Joey Hess a63929f6cc Group related plugins into sections in the setup file, and drop unused rcs plugins from the setup file. 2010-02-11 22:24:15 -05:00
Joey Hess 678d467a40 finalise version 3.00 of the plugin api 2008-12-23 16:34:19 -05:00
Joey Hess bb93fccf06 Coding style change: Remove explcit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess 89256ab870 htmlscrubber: Add a config setting that can be used to disable the scrubber acting on a set of pages. 2008-09-26 18:07:37 -04:00
Joey Hess 903213e63f add plugin safe/rebuild info (part 1 of 2)
too many plugins.. brain exploding..
2008-08-03 16:40:12 -04:00
Adeodato Simó be0b4f603f Allow colons in URLs after the first slash
A new regexp fixes this bug:
http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/

I traced this down to htmlscrubber. If disabled,
it works. If enabled, then $safe_url_regexp
determines the URL unsafe because of the colon and
hence removes the src attribute.

Digging into this, I find that RFC 3986 pretty
much discourages colons in filenames:

"""
A path segment that contains a colon character
(e.g., "this:that") cannot be used as the first
segment of a relative-path reference, as it would
be mistaken for a scheme name. Such a segment must
be preceded by a dot-segment (e.g., "./this:that")
to make a relative- path reference.
"""

on the other hand, with usedirs, any link to
another page will be prepended by ../ anyway, so
that makes them okay again.

The solution still seems not to use colons.

In any case, htmlscrubber should get a new regexp,
courtesy of dato.

I have tested and verified this.

Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-02-29 19:29:44 +01:00
Joey Hess c6fc554c54 use quotemeta when building the regexp 2008-02-10 19:02:12 -05:00
Josh Triplett 728dfd9595 Allow the smb: URI scheme. 2008-02-10 15:08:56 -08:00
Josh Triplett 502cd00ec7 Allow the snews: URI scheme. 2008-02-10 15:05:11 -08:00
Josh Triplett ec9d3ab549 Do not allow the steam: URI scheme. 2008-02-10 14:59:08 -08:00
Josh Triplett 3cda22a27f Match literal '.' in URI schemas containing '.', rather than matching any character 2008-02-10 14:50:30 -08:00
Joey Hess 4bfdbd4858 export $safe_url_regexp 2008-02-10 17:07:21 -05:00
Josh Triplett d20e24b636 Also filter the attributes cite, longdesc, and usemap, which can contain URIs 2008-02-10 13:59:37 -08:00
Joey Hess 2078f706d6 add parens around scheme regexp 2008-02-10 16:29:46 -05:00
Josh Triplett a7be7bdf56 Do not allow the about: URI scheme
Some browsers interpret about: URIs like a limited version of data:
URIs.  In particular, some versions of Internet Explorer interpret
arbitrary HTML content in about: URIs.
2008-02-10 13:23:28 -08:00
Joey Hess dfd6bb3854 fix data:image handling 2008-02-10 15:24:03 -05:00
Joey Hess d7e0c035e5 * htmlscrubber security fix: Block javascript in uris.
* Add htmlscrubber test suite.
2008-02-10 13:16:40 -05:00
Joey Hess 4c1a4402f9 * htmlscrubber: Further work around #365971 by adding tags for 'br/', 'hr/'
and 'p/'.
2008-01-07 18:32:50 -05:00
Joey Hess e016a975c4 * Allow html5 video and audio tags and their attributes in the htmlscrubber. 2007-11-18 13:34:06 -05:00
joey 03dc63588c on second thought, simple alphanumeric styles are not actually useful (class is already supported), and anything more complex is too hard to do, so revert 2007-07-11 17:57:02 +00:00
joey a8fa52080d * Allow simple alphanumeric style attribute values in the htmlscrubber. This
should be safe from javascript attacks.
2007-07-11 16:50:59 +00:00
joey ee1ad53c4c * pagespec_match() has changed to take named parameters, to better allow
for extended pagespecs. The old calling convention will still work for
  back-compat for now.
* The calling convention for functions in the IkiWiki::PageSpec namespace
  has changed so they are passed named parameters.
* Plugin interface version increased to 2.00 since I don't anticipate any
  more interface changes before 2.0.
2007-04-27 02:55:52 +00:00
joey 35ee7e44a6 * Make sure to check for errors from every eval. 2006-11-08 21:03:33 +00:00
joey dae0f48e91 * Work on firming up the plugin interface:
- Plugins should not need to load IkiWiki::Render to get commonly
    used functions, so moved some functions from there to IkiWiki.
  - Picked out the set of functions and variables that most plugins
    use, documented them, and made IkiWiki export them by default,
    like a proper perl module should.
  - Use the other functions at your own risk.
  - This is not quite complete, I still have to decide whether to
    export some other things.
* Changed all plugins included in ikiwiki to not use "IkiWiki::" when
  referring to stuff now exported by the IkiWiki module.
* Anyone with a third-party ikiwiki plugin is strongly enrouraged
  to make like changes to it and avoid use of non-exported symboles from
  "IkiWiki::".
* Link debian/changelog and debian/news to NEWS and CHANGELOG.
* Support hyperestradier version 1.4.2, which adds a new required phraseform
  setting.
2006-09-09 22:50:27 +00:00
joey 4895955cea * Change htmlize, format, and sanitize hooks to use named parameters. 2006-08-28 18:17:59 +00:00
joey 7f64dd4f66 * Tell HTML::Scrubber to treat "/" as a valid attribute which is its
very strange way of enabling proper XHTML <br /> type tags. Output html
  should be always valid again now.
2006-05-25 22:03:22 +00:00
joey 6652de5e1a * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber
and --disable-plugin htmlscrubber.
2006-05-05 05:41:11 +00:00