Provide a UUID in edittemplate templates.
[ikiwiki.git] / IkiWiki / Plugin / htmlscrubber.pm
1 #!/usr/bin/perl
2 package IkiWiki::Plugin::htmlscrubber;
3
4 use warnings;
5 use strict;
6 use IkiWiki 3.00;
7
8 # This regexp matches urls that are in a known safe scheme.
9 # Feel free to use it from other plugins.
10 our $safe_url_regexp;
11
12 sub import {
13         hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup);
14         hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
15
16         # Only known uri schemes are allowed to avoid all the ways of
17         # embedding javascrpt.
18         # List at http://en.wikipedia.org/wiki/URI_scheme
19         my $uri_schemes=join("|", map quotemeta,
20                 # IANA registered schemes
21                 "http", "https", "ftp", "mailto", "file", "telnet", "gopher",
22                 "aaa", "aaas", "acap",  "cap", "cid", "crid", 
23                 "dav", "dict", "dns", "fax", "go", "h323", "im", "imap",
24                 "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
25                 "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
26                 "z39.50r", "z39.50s",
27                 # Selected unofficial schemes
28                 "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
29                 "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
30                 "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
31                 "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
32                 "bitcoin", "git", "svn", "bzr", "darcs", "hg"
33         );
34         # data is a special case. Allow a few data:image/ types,
35         # but disallow data:text/javascript and everything else.
36         $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i;
37 }
38
39 sub getsetup () {
40         return
41                 plugin => {
42                         safe => 1,
43                         rebuild => undef,
44                         section => "core",
45                 },
46                 htmlscrubber_skip => {
47                         type => "pagespec",
48                         example => "!*/Discussion",
49                         description => "PageSpec specifying pages not to scrub",
50                         link => "ikiwiki/PageSpec",
51                         safe => 1,
52                         rebuild => undef,
53                 },
54 }
55
56 sub sanitize (@) {
57         my %params=@_;
58
59         if (exists $config{htmlscrubber_skip} &&
60             length $config{htmlscrubber_skip} &&
61             exists $params{page} &&
62             pagespec_match($params{page}, $config{htmlscrubber_skip})) {
63                 return $params{content};
64         }
65
66         return scrubber()->scrub($params{content});
67 }
68
69 my $_scrubber;
70 sub scrubber {
71         return $_scrubber if defined $_scrubber;
72
73         eval q{use HTML::Scrubber};
74         error($@) if $@;
75         # Lists based on http://feedparser.org/docs/html-sanitization.html
76         # With html5 tags added.
77         $_scrubber = HTML::Scrubber->new(
78                 allow => [qw{
79                         a abbr acronym address area b big blockquote br br/
80                         button caption center cite code col colgroup dd del
81                         dfn dir div dl dt em fieldset font form h1 h2 h3 h4
82                         h5 h6 hr hr/ i img input ins kbd label legend li map
83                         menu ol optgroup option p p/ pre q s samp select small
84                         span strike strong sub sup table tbody td textarea
85                         tfoot th thead tr tt u ul var
86
87                         video audio source section nav article aside hgroup
88                         header footer figure figcaption time mark canvas
89                         datalist progress meter ruby rt rp details summary
90                 }],
91                 default => [undef, { (
92                         map { $_ => 1 } qw{
93                                 abbr accept accept-charset accesskey
94                                 align alt axis border cellpadding cellspacing
95                                 char charoff charset checked class
96                                 clear cols colspan color compact coords
97                                 datetime dir disabled enctype for frame
98                                 headers height hreflang hspace id ismap
99                                 label lang maxlength media method
100                                 multiple name nohref noshade nowrap prompt
101                                 readonly rel rev rows rowspan rules scope
102                                 selected shape size span start summary
103                                 tabindex target title type valign
104                                 value vspace width
105
106                                 autofocus autoplay preload loopstart
107                                 loopend end playcount controls pubdate
108                                 placeholder min max step low high optimum
109                                 form required autocomplete novalidate pattern
110                                 list formenctype formmethod formnovalidate
111                                 formtarget reversed spellcheck open hidden
112                         } ),
113                         "/" => 1, # emit proper <hr /> XHTML
114                         href => $safe_url_regexp,
115                         src => $safe_url_regexp,
116                         action => $safe_url_regexp,
117                         formaction => $safe_url_regexp,
118                         cite => $safe_url_regexp,
119                         longdesc => $safe_url_regexp,
120                         poster => $safe_url_regexp,
121                         usemap => $safe_url_regexp,
122                 }],
123         );
124         return $_scrubber;
125 }
126
127 1