htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image...
index 823b3d806cf1c51ae2eec5b715ff2991f7c79b3d..26e18ffc753c537158ceb86cca80d03f5b1cca2e 100644 (file)
@@ -3,7 +3,7 @@ package IkiWiki::Plugin::htmlscrubber;
 
 use warnings;
 use strict;
-use IkiWiki 2.00;
+use IkiWiki 3.00;
 
 # This regexp matches urls that are in a known safe scheme.
 # Feel free to use it from other plugins.
@@ -30,9 +30,9 @@ sub import {
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
        );
-       # data is a special case. Allow data:image/*, but
-       # disallow data:text/javascript and everything else.
-       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+       # data is a special case. Allow a few data:image/ types,
+       # but disallow data:text/javascript and everything else.
+       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
 }
 
 sub getsetup () {
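Review bot: The new `data:image\/(?:png|jpeg|gif)` alternative is not terminated, so the allowlist is a prefix match rather than an exact media-type match: any string beginning with `data:image/png`, `data:image/jpeg` or `data:image/gif` passes, whatever follows the subtype. A data URI always continues with `;` (parameters or `base64`) or `,` (the payload) after the media type, so requiring that delimiter makes the allowlist exact without rejecting valid images: `$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)[;,]|[^:]+(?:$|\/))/i;`. The rewritten comment would also help the next maintainer if it said why the list is closed, e.g. `# Only raster types are listed; other image subtypes (presumably SVG) can carry script, so they are rejected.` — the reason is not stated on this page, so confirm it against the commit message before committing to that wording. The enclosing `sub import` starts before this hunk.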
@@ -40,6 +40,7 @@ sub getsetup () {
                plugin => {
                        safe => 1,
                        rebuild => undef,
+                       section => "core",
                },
                htmlscrubber_skip => {
                        type => "pagespec",