use strict;
use IkiWiki 2.00;
+# This regexp matches urls that are in a known safe scheme.
+# Feel free to use it from other plugins.
+our $safe_url_regexp;
+
sub import { #{{{
hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
-} # }}}
-
-sub sanitize (@) { #{{{
- my %params=@_;
- return scrubber()->scrub($params{content});
-} # }}}
-my $_scrubber;
-sub scrubber { #{{{
- return $_scrubber if defined $_scrubber;
-
# Only known uri schemes are allowed to avoid all the ways of
# embedding javascrpt.
# List at http://en.wikipedia.org/wiki/URI_scheme
- my $uri_schemes=join("|",
+ my $uri_schemes=join("|", map quotemeta,
# IANA registered schemes
"http", "https", "ftp", "mailto", "file", "telnet", "gopher",
"aaa", "aaas", "acap", "cap", "cid", "crid",
"sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
"z39.50r", "z39.50s",
# Selected unofficial schemes
- "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
+ "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
"irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
- "sftp", "sms", "steam", "webcal", "ymsgr",
+ "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
);
# data is a special case. Allow data:image/*, but
# disallow data:text/javascript and everything else.
- my $link=qr/^(?:$uri_schemes:|data:image\/|[^:]+$)/i;
+ $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+} # }}}
+
+sub sanitize (@) { #{{{
+ my %params=@_;
+ return scrubber()->scrub($params{content});
+} # }}}
+
+my $_scrubber;
+sub scrubber { #{{{
+ return $_scrubber if defined $_scrubber;
eval q{use HTML::Scrubber};
error($@) if $@;
map { $_ => 1 } qw{
abbr accept accept-charset accesskey
align alt axis border cellpadding cellspacing
- char charoff charset checked cite class
+ char charoff charset checked class
clear cols colspan color compact coords
datetime dir disabled enctype for frame
headers height hreflang hspace id ismap
- label lang longdesc maxlength media method
+ label lang maxlength media method
multiple name nohref noshade nowrap prompt
readonly rel rev rows rowspan rules scope
selected shape size span start summary
- tabindex target title type usemap valign
+ tabindex target title type valign
value vspace width
autoplay loopstart loopend end
playcount controls
} ),
"/" => 1, # emit proper <hr /> XHTML
- href => $link,
- src => $link,
- action => $link,
- poster => $link,
+ href => $safe_url_regexp,
+ src => $safe_url_regexp,
+ action => $safe_url_regexp,
+ cite => $safe_url_regexp,
+ longdesc => $safe_url_regexp,
+ poster => $safe_url_regexp,
+ usemap => $safe_url_regexp,
}],
);
return $_scrubber;
sipb-www / ikiwiki.git / blobdiff