htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image...
index a249cdf7a43b2986b5ca519f88c01cc6fcf85141..26e18ffc753c537158ceb86cca80d03f5b1cca2e 100644 (file)
@@ -30,9 +30,9 @@ sub import {
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
        );
-       # data is a special case. Allow data:image/*, but
-       # disallow data:text/javascript and everything else.
-       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+       # data is a special case. Allow a few data:image/ types,
+       # but disallow data:text/javascript and everything else.
+       $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
 }
 
 sub getsetup () {
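Review bot: The new `data:image\/(?:png|jpeg|gif)` alternative on the replacement `$safe_url_regexp` line matches the subtype only as a prefix, so a URI whose media type merely starts with one of the three names (a constructed example: `data:image/pngx,...`) still passes the scrubber even though it is not on the allow-list. A data: URI must follow the media type with `;` or `,`, so terminating the alternative with that delimiter makes the list exact: `$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)[;,]|[^:]+(?:$|\/))/i;`. The rewritten comment above it would also help future readers if it stated why the list was narrowed, e.g. `# only raster types that browsers render as plain images; other image/* subtypes are rejected`. `sub import` begins before this hunk, so the declaration of `$safe_url_regexp` and `$uri_schemes` is not visible here.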
@@ -40,6 +40,7 @@ sub getsetup () {
                plugin => {
                        safe => 1,
                        rebuild => undef,
+                       section => "core",
                },
                htmlscrubber_skip => {
                        type => "pagespec",