fix data:image handling

diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index 25caa8a506cdf5ab8ea0c9b0d3e9e935f62bd6f8..634674b9c91b858f1e72c0fd6b949f18046ef183 100644 (file)
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -29,16 +29,15 @@ sub scrubber { #{{{
                "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
                "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
                "z39.50r", "z39.50s",
                "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
                "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
                "z39.50r", "z39.50s",

-               # data is a special case. Allow data:text/<image>, but
-               # disallow data:text/javascript and everything else.
-               qr/data:text\/(?:png|gif|jpeg)/,

                # Selected unofficial schemes
                "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
                "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "sms", "steam", "webcal", "ymsgr",
        );
                # Selected unofficial schemes
                "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
                "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
                "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
                "sftp", "sms", "steam", "webcal", "ymsgr",
        );

-       my $link=qr/^(?:$uri_schemes:|[^:]+$)/i;
+       # data is a special case. Allow data:image/*, but
+       # disallow data:text/javascript and everything else.
+       my $link=qr/^(?:$uri_schemes:|data:image\/|[^:]+$)/i;

 
        eval q{use HTML::Scrubber};
        error($@) if $@;
 
        eval q{use HTML::Scrubber};
        error($@) if $@;

diff --git a/t/htmlize.t b/t/htmlize.t
index edf357010a0b551b58f895908cfd1858bc9e5f95..b19dbcf688c0a80e4b886faf60a57f05ef15ec73 100755 (executable)
--- a/t/htmlize.t
+++ b/t/htmlize.t
@@ -46,11 +46,11 @@ ok(!gotcha(q{<video poster="javascript:alert('GOTCHA')" href="foo.avi">foo</vide
        "video poster with javascript");
 ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}),
        "CSS script test");
        "video poster with javascript");
 ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}),
        "CSS script test");

-ok(! gotcha(q{<img src="data:text/javascript:GOTCHA">}),
+ok(! gotcha(q{<img src="data:text/javascript;GOTCHA">}),

        "data:text/javascript (jeez!)");
        "data:text/javascript (jeez!)");

-ok(gotcha(q{<img src="data:text/png:GOTCHA">}), "data:text/png");
-ok(gotcha(q{<img src="data:text/gif:GOTCHA">}), "data:text/gif");
-ok(gotcha(q{<img src="data:text/jpeg:GOTCHA">}), "data:text/jpeg");
+ok(gotcha(q{<img src="data:image/png;base64,GOTCHA">}), "data:image/png");
+ok(gotcha(q{<img src="data:image/gif;base64,GOTCHA">}), "data:image/gif");
+ok(gotcha(q{<img src="data:image/jpeg;base64,GOTCHA">}), "data:image/jpeg");

 ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}),
        "not javascript AFAIK (but perhaps some web browser would like to
        be perverse and assume it is?)");
 ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}),
        "not javascript AFAIK (but perhaps some web browser would like to
        be perverse and assume it is?)");