From d7e0c035e55e8b47a9ea7e993c9332a7ce9930e1 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 10 Feb 2008 13:16:40 -0500 Subject: [PATCH 1/1] * htmlscrubber security fix: Block javascript in uris. * Add htmlscrubber test suite. --- IkiWiki/Plugin/htmlscrubber.pm | 36 +++++++++++++++++++++++++++++----- debian/changelog | 4 ++++ doc/plugins/htmlscrubber.mdwn | 1 + t/htmlize.t | 24 +++++++++++++++++++++-- 4 files changed, 58 insertions(+), 7 deletions(-) diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index bc613f924..25caa8a50 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -18,6 +18,28 @@ my $_scrubber; sub scrubber { #{{{ return $_scrubber if defined $_scrubber; + # Only known uri schemes are allowed to avoid all the ways of + # embedding javascrpt. + # List at http://en.wikipedia.org/wiki/URI_scheme + my $uri_schemes=join("|", + # IANA registered schemes + "http", "https", "ftp", "mailto", "file", "telnet", "gopher", + "aaa", "aaas", "acap", "cap", "cid", "crid", + "dav", "dict", "dns", "fax", "go", "h323", "im", "imap", + "ldap", "mid", "news", "nfs", "nntp", "pop", "pres", + "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp", + "z39.50r", "z39.50s", + # data is a special case. Allow data:text/, but + # disallow data:text/javascript and everything else. + qr/data:text\/(?:png|gif|jpeg)/, + # Selected unofficial schemes + "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg", + "irc", "ircs", "lastfm", "ldaps", "magnet", "mms", + "msnim", "notes", "rsync", "secondlife", "skype", "ssh", + "sftp", "sms", "steam", "webcal", "ymsgr", + ); + my $link=qr/^(?:$uri_schemes:|[^:]+$)/i; + eval q{use HTML::Scrubber}; error($@) if $@; # Lists based on http://feedparser.org/docs/html-sanitization.html @@ -35,23 +57,27 @@ sub scrubber { #{{{ }], default => [undef, { ( map { $_ => 1 } qw{ - abbr accept accept-charset accesskey action + abbr accept accept-charset accesskey align alt axis border cellpadding cellspacing char charoff charset checked cite class clear cols colspan color compact coords datetime dir disabled enctype for frame - headers height href hreflang hspace id ismap + headers height hreflang hspace id ismap label lang longdesc maxlength media method multiple name nohref noshade nowrap prompt readonly rel rev rows rowspan rules scope - selected shape size span src start summary + selected shape size span start summary tabindex target title type usemap valign value vspace width - poster autoplay loopstart loopend end + autoplay loopstart loopend end playcount controls } ), "/" => 1, # emit proper
XHTML - }], + href => $link, + src => $link, + action => $link, + poster => $link, + }], ); return $_scrubber; } # }}} diff --git a/debian/changelog b/debian/changelog index 420cef5ad..fb8d6bc5b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,10 @@ ikiwiki (2.40) UNRELEASED; urgency=low the underlay to support either setting of prefix_directives. Add NEWS entry with migration information. + [ Joey Hess ] + * htmlscrubber security fix: Block javascript in uris. + * Add htmlscrubber test suite. + -- Josh Triplett Sat, 09 Feb 2008 23:01:19 -0800 ikiwiki (2.31) unstable; urgency=low diff --git a/doc/plugins/htmlscrubber.mdwn b/doc/plugins/htmlscrubber.mdwn index 6ce297a86..d7bcf8099 100644 --- a/doc/plugins/htmlscrubber.mdwn +++ b/doc/plugins/htmlscrubber.mdwn @@ -36,3 +36,4 @@ plugin is active: * CSS script test * entity-encoded CSS script test * entity-encoded CSS script test +* click me diff --git a/t/htmlize.t b/t/htmlize.t index 9e2e3ec59..edf357010 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,7 +1,7 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 16; +use Test::More tests => 26; use Encode; BEGIN { use_ok("IkiWiki"); } @@ -20,7 +20,6 @@ is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")), ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); -# embedded javascript sanitisation tests sub gotcha { my $html=IkiWiki::htmlize("foo", "mdwn", shift); return $html =~ /GOTCHA/; @@ -41,10 +40,31 @@ ok(!gotcha(q{GOTCHA}), "script tag"); +ok(!gotcha(q{
foo
}), + "form action with javascript"); +ok(!gotcha(q{}), + "video poster with javascript"); ok(!gotcha(q{a}), "CSS script test"); +ok(! gotcha(q{}), + "data:text/javascript (jeez!)"); +ok(gotcha(q{}), "data:text/png"); +ok(gotcha(q{}), "data:text/gif"); +ok(gotcha(q{}), "data:text/jpeg"); ok(gotcha(q{

javascript:alert('GOTCHA')

}), "not javascript AFAIK (but perhaps some web browser would like to be perverse and assume it is?)"); ok(gotcha(q{}), "not javascript"); ok(gotcha(q{foo}), "not javascript"); +is(IkiWiki::htmlize("foo", "mdwn", + q{foo}), + q{foo}, "img with alt tag allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "absolute url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "relative url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{bar}), + q{bar}, "class attribute allowed"); -- 2.45.1