htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg.

author: Joey Hess <joey@gnu.kitenet.net> 2010-03-12 14:49:13 -0500
committer: Joey Hess <joey@gnu.kitenet.net> 2010-03-12 14:50:26 -0500
commit: 2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d (patch)
tree: ac6f6c025cb14790773f8530c6356dfa4c5b1b0c /IkiWiki/Plugin
parent: 556181d417e3461de56c43445ec9b2b0aefc7141 (diff)
download: ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar
ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index ee284a45c..26e18ffc7 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -30,9 +30,9 @@ sub import {
 		"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
 		"sftp", "smb", "sms", "snews", "webcal", "ymsgr",
 	);
-	# data is a special case. Allow data:image/*, but
-	# disallow data:text/javascript and everything else.
-	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
+	# data is a special case. Allow a few data:image/ types,
+	# but disallow data:text/javascript and everything else.
+	$safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i;
 }
 
 sub getsetup () {
author	Joey Hess <joey@gnu.kitenet.net>	2010-03-12 14:49:13 -0500
committer	Joey Hess <joey@gnu.kitenet.net>	2010-03-12 14:50:26 -0500
commit	2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d (patch)
tree	ac6f6c025cb14790773f8530c6356dfa4c5b1b0c /IkiWiki/Plugin
parent	556181d417e3461de56c43445ec9b2b0aefc7141 (diff)
download	ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar ikiwiki-2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d.tar.gz