author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2007-07-11 16:50:59 +0000 |
committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2007-07-11 16:50:59 +0000 |
commit | a8fa52080d8ba1df29543df5c6180b620cae59f6 (patch) | |
tree | b2ec8831da7c39c6ce256b16602274f895e91e87 /IkiWiki/Plugin | |
parent | 68ae662e6fdca019adffbc59ca27418eb39de8da (diff) | |
* Allow simple alphanumeric style attribute values in the htmlscrubber. This
should be safe from javascript attacks.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r-- | IkiWiki/Plugin/htmlscrubber.pm | 35 |
1 files changed, 20 insertions, 15 deletions
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index c5b08f604..489827167 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -31,21 +31,26 @@ sub scrubber { #{{{
 span strike strong sub sup table tbody td textarea
 tfoot th thead tr tt u ul var
 }],
- default => [undef, { map { $_ => 1 } qw{
- abbr accept accept-charset accesskey action
- align alt axis border cellpadding cellspacing
- char charoff charset checked cite class
- clear cols colspan color compact coords
- datetime dir disabled enctype for frame
- headers height href hreflang hspace id ismap
- label lang longdesc maxlength media method
- multiple name nohref noshade nowrap prompt
- readonly rel rev rows rowspan rules scope
- selected shape size span src start summary
- tabindex target title type usemap valign
- value vspace width
- }, "/" => 1, # emit proper <hr /> XHTML
- }],
+ default => [undef, { (
+ map { $_ => 1 } qw{
+ abbr accept accept-charset accesskey action
+ align alt axis border cellpadding cellspacing
+ char charoff charset checked cite class
+ clear cols colspan color compact coords
+ datetime dir disabled enctype for frame
+ headers height href hreflang hspace id ismap
+ label lang longdesc maxlength media method
+ multiple name nohref noshade nowrap prompt
+ readonly rel rev rows rowspan rules scope
+ selected shape size span src start summary
+ tabindex target title type usemap valign
+ value vspace width
+ } ),
+ "/" => 1, # emit proper <hr /> XHTML
+ "style" => qr{^[-a-zA-Z0-9]+$}, # only very simple
+ # references allowed,
+ # to avoid javascript
+ }],
 );
 return $_scrubber;
 } # }}} |
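Review bot: The new `style` rule `qr{^[-a-zA-Z0-9]+$}` accepts only a run of letters, digits and hyphens, so as far as I can tell no well-formed inline CSS declaration (which needs at least a `:` between property and value) can pass it; either the whitelist is intentionally this tight, in which case the comment should say so, or it needs to admit `:`, `;` and spaces for an explicit, fixed set of properties and values rather than any character run. Separately, `$` also matches before a trailing newline, so a value ending in `\n` would be kept; anchoring with `\A`/`\z` pins the whole value: `"style" => qr{\A[-a-zA-Z0-9]+\z}, # only very simple`. The comment's wording "only very simple references allowed" would read better as "only very simple values allowed", since the rule constrains the attribute value, not a reference. The enclosing `scrubber` sub starts before the hunk.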