diff options
| -rw-r--r-- | IkiWiki/Plugin/htmlscrubber.pm | 7 | ||||
| -rwxr-xr-x | t/htmlize.t | 8 |
2 files changed, 7 insertions, 8 deletions
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 25caa8a50..634674b9c 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -29,16 +29,15 @@ sub scrubber { #{{{ "ldap", "mid", "news", "nfs", "nntp", "pop", "pres", "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp", "z39.50r", "z39.50s", - # data is a special case. Allow data:text/<image>, but - # disallow data:text/javascript and everything else. - qr/data:text\/(?:png|gif|jpeg)/, # Selected unofficial schemes "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg", "irc", "ircs", "lastfm", "ldaps", "magnet", "mms", "msnim", "notes", "rsync", "secondlife", "skype", "ssh", "sftp", "sms", "steam", "webcal", "ymsgr", ); - my $link=qr/^(?:$uri_schemes:|[^:]+$)/i; + # data is a special case. Allow data:image/*, but + # disallow data:text/javascript and everything else. + my $link=qr/^(?:$uri_schemes:|data:image\/|[^:]+$)/i; eval q{use HTML::Scrubber}; error($@) if $@; diff --git a/t/htmlize.t b/t/htmlize.t index edf357010..b19dbcf68 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -46,11 +46,11 @@ ok(!gotcha(q{<video poster="javascript:alert('GOTCHA')" href="foo.avi">foo</vide "video poster with javascript"); ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}), "CSS script test"); -ok(! gotcha(q{<img src="data:text/javascript:GOTCHA">}), +ok(! gotcha(q{<img src="data:text/javascript;GOTCHA">}), "data:text/javascript (jeez!)"); -ok(gotcha(q{<img src="data:text/png:GOTCHA">}), "data:text/png"); -ok(gotcha(q{<img src="data:text/gif:GOTCHA">}), "data:text/gif"); -ok(gotcha(q{<img src="data:text/jpeg:GOTCHA">}), "data:text/jpeg"); +ok(gotcha(q{<img src="data:image/png;base64,GOTCHA">}), "data:image/png"); +ok(gotcha(q{<img src="data:image/gif;base64,GOTCHA">}), "data:image/gif"); +ok(gotcha(q{<img src="data:image/jpeg;base64,GOTCHA">}), "data:image/jpeg"); ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}), "not javascript AFAIK (but perhaps some web browser would like to be perverse and assume it is?)"); |