path: root/IkiWiki/Plugin/htmlscrubber.pm
Commit message (Author, Age)

* htmlscrubber: Do not scrub url anchors that contain colons. (Joey Hess, 2010-08-19)

* enable hidden attribute (Joey Hess, 2010-05-01)

* htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby, rt, rp, details, summary. (Joey Hess, 2010-05-01)

* more html5 attributes (Joey Hess, 2010-05-01)

* add rest of html5 form attributes (Joey Hess, 2010-05-01)
  It's easy to imagine pattern being used to freeze or crash browsers, if they implement it stupidly. Let's hope not..

* add figure and figcaption (Joey Hess, 2010-05-01)

* htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, max, step. (Joey Hess, 2010-05-01)

* htmlscrubber: Allow the placeholder attribute. (Joey Hess, 2010-05-01)

* more html5 (Joey Hess, 2010-05-01)
  * htmlscrubber: Also allow html5 canvas tags.
  * htmlscrubber: Round out html5 video support with the preload attribute and the source tag.

* htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup header footer time mark (Joey Hess, 2010-05-01)

* htmlscrubber: Allow colons in url fragments after '?' (Joey Hess, 2010-04-02)
  Colons are not allowed at the start of urls, because it can be interpreted as a protocol, and allowing arbitrary protocols can be unsafe (CVE-2008-0809). However, this check was too restrictive, not allowing use of eg, "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a video, or "somecgi?foo=bar:baz" to pass parameters with colons.
  It's still not allowed to have a filename with a colon in it (ie "foo:bar.png") -- to link to such a file, a fully qualified url must be used.

* htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg. (Joey Hess, 2010-03-12)

* Group related plugins into sections in the setup file, and drop unused rcs plugins from the setup file. (Joey Hess, 2010-02-11)

* finalise version 3.00 of the plugin api (Joey Hess, 2008-12-23)

* Coding style change: Remove explicit vim folding markers. (Joey Hess, 2008-12-17)

* htmlscrubber: Add a config setting that can be used to disable the scrubber acting on a set of pages. (Joey Hess, 2008-09-26)

* add plugin safe/rebuild info (part 1 of 2) (Joey Hess, 2008-08-03)
  too many plugins.. brain exploding..

* Allow colons in URLs after the first slash (Adeodato Simó, 2008-02-29)
  A new regexp fixes this bug:
  http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/

  I traced this down to htmlscrubber. If disabled, it works. If enabled, then $safe_url_regexp determines the URL unsafe because of the colon and hence removes the src attribute.

  Digging into this, I find that RFC 3986 pretty much discourages colons in filenames:

  """
  A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative-path reference.
  """

  on the other hand, with usedirs, any link to another page will be prepended by ../ anyway, so that makes them okay again. The solution still seems not to use colons.

  In any case, htmlscrubber should get a new regexp, courtesy of dato. I have tested and verified this.

  Signed-off-by: martin f. krafft <madduck@madduck.net>

* use quotemeta when building the regexp (Joey Hess, 2008-02-10)

* Allow the smb: URI scheme. (Josh Triplett, 2008-02-10)

* Allow the snews: URI scheme. (Josh Triplett, 2008-02-10)

* Do not allow the steam: URI scheme. (Josh Triplett, 2008-02-10)

* Match literal '.' in URI schemas containing '.', rather than matching any character (Josh Triplett, 2008-02-10)

* export $safe_url_regexp (Joey Hess, 2008-02-10)

* Also filter the attributes cite, longdesc, and usemap, which can contain URIs (Josh Triplett, 2008-02-10)

* add parens around scheme regexp (Joey Hess, 2008-02-10)

* Do not allow the about: URI scheme (Josh Triplett, 2008-02-10)
  Some browsers interpret about: URIs like a limited version of data: URIs. In particular, some versions of Internet Explorer interpret arbitrary HTML content in about: URIs.

* fix data:image handling (Joey Hess, 2008-02-10)

* * htmlscrubber security fix: Block javascript in uris. (Joey Hess, 2008-02-10)
  * Add htmlscrubber test suite.

* * htmlscrubber: Further work around #365971 by adding tags for 'br/', 'hr/' (Joey Hess, 2008-01-07)
  and 'p/'.

* * Allow html5 video and audio tags and their attributes in the htmlscrubber. (Joey Hess, 2007-11-18)

* on second thought, simple alphanumeric styles are not actually useful (class is already supported), and anything more complex is too hard to do, so revert (joey, 2007-07-11)

* * Allow simple alphanumeric style attribute values in the htmlscrubber. This (joey, 2007-07-11)
  should be safe from javascript attacks.

* * pagespec_match() has changed to take named parameters, to better allow (joey, 2007-04-27)
  for extended pagespecs. The old calling convention will still work for back-compat for now.
  * The calling convention for functions in the IkiWiki::PageSpec namespace has changed so they are passed named parameters.
  * Plugin interface version increased to 2.00 since I don't anticipate any more interface changes before 2.0.

* * Make sure to check for errors from every eval. (joey, 2006-11-08)

* * Work on firming up the plugin interface: (joey, 2006-09-09)
    - Plugins should not need to load IkiWiki::Render to get commonly used functions, so moved some functions from there to IkiWiki.
    - Picked out the set of functions and variables that most plugins use, documented them, and made IkiWiki export them by default, like a proper perl module should.
    - Use the other functions at your own risk.
    - This is not quite complete, I still have to decide whether to export some other things.
  * Changed all plugins included in ikiwiki to not use "IkiWiki::" when referring to stuff now exported by the IkiWiki module.
  * Anyone with a third-party ikiwiki plugin is strongly encouraged to make like changes to it and avoid use of non-exported symbols from "IkiWiki::".
  * Link debian/changelog and debian/news to NEWS and CHANGELOG.
  * Support hyperestradier version 1.4.2, which adds a new required phraseform setting.

* * Change htmlize, format, and sanitize hooks to use named parameters. (joey, 2006-08-28)

* * Tell HTML::Scrubber to treat "/" as a valid attribute which is its (joey, 2006-05-25)
  very strange way of enabling proper XHTML <br /> type tags. Output html should be always valid again now.

* * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber (joey, 2006-05-05)
  and --disable-plugin htmlscrubber.