| Commit message | Author | Age |
* | Fix htmlscrubber_skip to be matched on the source page, not the page it is in... | Joey Hess | 2010-11-12 |
* | htmlscrubber: Do not scrub url anchors that contain colons. | Joey Hess | 2010-08-19 |
* | enable hidden attribute | Joey Hess | 2010-05-01 |
* | htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby... | Joey Hess | 2010-05-01 |
* | more html5 attributes | Joey Hess | 2010-05-01 |
* | add rest of html5 form attributes | Joey Hess | 2010-05-01 |
    It's easy to imagine pattern being used to freeze or crash browsers, if
    they implement it stupidly. Let's hope not.
* | add figure and figcaption | Joey Hess | 2010-05-01 |
* | htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, ma... | Joey Hess | 2010-05-01 |
* | htmlscrubber: Allow the placeholder attribute. | Joey Hess | 2010-05-01 |
* | more html5 | Joey Hess | 2010-05-01 |
    * htmlscrubber: Also allow html5 canvas tags.
    * htmlscrubber: Round out html5 video support with the preload
      attribute and the source tag.
* | htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup hea... | Joey Hess | 2010-05-01 |
* | htmlscrubber: Allow colons in url fragments after '?' | Joey Hess | 2010-04-02 |
    Colons are not allowed at the start of urls, because they can be interpreted
    as a protocol, and allowing arbitrary protocols can be unsafe
    (CVE-2008-0809). However, this check was too restrictive, not allowing
    use of e.g. "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a
    video, or "somecgi?foo=bar:baz" to pass parameters with colons.
    It's still not allowed to have a filename with a colon in it (i.e.
    "foo:bar.png") -- to link to such a file, a fully qualified url must be
    used.
* | htmlscrubber: Security fix: In data:image/* uris, only allow a few whiteliste... | Joey Hess | 2010-03-12 |
* | Group related plugins into sections in the setup file, and drop unused rcs pl... | Joey Hess | 2010-02-11 |
* | finalise version 3.00 of the plugin api | Joey Hess | 2008-12-23 |
* | Coding style change: Remove explicit vim folding markers. | Joey Hess | 2008-12-17 |
* | htmlscrubber: Add a config setting that can be used to disable the scrubber a... | Joey Hess | 2008-09-26 |
* | add plugin safe/rebuild info (part 1 of 2) | Joey Hess | 2008-08-03 |
    too many plugins.. brain exploding..
* | Allow colons in URLs after the first slash | Adeodato Simó | 2008-02-29 |
    A new regexp fixes this bug:
    http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/
    I traced this down to htmlscrubber. If disabled,
    it works. If enabled, then $safe_url_regexp
    determines the URL unsafe because of the colon and
    hence removes the src attribute.
    Digging into this, I find that RFC 3986 pretty
    much discourages colons in filenames:
    """
    A path segment that contains a colon character
    (e.g., "this:that") cannot be used as the first
    segment of a relative-path reference, as it would
    be mistaken for a scheme name. Such a segment must
    be preceded by a dot-segment (e.g., "./this:that")
    to make a relative-path reference.
    """
    On the other hand, with usedirs, any link to
    another page will be prepended by ../ anyway, so
    that makes them okay again.
    The solution still seems not to use colons.
    In any case, htmlscrubber should get a new regexp,
    courtesy of dato.
    I have tested and verified this.
    Signed-off-by: martin f. krafft <madduck@madduck.net>
* | use quotemeta when building the regexp | Joey Hess | 2008-02-10 |
* | Allow the smb: URI scheme. | Josh Triplett | 2008-02-10 |
* | Allow the snews: URI scheme. | Josh Triplett | 2008-02-10 |
* | Do not allow the steam: URI scheme. | Josh Triplett | 2008-02-10 |
* | Match literal '.' in URI schemas containing '.', rather than matching any cha... | Josh Triplett | 2008-02-10 |
* | export $safe_url_regexp | Joey Hess | 2008-02-10 |
* | Also filter the attributes cite, longdesc, and usemap, which can contain URIs | Josh Triplett | 2008-02-10 |
* | add parens around scheme regexp | Joey Hess | 2008-02-10 |
* | Do not allow the about: URI scheme | Josh Triplett | 2008-02-10 |
    Some browsers interpret about: URIs like a limited version of data:
    URIs. In particular, some versions of Internet Explorer interpret
    arbitrary HTML content in about: URIs.
* | fix data:image handling | Joey Hess | 2008-02-10 |
* | * htmlscrubber security fix: Block javascript in uris. | Joey Hess | 2008-02-10 |
    * Add htmlscrubber test suite.
* | * htmlscrubber: Further work around #365971 by adding tags for 'br/', 'hr/' | Joey Hess | 2008-01-07 |
    and 'p/'.
* | * Allow html5 video and audio tags and their attributes in the htmlscrubber. | Joey Hess | 2007-11-18 |
* | on second thought, simple alphanumeric styles are not actually useful (class ... | joey | 2007-07-11 |
* | * Allow simple alphanumeric style attribute values in the htmlscrubber. This | joey | 2007-07-11 |
    should be safe from javascript attacks.
* | * pagespec_match() has changed to take named parameters, to better allow | joey | 2007-04-27 |
    for extended pagespecs. The old calling convention will still work for
    back-compat for now.
    * The calling convention for functions in the IkiWiki::PageSpec namespace
      has changed so they are passed named parameters.
    * Plugin interface version increased to 2.00 since I don't anticipate any
      more interface changes before 2.0.
* | * Make sure to check for errors from every eval. | joey | 2006-11-08 |
* | * Work on firming up the plugin interface: | joey | 2006-09-09 |
    - Plugins should not need to load IkiWiki::Render to get commonly
      used functions, so moved some functions from there to IkiWiki.
    - Picked out the set of functions and variables that most plugins
      use, documented them, and made IkiWiki export them by default,
      like a proper perl module should.
    - Use the other functions at your own risk.
    - This is not quite complete, I still have to decide whether to
      export some other things.
    * Changed all plugins included in ikiwiki to not use "IkiWiki::" when
      referring to stuff now exported by the IkiWiki module.
    * Anyone with a third-party ikiwiki plugin is strongly encouraged
      to make like changes to it and avoid use of non-exported symbols from
      "IkiWiki::".
    * Link debian/changelog and debian/news to NEWS and CHANGELOG.
    * Support hyperestraier version 1.4.2, which adds a new required phraseform
      setting.
* | * Change htmlize, format, and sanitize hooks to use named parameters. | joey | 2006-08-28 |
* | * Tell HTML::Scrubber to treat "/" as a valid attribute which is its | joey | 2006-05-25 |
    very strange way of enabling proper XHTML <br /> type tags. Output html
    should be always valid again now.
* | * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber | joey | 2006-05-05 |
    and --disable-plugin htmlscrubber.
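The log above spells out the URL rules the scrubber converged on: a colon is only a problem where a browser would read it as a scheme (before the first '/' or '?'), javascript:, about: and steam: are refused, smb: and snews: are allowed, and data: URIs pass only for a few image types. Here is an added Python check that walks through those rules; it is a reconstruction written for this page, not ikiwiki's $safe_url_regexp, and the scheme and image-type allowlists are assumptions.

```python
import re

# Allowlists are assumptions for this example, not ikiwiki's own lists.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto", "news", "nntp", "smb", "snews"}
SAFE_DATA_IMAGE = {"image/png", "image/jpeg", "image/gif"}
# Attributes that can carry a URI, as enumerated in the log above.
URL_ATTRIBUTES = {"href", "src", "cite", "longdesc", "usemap"}

_DATA_IMAGE_RE = re.compile(r"^data:(image/[a-z0-9.+-]+)[;,]", re.I)


def is_safe_url(url: str) -> bool:
    """Return True if the URL may stay in the page.

    A colon before the first '/', '?' or '#' is what a browser reads as a
    scheme, so that is the only place a colon is suspicious; colons later
    in the path or query ("video.ogv?t=0:03:00/0:04:00") are fine.
    """
    # Browsers ignore ASCII control characters and whitespace inside a scheme,
    # so strip them before deciding what the scheme is.
    probe = re.sub(r"[\x00-\x20]", "", url)
    first_segment = re.split(r"[/?#]", probe, maxsplit=1)[0]
    if ":" not in first_segment:
        return True  # relative reference such as "../other:page/" or "foo.png"
    scheme = first_segment.split(":", 1)[0].lower()
    if scheme == "data":
        m = _DATA_IMAGE_RE.match(probe)
        return bool(m) and m.group(1).lower() in SAFE_DATA_IMAGE
    # Anything else with a colon in the first segment is taken as a scheme and
    # must be on the allowlist; "foo:bar.png" fails here, as the log describes.
    return scheme in SAFE_SCHEMES


def scrub_attrs(attrs: dict) -> dict:
    """Drop URL-bearing attributes whose value fails is_safe_url()."""
    return {name: value for name, value in attrs.items()
            if name.lower() not in URL_ATTRIBUTES or is_safe_url(value)}


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration run.
    for u in ("video.ogv?t=0:03:00/0:04:00", "foo:bar.png", "about:blank",
              "data:image/png;base64,iVBORw0KGgo=", "data:text/html,x"):
        print(f"{u!r}: {'kept' if is_safe_url(u) else 'scrubbed'}")
```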