From 2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 12 Mar 2010 14:49:13 -0500 Subject: htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg. --- IkiWiki/Plugin/htmlscrubber.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'IkiWiki') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index ee284a45c..26e18ffc7 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -30,9 +30,9 @@ sub import { "msnim", "notes", "rsync", "secondlife", "skype", "ssh", "sftp", "smb", "sms", "snews", "webcal", "ymsgr", ); - # data is a special case. Allow data:image/*, but - # disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i; + # data is a special case. Allow a few data:image/ types, + # but disallow data:text/javascript and everything else. + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i; } sub getsetup () { -- cgit v1.2.3