aboutsummaryrefslogtreecommitdiff
path: root/doc/todo/svg.mdwn
blob: 0a15af4cd66d0171ebe2b63ec269e6f4e4f1c00e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
We should support SVG.  In particular:

* We could support rendering SVGs to PNGs when compiling the wiki.  Not all browsers support SVG yet.

* We could support editing SVGs via the web interface.  SVG can contain unsafe content such as scripting, so we would need to whitelist safe markup.

--[[JoshTriplett]]

[[wishlist]]

I'm allowing for inline SVG on my own installation.  I've patched my
copy of htmlscrubber.pm to allow safe MathML and SVG elements (as
implemented in html5lib).  <del datetime="2008-03-20T23:04-05:00">Here's a patch
if anyone else is interested.</del>
<ins datetime="2008-03-20T23:05-05:00">Actually, that patch wasn't quite
right.  I'll post a new one when it's working properly.</ins> --[[JasonBlevins]]

* * *

I'd like to hear what people think about the following:

1. Including whitelists of elements and attributes for SVG and MathML in
   htmlscrubber.

2. Creating a whitelist of safe SVG (and maybe even HTML) style
   attributes such as `fill`, `stroke-width`, etc.

   This is how the [sanitizer][] in html5lib works.  It shouldn't be too
   hard to translate the relevant parts to Perl.

   --[[JasonBlevins]], March 21, 2008 11:39 EDT

[sanitizer]: http://code.google.com/p/html5lib/source/browse/trunk/ruby/lib/html5/sanitizer.rb

* * * 

Another problem is that [HTML::Scrubber][] converts all tags to lowercase.
Some SVG elements, such as viewBox, are mixed case.  It seems that
properly handling SVG might require moving to a different sanitizer.
It seems that [HTML::Sanitizer][] has functions for sanitizing XHTML.
Any thoughts? --[[JasonBlevins]], March 21, 2008 13:54 EDT

[HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
[HTML::Sanitizer]: http://search.cpan.org/~nesting/HTML-Sanitizer-0.04/Sanitizer.pm

I figured out a quick hack to make HTML::Scrubber case-sensitive by
making the underlying HTML::Parser case-sensitive:

    $_scrubber->{_p}->case_sensitive(1);

So now I've got a version of [htmlscrubber.pm][] ([diff][])
which allows safe SVG and MathML elements and attributes (but no
styles&mdash;do we need them?).  I'd be thrilled to see this
in the trunk if other people think it's useful.
--[[JasonBlevins]], March 24, 2008 14:56 EDT

[htmlscrubber.pm]:http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blob;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hb=fe333c8e5b4a5f374a059596ee698dacd755182d
[diff]: http://xbeta.org/gitweb/?p=xbeta/ikiwiki.git;a=blobdiff;f=IkiWiki/Plugin/htmlscrubber.pm;h=3c0ddc8f25bd8cb863634a9d54b40e299e60f7df;hp=3bdaccea119ec0e1b289a0da2f6d90e2219b8d66;hb=fe333c8e5b4a5f374a059596ee698dacd755182d;hpb=be0b4f603f918444b906e42825908ddac78b7073