summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@kodama.kitenet.net>2008-02-10 15:24:03 -0500
committerJoey Hess <joey@kodama.kitenet.net>2008-02-10 15:24:03 -0500
commitdfd6bb3854c737131b40deba1c6b7b5d7ef2083e (patch)
tree62f2b6f68e3c9d73d17c5f6182a72caf4c38c7a2
parent852994d950f09748a022a65f94af59f7cafb6df8 (diff)
fix data:image handling
-rw-r--r--IkiWiki/Plugin/htmlscrubber.pm7
-rwxr-xr-xt/htmlize.t8
2 files changed, 7 insertions, 8 deletions
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
index 25caa8a50..634674b9c 100644
--- a/IkiWiki/Plugin/htmlscrubber.pm
+++ b/IkiWiki/Plugin/htmlscrubber.pm
@@ -29,16 +29,15 @@ sub scrubber { #{{{
"ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
"sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
"z39.50r", "z39.50s",
- # data is a special case. Allow data:text/<image>, but
- # disallow data:text/javascript and everything else.
- qr/data:text\/(?:png|gif|jpeg)/,
# Selected unofficial schemes
"about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
"irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
"msnim", "notes", "rsync", "secondlife", "skype", "ssh",
"sftp", "sms", "steam", "webcal", "ymsgr",
);
- my $link=qr/^(?:$uri_schemes:|[^:]+$)/i;
+ # data is a special case. Allow data:image/*, but
+ # disallow data:text/javascript and everything else.
+ my $link=qr/^(?:$uri_schemes:|data:image\/|[^:]+$)/i;
eval q{use HTML::Scrubber};
error($@) if $@;
diff --git a/t/htmlize.t b/t/htmlize.t
index edf357010..b19dbcf68 100755
--- a/t/htmlize.t
+++ b/t/htmlize.t
@@ -46,11 +46,11 @@ ok(!gotcha(q{<video poster="javascript:alert('GOTCHA')" href="foo.avi">foo</vide
"video poster with javascript");
ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}),
"CSS script test");
-ok(! gotcha(q{<img src="data:text/javascript:GOTCHA">}),
+ok(! gotcha(q{<img src="data:text/javascript;GOTCHA">}),
"data:text/javascript (jeez!)");
-ok(gotcha(q{<img src="data:text/png:GOTCHA">}), "data:text/png");
-ok(gotcha(q{<img src="data:text/gif:GOTCHA">}), "data:text/gif");
-ok(gotcha(q{<img src="data:text/jpeg:GOTCHA">}), "data:text/jpeg");
+ok(gotcha(q{<img src="data:image/png;base64,GOTCHA">}), "data:image/png");
+ok(gotcha(q{<img src="data:image/gif;base64,GOTCHA">}), "data:image/gif");
+ok(gotcha(q{<img src="data:image/jpeg;base64,GOTCHA">}), "data:image/jpeg");
ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}),
"not javascript AFAIK (but perhaps some web browser would like to
be perverse and assume it is?)");