summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin/htmlscrubber.pm
AgeCommit message (Collapse)Author
2010-11-12Fix htmlscrubber_skip to be matched on the source page, not the page it is ↵Joey Hess
inlined into. Should allow setting to "* and !comment(*)" to scrub comments, but leave your blog posts unscrubbed, etc.
2010-08-19htmlscrubber: Do not scrub url anchors that contain colons.Joey Hess
2010-05-01enable hidden attributeJoey Hess
2010-05-01htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ↵Joey Hess
ruby, rt, rp, details, summary.
2010-05-01more html5 attributesJoey Hess
2010-05-01add rest of html5 form attributesJoey Hess
It's easy to imagine pattern being used to freeze or crash browsers, if they implement it stupidly. Let's hope not..
2010-05-01add figure and figcaptionJoey Hess
2010-05-01htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, ↵Joey Hess
max, step.
2010-05-01htmlscrubber: Allow the placeholder attribute.Joey Hess
2010-05-01more html5Joey Hess
* htmlscrubber: Also allow html5 canvas tags. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag.
2010-05-01htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup ↵Joey Hess
header footer time mark
2010-04-02htmlscrubber: Allow colons in url fragments after '?'Joey Hess
Colons are not allowed at the start of urls, because it can be interpreted as a protocol, and allowing arbitrary protocols can be unsafe (CVE-2008-0809). However, this check was too restrictive, not allowing use of eg, "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a video, or "somecgi?foo=bar:baz" to pass parameters with colons. It's still not allowed to have a filename with a colon in it (ie "foo:bar.png") -- to link to such a file, a fully qualified url must be used.
2010-03-12htmlscrubber: Security fix: In data:image/* uris, only allow a few ↵Joey Hess
whitelisted image types. No svg.
2010-02-11Group related plugins into sections in the setup file, and drop unused rcs ↵Joey Hess
plugins from the setup file.
2008-12-23finalise version 3.00 of the plugin apiJoey Hess
2008-12-17Coding style change: Remove explcit vim folding markers.Joey Hess
2008-09-26htmlscrubber: Add a config setting that can be used to disable the scrubber ↵Joey Hess
acting on a set of pages.
2008-08-03add plugin safe/rebuild info (part 1 of 2)Joey Hess
too many plugins.. brain exploding..
2008-02-29Allow colons in URLs after the first slashAdeodato Simó
A new regexp fixes this bug: http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/ I traced this down to htmlscrubber. If disabled, it works. If enabled, then $safe_url_regexp determines the URL unsafe because of the colon and hence removes the src attribute. Digging into this, I find that RFC 3986 pretty much discourages colons in filenames: """ A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative- path reference. """ on the other hand, with usedirs, any link to another page will be prepended by ../ anyway, so that makes them okay again. The solution still seems not to use colons. In any case, htmlscrubber should get a new regexp, courtesy of dato. I have tested and verified this. Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-02-10use quotemeta when building the regexpJoey Hess
2008-02-10Allow the smb: URI scheme.Josh Triplett
2008-02-10Allow the snews: URI scheme.Josh Triplett
2008-02-10Do not allow the steam: URI scheme.Josh Triplett
2008-02-10Match literal '.' in URI schemas containing '.', rather than matching any ↵Josh Triplett
character
2008-02-10export $safe_url_regexpJoey Hess
2008-02-10Also filter the attributes cite, longdesc, and usemap, which can contain URIsJosh Triplett
2008-02-10add parens around scheme regexpJoey Hess
2008-02-10Do not allow the about: URI schemeJosh Triplett
Some browsers interpret about: URIs like a limited version of data: URIs. In particular, some versions of Internet Explorer interpret arbitrary HTML content in about: URIs.
2008-02-10fix data:image handlingJoey Hess
2008-02-10* htmlscrubber security fix: Block javascript in uris.Joey Hess
* Add htmlscrubber test suite.
2008-01-07* htmlscrubber: Further work around #365971 by adding tags for 'br/', 'hr/'Joey Hess
and 'p/'.
2007-11-18* Allow html5 video and audio tags and their attributes in the htmlscrubber.Joey Hess
2007-07-11on second thought, simple alphanumeric styles are not actually useful (class ↵joey
is already supported), and anything more complex is too hard to do, so revert
2007-07-11* Allow simple alphanumeric style attribute values in the htmlscrubber. Thisjoey
should be safe from javascript attacks.
2007-04-27* pagespec_match() has changed to take named parameters, to better allowjoey
for extended pagespecs. The old calling convention will still work for back-compat for now. * The calling convention for functions in the IkiWiki::PageSpec namespace has changed so they are passed named parameters. * Plugin interface version increased to 2.00 since I don't anticipate any more interface changes before 2.0.
2006-11-08* Make sure to check for errors from every eval.joey
2006-09-09* Work on firming up the plugin interface:joey
- Plugins should not need to load IkiWiki::Render to get commonly used functions, so moved some functions from there to IkiWiki. - Picked out the set of functions and variables that most plugins use, documented them, and made IkiWiki export them by default, like a proper perl module should. - Use the other functions at your own risk. - This is not quite complete, I still have to decide whether to export some other things. * Changed all plugins included in ikiwiki to not use "IkiWiki::" when referring to stuff now exported by the IkiWiki module. * Anyone with a third-party ikiwiki plugin is strongly enrouraged to make like changes to it and avoid use of non-exported symboles from "IkiWiki::". * Link debian/changelog and debian/news to NEWS and CHANGELOG. * Support hyperestradier version 1.4.2, which adds a new required phraseform setting.
2006-08-28* Change htmlize, format, and sanitize hooks to use named parameters.joey
2006-05-25* Tell HTML::Scrubber to treat "/" as a valid attribute which is itsjoey
very strange way of enabling proper XHTML <br /> type tags. Output html should be always valid again now.
2006-05-05* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubberjoey
and --disable-plugin htmlscrubber.