summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin/htmlscrubber.pm
AgeCommit message (Collapse)Author
2010-03-12htmlscrubber: Security fix: In data:image/* uris, only allow a few ↵Joey Hess
whitelisted image types. No svg.
2010-02-11Group related plugins into sections in the setup file, and drop unused rcs ↵Joey Hess
plugins from the setup file.
2008-12-23finalise version 3.00 of the plugin apiJoey Hess
2008-12-17Coding style change: Remove explcit vim folding markers.Joey Hess
2008-09-26htmlscrubber: Add a config setting that can be used to disable the scrubber ↵Joey Hess
acting on a set of pages.
2008-08-03add plugin safe/rebuild info (part 1 of 2)Joey Hess
too many plugins.. brain exploding..
2008-02-29Allow colons in URLs after the first slashAdeodato Simó
A new regexp fixes this bug: http://ikiwiki.info/bugs/No_link_for_blog_items_when_filename_contains_a_colon/ I traced this down to htmlscrubber. If disabled, it works. If enabled, then $safe_url_regexp determines the URL unsafe because of the colon and hence removes the src attribute. Digging into this, I find that RFC 3986 pretty much discourages colons in filenames: """ A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative- path reference. """ on the other hand, with usedirs, any link to another page will be prepended by ../ anyway, so that makes them okay again. The solution still seems not to use colons. In any case, htmlscrubber should get a new regexp, courtesy of dato. I have tested and verified this. Signed-off-by: martin f. krafft <madduck@madduck.net>
2008-02-10use quotemeta when building the regexpJoey Hess
2008-02-10Allow the smb: URI scheme.Josh Triplett
2008-02-10Allow the snews: URI scheme.Josh Triplett
2008-02-10Do not allow the steam: URI scheme.Josh Triplett
2008-02-10Match literal '.' in URI schemas containing '.', rather than matching any ↵Josh Triplett
character
2008-02-10export $safe_url_regexpJoey Hess
2008-02-10Also filter the attributes cite, longdesc, and usemap, which can contain URIsJosh Triplett
2008-02-10add parens around scheme regexpJoey Hess
2008-02-10Do not allow the about: URI schemeJosh Triplett
Some browsers interpret about: URIs like a limited version of data: URIs. In particular, some versions of Internet Explorer interpret arbitrary HTML content in about: URIs.
2008-02-10fix data:image handlingJoey Hess
2008-02-10* htmlscrubber security fix: Block javascript in uris.Joey Hess
* Add htmlscrubber test suite.
2008-01-07* htmlscrubber: Further work around #365971 by adding tags for 'br/', 'hr/'Joey Hess
and 'p/'.
2007-11-18* Allow html5 video and audio tags and their attributes in the htmlscrubber.Joey Hess
2007-07-11on second thought, simple alphanumeric styles are not actually useful (class ↵joey
is already supported), and anything more complex is too hard to do, so revert
2007-07-11* Allow simple alphanumeric style attribute values in the htmlscrubber. Thisjoey
should be safe from javascript attacks.
2007-04-27* pagespec_match() has changed to take named parameters, to better allowjoey
for extended pagespecs. The old calling convention will still work for back-compat for now. * The calling convention for functions in the IkiWiki::PageSpec namespace has changed so they are passed named parameters. * Plugin interface version increased to 2.00 since I don't anticipate any more interface changes before 2.0.
2006-11-08* Make sure to check for errors from every eval.joey
2006-09-09* Work on firming up the plugin interface:joey
- Plugins should not need to load IkiWiki::Render to get commonly used functions, so moved some functions from there to IkiWiki. - Picked out the set of functions and variables that most plugins use, documented them, and made IkiWiki export them by default, like a proper perl module should. - Use the other functions at your own risk. - This is not quite complete, I still have to decide whether to export some other things. * Changed all plugins included in ikiwiki to not use "IkiWiki::" when referring to stuff now exported by the IkiWiki module. * Anyone with a third-party ikiwiki plugin is strongly enrouraged to make like changes to it and avoid use of non-exported symboles from "IkiWiki::". * Link debian/changelog and debian/news to NEWS and CHANGELOG. * Support hyperestradier version 1.4.2, which adds a new required phraseform setting.
2006-08-28* Change htmlize, format, and sanitize hooks to use named parameters.joey
2006-05-25* Tell HTML::Scrubber to treat "/" as a valid attribute which is itsjoey
very strange way of enabling proper XHTML <br /> type tags. Output html should be always valid again now.
2006-05-05* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubberjoey
and --disable-plugin htmlscrubber.