From a63929f6cc7778ffc4ba57d784cdf2206ec650c7 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 11 Feb 2010 22:24:15 -0500 Subject: Group related plugins into sections in the setup file, and drop unused rcs plugins from the setup file. --- IkiWiki/Plugin/htmlscrubber.pm | 1 + 1 file changed, 1 insertion(+) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index a249cdf7a..ee284a45c 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -40,6 +40,7 @@ sub getsetup () { plugin => { safe => 1, rebuild => undef, + section => "core", }, htmlscrubber_skip => { type => "pagespec", -- cgit v1.2.3 From 2ad3e60ee8272b7cccfd83ae02d5b45e2cec003d Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 12 Mar 2010 14:49:13 -0500 Subject: htmlscrubber: Security fix: In data:image/* uris, only allow a few whitelisted image types. No svg. --- IkiWiki/Plugin/htmlscrubber.pm | 6 +++--- debian/changelog | 4 +++- doc/security.mdwn | 12 ++++++++++++ 3 files changed, 18 insertions(+), 4 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index ee284a45c..26e18ffc7 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -30,9 +30,9 @@ sub import { "msnim", "notes", "rsync", "secondlife", "skype", "ssh", "sftp", "smb", "sms", "snews", "webcal", "ymsgr", ); - # data is a special case. Allow data:image/*, but - # disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i; + # data is a special case. Allow a few data:image/ types, + # but disallow data:text/javascript and everything else. + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i; } sub getsetup () { diff --git a/debian/changelog b/debian/changelog index bae0e7ee0..7fdbbcb63 100644 --- a/debian/changelog 
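Review bot: The new `data:image\/(?:png|jpeg|gif)` alternative matches only a prefix, so any type string that merely begins with one of those names also passes; terminating it on the MIME delimiter keeps the allowlist exact, `data:image\/(?:png|jpeg|gif)[;,]`, since a data url always continues with `;` or `,` after the type. I do not see a type under that prefix that a browser would treat as SVG or script, so this is a tightening rather than a known bypass. The comment above the pattern could also say what is being kept out and why, e.g. `# svg+xml is deliberately excluded: svg may carry script.` The enclosing `import` begins and ends outside the hunk.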
+++ b/debian/changelog @@ -1,4 +1,4 @@ -ikiwiki (3.20100303) UNRELEASED; urgency=low +ikiwiki (3.20100312) unstable; urgency=HIGH * Fix utf8 issues in calls to md5_hex. * moderatedcomments: Added moderate_pagespec that can be used @@ -12,6 +12,8 @@ ikiwiki (3.20100303) UNRELEASED; urgency=low * Fix missing span on recentchanges page template. * search: Avoid '$' in the wikiname appearing unescaped on omega's query template, where it might crash omega. + * htmlscrubber: Security fix: In data:image/* uris, only allow a few + whitelisted image types. No svg. -- Joey Hess Tue, 09 Mar 2010 19:46:35 -0500 diff --git a/doc/security.mdwn b/doc/security.mdwn index 3924186c2..21aef316b 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -427,3 +427,15 @@ enabling TeX configuration options that disallow unsafe TeX commands. The fix was released on 30 Aug 2009 in version 3.1415926, and was backported to stable in version 2.53.4. If you use the teximg plugin, I recommend upgrading. ([[!cve CVE-2009-2944]]) + +## javascript insertion via svg uris + +Ivan Shmakov pointed out that the htmlscrubber allowed `data:image/*` urls, +including `data:image/svg+xml`. But svg can contain javascript, so that is +unsafe. + +This hole was discovered on 12 March 2010 and fixed the same day +with the release of ikiwiki 3.20100312. +A fix was also backported to Debian etch, as version 2.53.5. I recommend +upgrading to one of these versions if your wiki can be edited by third +parties. -- cgit v1.2.3 From 104919ee07b70b166c6c6be13b4f6e5bc5225179 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Fri, 2 Apr 2010 16:05:14 -0400 Subject: htmlscrubber: Allow colons in url fragments after '?' Colons are not allowed at the start of urls, because it can be interpreted as a protocol, and allowing arbitrary protocols can be unsafe (CVE-2008-0809). However, this check was too restrictive, not allowing use of eg, "video.ogv?t=0:03:00/0:04:00" to seek to a given place in a video, or "somecgi?foo=bar:baz" to pass parameters with colons. It's still not allowed to have a filename with a colon in it (ie "foo:bar.png") -- to link to such a file, a fully qualified url must be used. --- IkiWiki/Plugin/htmlscrubber.pm | 2 +- debian/changelog | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 26e18ffc7..9f40c752f 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -32,7 +32,7 @@ sub import { ); # data is a special case. Allow a few data:image/ types, # but disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|\/))/i; + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i; } sub getsetup () { diff --git a/debian/changelog b/debian/changelog index bbca7cffe..adf0dfed6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,7 @@ ikiwiki (3.20100324) UNRELEASED; urgency=low used, but they are available in the session object now.) * page.tmpl: Add Cache-Control must-revalidate to ensure that users (especially of Firefox) see fresh page content. + * htmlscrubber: Allow colons in urls after '?' -- Joey Hess Sat, 13 Mar 2010 14:48:10 -0500 -- cgit v1.2.3 From 80f2042464f9d14bcaed999e9769c71618bf5252 Mon Sep 17 00:00:00 2001 
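Review bot: The reason `?` may now terminate the scheme check lives only in the commit message; a comment beside the pattern would keep it with the code: `# A colon can only introduce a scheme before the first "/" or "?", so "video.ogv?t=0:03" is a plain relative url.` The relaxation itself looks sound, because `[^:]+` still has to consume everything up to that delimiter without meeting a colon, so no scheme can precede it. A regression test pairing an accepted `foo?a=b:c` with a rejected scheme-prefixed url would guard this pattern, which has now been edited twice for security reasons. The enclosing `import` begins and ends outside the hunk.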
From: Joey Hess Date: Sat, 1 May 2010 16:34:47 -0400 Subject: htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup header footer time mark --- IkiWiki/Plugin/htmlscrubber.pm | 9 ++++++--- debian/changelog | 2 ++ doc/bugs/html5_support.mdwn | 10 ++++++++-- 3 files changed, 16 insertions(+), 5 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 9f40c752f..1604d776a 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -72,7 +72,7 @@ sub scrubber { eval q{use HTML::Scrubber}; error($@) if $@; # Lists based on http://feedparser.org/docs/html-sanitization.html - # With html 5 video and audio tags added. + # With html5 tags added. $_scrubber = HTML::Scrubber->new( allow => [qw{ a abbr acronym address area b big blockquote br br/ @@ -82,7 +82,9 @@ sub scrubber { menu ol optgroup option p p/ pre q s samp select small span strike strong sub sup table tbody td textarea tfoot th thead tr tt u ul var - video audio + + video audio section nav article aside hgroup header + footer time mark }], default => [undef, { ( map { $_ => 1 } qw{ @@ -98,8 +100,9 @@ sub scrubber { selected shape size span start summary tabindex target title type valign value vspace width + autoplay loopstart loopend end - playcount controls + playcount controls pubdate } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index a1bd85bfa..9a6cf68e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,8 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low (But not in-wiki templates.) * Version dependency on liburi-perl to >= 1.36; previous versions did not support building urls from utf-8 strings. Closes: #579713 + * htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup + header footer time mark -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index 5d2a41303..a330d3ae6 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn @@ -59,7 +59,13 @@ HTML5](http://www.w3.org/TR/html5-diff/). > tag, but something should still be done to replace it. > > (BTW, it would be helpful if you could re-merge master into your branch -> as it is a bit diverged now.) --[[Joey]] +> as it is a bit diverged now.) +> +> Other ideas: +> +> * Add pubdate attribute to time elements as appropriate. +> * Use aside for the sidebar? Or for the [[templates/note]] template? +> --[[Joey]] # htmlscrubber.pm needs to not scrub new HTML5 elements @@ -68,7 +74,7 @@ HTML5](http://www.w3.org/TR/html5-diff/). > Most of these can be supported trivially, since they are just semantic > markup. Make a list of these, and their attributes (and which attributes > can contain urls or other javascript injection mechanisms), and I can add -> them. Others, like `embed`, and `canvas` are *scary*. --[[Joey]] +> them. (Added several now.) Others, like `embed`, and `canvas` are *scary*. --[[Joey]] # HTML5 Validation and t/html.t -- cgit v1.2.3 From 73c8209484ac730c82f7c7b749d08a1b3d895ee0 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Sat, 1 May 2010 17:56:35 -0400 Subject: more html5 * htmlscrubber: Also allow html5 canvas tags. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. --- IkiWiki/Plugin/htmlscrubber.pm | 6 +++--- debian/changelog | 3 +++ doc/bugs/html5_support.mdwn | 3 ++- 3 files changed, 8 insertions(+), 4 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 1604d776a..cc00fd5ff 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -83,8 +83,8 @@ sub scrubber { span strike strong sub sup table tbody td textarea tfoot th thead tr tt u ul var - video audio section nav article aside hgroup header - footer time mark + video audio source section nav article aside hgroup + header footer time mark canvas }], default => [undef, { ( map { $_ => 1 } qw{ @@ -101,7 +101,7 @@ sub scrubber { tabindex target title type valign value vspace width - autoplay loopstart loopend end + autoplay preload loopstart loopend end playcount controls pubdate } ), "/" => 1, # emit proper
XHTML diff --git a/debian/changelog b/debian/changelog index 9a6cf68e3..9613d8b6d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,9 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low did not support building urls from utf-8 strings. Closes: #579713 * htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup header footer time mark + * htmlscrubber: Also allow html5 canvas tags. + * htmlscrubber: Round out html5 video support with the preload + attribute and the source tag. -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index a330d3ae6..c05208fbf 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn @@ -65,6 +65,7 @@ HTML5](http://www.w3.org/TR/html5-diff/). > > * Add pubdate attribute to time elements as appropriate. > * Use aside for the sidebar? Or for the [[templates/note]] template? +> * Use nav for the actionbar > --[[Joey]] # htmlscrubber.pm needs to not scrub new HTML5 elements @@ -74,7 +75,7 @@ HTML5](http://www.w3.org/TR/html5-diff/). > Most of these can be supported trivially, since they are just semantic > markup. Make a list of these, and their attributes (and which attributes > can contain urls or other javascript injection mechanisms), and I can add -> them. (Added several now.) Others, like `embed`, and `canvas` are *scary*. --[[Joey]] +> them. (Added several now.) Others, like `embed` are *scary*. --[[Joey]] # HTML5 Validation and t/html.t -- cgit v1.2.3 From 442bc59a15301941613d62f4b1d846c57557ca8f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 18:14:50 -0400 Subject: htmlscrubber: Allow the placeholder attribute. --- IkiWiki/Plugin/htmlscrubber.pm | 2 +- debian/changelog | 1 + doc/bugs/html5_support.mdwn | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index cc00fd5ff..b3f659f73 100644 
--- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -102,7 +102,7 @@ sub scrubber { value vspace width autoplay preload loopstart loopend end - playcount controls pubdate + playcount controls pubdate placeholder } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index 9613d8b6d..951caab9e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,7 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low * htmlscrubber: Also allow html5 canvas tags. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. + * htmlscrubber: Allow the placeholder attribute. -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index c05208fbf..9c077a2d3 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn @@ -66,6 +66,8 @@ HTML5](http://www.w3.org/TR/html5-diff/). > * Add pubdate attribute to time elements as appropriate. > * Use aside for the sidebar? Or for the [[templates/note]] template? > * Use nav for the actionbar +> * Use placeholder in the search box. Allows closing +> [[this_todo|Add_label_to_search_form_input_field]] > --[[Joey]] # htmlscrubber.pm needs to not scrub new HTML5 elements -- cgit v1.2.3 From 0a139aba823ece3166d29ff2daee0b5c9507b52f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 18:27:53 -0400 Subject: htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, max, step. --- IkiWiki/Plugin/htmlscrubber.pm | 5 +++-- debian/changelog | 3 ++- doc/todo/Add_label_to_search_form_input_field.mdwn | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index b3f659f73..479e10e74 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -101,8 +101,9 @@ sub scrubber { tabindex target title type valign value vspace width - autoplay preload loopstart loopend end - playcount controls pubdate placeholder + autofocus autoplay preload loopstart + loopend end playcount controls pubdate + placeholder min max step } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index 951caab9e..12ef08a91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,7 +10,8 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low * htmlscrubber: Also allow html5 canvas tags. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. - * htmlscrubber: Allow the placeholder attribute. + * htmlscrubber: Allow the html5 form attributes: placeholder autofocus, + min, max, step. -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/todo/Add_label_to_search_form_input_field.mdwn b/doc/todo/Add_label_to_search_form_input_field.mdwn index 51b34927d..281ab48e2 100644 --- a/doc/todo/Add_label_to_search_form_input_field.mdwn +++ b/doc/todo/Add_label_to_search_form_input_field.mdwn @@ -51,4 +51,4 @@ The patch below adds a label for the field to improve usability: > element. already works in eg, chromium. However, ikiwiki does not use > html5 yet. --[[Joey]] -[[!tag wishlist html5]] +[[!tag wishlist bugs/html5_support]] -- cgit v1.2.3 From 80f9a2a0879f74e86b2720ca7d1c88ee165100ea Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 18:31:33 -0400 Subject: add figure and figcaption --- IkiWiki/Plugin/htmlscrubber.pm | 2 +- debian/changelog | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 479e10e74..0090b67b9 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -84,7 +84,7 @@ sub scrubber { tfoot th thead tr tt u ul var video audio source section nav article aside hgroup - header footer time mark canvas + header footer figure figcaption time mark canvas }], default => [undef, { ( map { $_ => 1 } qw{ diff --git a/debian/changelog b/debian/changelog index 12ef08a91..108764c39 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -6,7 +6,7 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low * Version dependency on liburi-perl to >= 1.36; previous versions did not support building urls from utf-8 strings. Closes: #579713 * htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup - header footer time mark + header footer figure figcaption time mark * htmlscrubber: Also allow html5 canvas tags. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. -- cgit v1.2.3 From 78cee5140ac37f93cd2e87d8a03d71420303eb13 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 18:44:37 -0400 Subject: add rest of html5 form attributes It's easy to imagine pattern being used to freeze or crash browsers, if they implement it stupidly. Let's hope not.. --- IkiWiki/Plugin/htmlscrubber.pm | 2 +- debian/changelog | 2 +- doc/bugs/html5_support.mdwn | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 0090b67b9..7517c82c6 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -103,7 +103,7 @@ sub scrubber { autofocus autoplay preload loopstart loopend end playcount controls pubdate - placeholder min max step + placeholder min max step form required } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index 108764c39..cdc79ae78 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,7 +11,7 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. * htmlscrubber: Allow the html5 form attributes: placeholder autofocus, - min, max, step. + min, max, step, required, autocomplete, novalidate, pattern, and form. -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index 9c077a2d3..7d9dc9f79 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn @@ -79,6 +79,10 @@ HTML5](http://www.w3.org/TR/html5-diff/). > can contain urls or other javascript injection mechanisms), and I can add > them. (Added several now.) Others, like `embed` are *scary*. --[[Joey]] +> I have not added the new `ping` attribute, because parsing a +> space-separeated list of urls to avoid javascript injection is annoying, +> and the attribute seems generally dubious. --[[Joey]] + # HTML5 Validation and t/html.t [validator.nu](http://validator.nu/) is the authorative HTML5 validator, -- cgit v1.2.3 From f1e2d0af123352b692e8e4efdb208e370a00d3c1 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 19:11:03 -0400 Subject: more html5 attributes --- IkiWiki/Plugin/htmlscrubber.pm | 5 +++++ debian/changelog | 4 ++++ doc/bugs/html5_support.mdwn | 5 ++++- 3 files changed, 13 insertions(+), 1 deletion(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 7517c82c6..d52614a4d 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -85,6 +85,7 @@ sub scrubber { video audio source section nav article aside hgroup header footer figure figcaption time mark canvas + datalist }], default => [undef, { ( map { $_ => 1 } qw{ 
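Review bot: Adding `form` to the attribute allowlist lets a contributed input or button attach itself by id to any form on the page, including the forms the wiki renders around the content, and the following commit's hunk (`formaction`, `formmethod`, `formtarget`, `formenctype`) then lets that element change where and how such a form submits; `formaction` is checked only for a safe scheme, not for pointing at the wiki itself. If third parties can edit pages, I would drop `form` and the `form*` override attributes from `scrubber`, or at least record the trade-off next to them: `# form/form* let an element join and redirect another form on the page; only safe when all editors are trusted`. The `required` addition is harmless. The `scrubber` body continues outside the hunk on both sides.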
@@ -104,11 +105,15 @@ sub scrubber { autofocus autoplay preload loopstart loopend end playcount controls pubdate placeholder min max step form required + autocomplete novalidate pattern list + formenctype formmethod formnovalidate + formtarget reversed } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, src => $safe_url_regexp, action => $safe_url_regexp, + formaction => $safe_url_regexp, cite => $safe_url_regexp, longdesc => $safe_url_regexp, poster => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index cdc79ae78..e0f506f29 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,10 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low attribute and the source tag. * htmlscrubber: Allow the html5 form attributes: placeholder autofocus, min, max, step, required, autocomplete, novalidate, pattern, and form. + (Also the form* override attributes for input and buttons.) + * htmlscrubber: Allow the html5 datalist element, and the form list + attribute. + * htmlscrubber: Allow the html5 reversed and spellcheck attributes. -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index 7d9dc9f79..1ca45f46d 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn @@ -81,7 +81,10 @@ HTML5](http://www.w3.org/TR/html5-diff/). > I have not added the new `ping` attribute, because parsing a > space-separeated list of urls to avoid javascript injection is annoying, -> and the attribute seems generally dubious. --[[Joey]] +> and the attribute seems generally dubious. +> +> Need to understand better the attributes contenteditabl, contextmenu, +> data-*, draggable, hidden, role, aria-*. Have not added those. --[[Joey]] # HTML5 Validation and t/html.t -- cgit v1.2.3 From 790a339db18f1c697052446728641c9e6ef06bdb Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 19:28:28 -0400 Subject: htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby, rt, rp, details, summary. --- IkiWiki/Plugin/htmlscrubber.pm | 10 +++++----- debian/changelog | 3 ++- doc/bugs/html5_support.mdwn | 22 ++++++++++++++-------- 3 files changed, 21 insertions(+), 14 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') 
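Review bot: The caveat the preceding commit message attaches to `pattern` — that a regular expression taken from page content is compiled by every reader's browser and may stall it — is not visible in the code, so the next person trimming this list has no hint; a one-line comment would keep the trade-off on record: `# pattern: browser-side regexp supplied by page content; may be slow to evaluate`. `list` and the new `datalist` tag pair up correctly, and routing `formaction` through `$safe_url_regexp` is consistent with the other url attributes in the list. The `scrubber` body continues outside the hunk on both sides.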
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index d52614a4d..505a6f142 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -85,7 +85,7 @@ sub scrubber { video audio source section nav article aside hgroup header footer figure figcaption time mark canvas - datalist + datalist progress meter ruby rt rp details summary }], default => [undef, { ( map { $_ => 1 } qw{ @@ -104,10 +104,10 @@ sub scrubber { autofocus autoplay preload loopstart loopend end playcount controls pubdate - placeholder min max step form required - autocomplete novalidate pattern list - formenctype formmethod formnovalidate - formtarget reversed + placeholder min max step low high optimum + form required autocomplete novalidate pattern + list formenctype formmethod formnovalidate + formtarget reversed spellcheck open } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index e0f506f29..3d33f3bfc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,7 +7,8 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low did not support building urls from utf-8 strings. Closes: #579713 * htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup header footer figure figcaption time mark - * htmlscrubber: Also allow html5 canvas tags. + * htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, + ruby, rt, rp, details, summary. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. * htmlscrubber: Allow the html5 form attributes: placeholder autofocus, diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index 1ca45f46d..48b63b29a 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn 
@@ -68,23 +68,29 @@ HTML5](http://www.w3.org/TR/html5-diff/). > * Use nav for the actionbar > * Use placeholder in the search box. Allows closing > [[this_todo|Add_label_to_search_form_input_field]] +> * Use details tag instead of the javascript in the toggle plugin. +> (Need to wait on browser support probably.) > --[[Joey]] # htmlscrubber.pm needs to not scrub new HTML5 elements * [new elements](http://www.w3.org/TR/html5-diff/#new-elements) -> Most of these can be supported trivially, since they are just semantic -> markup. Make a list of these, and their attributes (and which attributes -> can contain urls or other javascript injection mechanisms), and I can add -> them. (Added several now.) Others, like `embed` are *scary*. --[[Joey]] - +> Many added now. +> +> Things I left out, too hard to understand today: +> Attributes contenteditabl, contextmenu, +> data-*, draggable, hidden, role, aria-*. Tags command, keygen, +> output. +> +> Clearly unsafe: embed. +> +> Apparently cannot be used w/o javascript: menu. +> > I have not added the new `ping` attribute, because parsing a > space-separeated list of urls to avoid javascript injection is annoying, > and the attribute seems generally dubious. -> -> Need to understand better the attributes contenteditabl, contextmenu, -> data-*, draggable, hidden, role, aria-*. Have not added those. --[[Joey]] +> --[[Joey]] # HTML5 Validation and t/html.t -- cgit v1.2.3 From ccafb10007731d04e0ff6aa36978690e6dfa6dec Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 19:59:16 -0400 Subject: enable hidden attribute --- IkiWiki/Plugin/htmlscrubber.pm | 2 +- debian/changelog | 17 ++++++++--------- doc/bugs/html5_support.mdwn | 6 +++--- 3 files changed, 12 insertions(+), 13 deletions(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 505a6f142..847518178 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm 
@@ -107,7 +107,7 @@ sub scrubber { placeholder min max step low high optimum form required autocomplete novalidate pattern list formenctype formmethod formnovalidate - formtarget reversed spellcheck open + formtarget reversed spellcheck open hidden } ), "/" => 1, # emit proper
XHTML href => $safe_url_regexp, diff --git a/debian/changelog b/debian/changelog index 3d33f3bfc..8bf6f89b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,18 +5,17 @@ ikiwiki (3.20100428) UNRELEASED; urgency=low (But not in-wiki templates.) * Version dependency on liburi-perl to >= 1.36; previous versions did not support building urls from utf-8 strings. Closes: #579713 - * htmlscrubber: Allow html5 semantic tags: section nav article aside hgroup - header footer figure figcaption time mark + * htmlscrubber: Allow html5 semantic tags: section, nav, article, aside + hgroup, header, footer, figure, figcaption, time, mark * htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, - ruby, rt, rp, details, summary. + ruby, rt, rp, details, summary, datalist. * htmlscrubber: Round out html5 video support with the preload attribute and the source tag. - * htmlscrubber: Allow the html5 form attributes: placeholder autofocus, - min, max, step, required, autocomplete, novalidate, pattern, and form. - (Also the form* override attributes for input and buttons.) - * htmlscrubber: Allow the html5 datalist element, and the form list - attribute. - * htmlscrubber: Allow the html5 reversed and spellcheck attributes. + * htmlscrubber: Allow the html5 form attributes: placeholder, autofocus, + min, max, step, required, autocomplete, novalidate, pattern, list, + and form. (Also the form* override attributes for input and buttons.) + * htmlscrubber: Allow additional misc html5 attributes: reversed, + spellcheck, and hidden. -- Joey Hess Tue, 27 Apr 2010 12:10:51 -0400 diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index 48b63b29a..2d27ac803 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn 
@@ -79,9 +79,9 @@ HTML5](http://www.w3.org/TR/html5-diff/). > Many added now. > > Things I left out, too hard to understand today: -> Attributes contenteditabl, contextmenu, -> data-*, draggable, hidden, role, aria-*. Tags command, keygen, -> output. +> Attributes contenteditable, +> data-\*, draggable, role, aria-\*. +> Tags command, keygen, output. > > Clearly unsafe: embed. > -- cgit v1.2.3 From 9b9ecda62f893a2109ccdb6bcdb2358f217f7fef Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 19 Aug 2010 13:59:31 -0400 Subject: htmlscrubber: Do not scrub url anchors that contain colons. --- IkiWiki/Plugin/htmlscrubber.pm | 2 +- debian/changelog | 1 + doc/bugs/htmlscrubber_breaks_multimarkdown_footnotes.mdwn | 5 +++++ 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'IkiWiki/Plugin/htmlscrubber.pm') diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index 847518178..927792f79 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -32,7 +32,7 @@ sub import { ); # data is a special case. Allow a few data:image/ types, # but disallow data:text/javascript and everything else. - $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?]))/i; + $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i; } sub getsetup () { diff --git a/debian/changelog b/debian/changelog index 8fee36b98..fb445a3ff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ ikiwiki (3.20100816) UNRELEASED; urgency=low (and MSIE 8 in compat mode). Thanks to Iain McLaren for reporting the bug and providing access to debug it. * style.css: Use relative, not absolute font sizes. Thanks, Giuseppe Bilotta. + * htmlscrubber: Do not scrub url anchors that contain colons. -- Joey Hess Sun, 15 Aug 2010 11:45:48 -0400 
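Review bot: The new `|^#` alternative sits outside the group the rest of the pattern lives in, and nothing explains why a bare fragment needs its own branch when `[^:]+(?:$|[\/\?#])` already accepts `page#fnref:1`; a comment would save the next reader the trace: `# a url that is only a fragment ("#fnref:1") can never carry a scheme, so colons are fine there`. The pattern has now grown to five alternatives on one line; writing it with `/x` and one alternative per line, each with its own comment, would make later security edits easier to review. The enclosing `import` begins and ends outside the hunk.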
diff --git a/doc/bugs/htmlscrubber_breaks_multimarkdown_footnotes.mdwn b/doc/bugs/htmlscrubber_breaks_multimarkdown_footnotes.mdwn index a00ced4c5..343037b45 100644 --- a/doc/bugs/htmlscrubber_breaks_multimarkdown_footnotes.mdwn +++ b/doc/bugs/htmlscrubber_breaks_multimarkdown_footnotes.mdwn @@ -11,3 +11,8 @@ enabled, the links are created but their hrefs are empty (so they do not actuall Disabling the htmlscrubber plugin fixes this issue [[!tag multimarkdown htmlscrubber]] + +> href was of the form: #fnref:1 , scrubbed by overzealous protocol +> scrubbing. + +[[done]] --[[Joey]] -- cgit v1.2.3