summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin/htmlscrubber.pm
blob: 923907b047b8657e03857c91a500df5eb18911c5 (plain)
  1. #!/usr/bin/perl
  2. package IkiWiki::Plugin::htmlscrubber;
  3. use warnings;
  4. use strict;
  5. use IkiWiki 2.00;
  6. # This regexp matches urls that are in a known safe scheme.
  7. # Feel free to use it from other plugins.
  8. our $safe_url_regexp;
  9. sub import { #{{{
  10. hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup);
  11. hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
  12. # Only known uri schemes are allowed to avoid all the ways of
  13. # embedding javascrpt.
  14. # List at http://en.wikipedia.org/wiki/URI_scheme
  15. my $uri_schemes=join("|", map quotemeta,
  16. # IANA registered schemes
  17. "http", "https", "ftp", "mailto", "file", "telnet", "gopher",
  18. "aaa", "aaas", "acap", "cap", "cid", "crid",
  19. "dav", "dict", "dns", "fax", "go", "h323", "im", "imap",
  20. "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
  21. "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
  22. "z39.50r", "z39.50s",
  23. # Selected unofficial schemes
  24. "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
  25. "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
  26. "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
  27. "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
  28. );
  29. # data is a special case. Allow data:image/*, but
  30. # disallow data:text/javascript and everything else.
  31. $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
  32. } # }}}
  33. sub getsetup () { #{{{
  34. return
  35. plugin => {
  36. safe => 1,
  37. rebuild => undef,
  38. },
  39. } #}}}
  40. sub sanitize (@) { #{{{
  41. my %params=@_;
  42. return scrubber()->scrub($params{content});
  43. } # }}}
  44. my $_scrubber;
  45. sub scrubber { #{{{
  46. return $_scrubber if defined $_scrubber;
  47. eval q{use HTML::Scrubber};
  48. error($@) if $@;
  49. # Lists based on http://feedparser.org/docs/html-sanitization.html
  50. # With html 5 video and audio tags added.
  51. $_scrubber = HTML::Scrubber->new(
  52. allow => [qw{
  53. a abbr acronym address area b big blockquote br br/
  54. button caption center cite code col colgroup dd del
  55. dfn dir div dl dt em fieldset font form h1 h2 h3 h4
  56. h5 h6 hr hr/ i img input ins kbd label legend li map
  57. menu ol optgroup option p p/ pre q s samp select small
  58. span strike strong sub sup table tbody td textarea
  59. tfoot th thead tr tt u ul var
  60. video audio
  61. }],
  62. default => [undef, { (
  63. map { $_ => 1 } qw{
  64. abbr accept accept-charset accesskey
  65. align alt axis border cellpadding cellspacing
  66. char charoff charset checked class
  67. clear cols colspan color compact coords
  68. datetime dir disabled enctype for frame
  69. headers height hreflang hspace id ismap
  70. label lang maxlength media method
  71. multiple name nohref noshade nowrap prompt
  72. readonly rel rev rows rowspan rules scope
  73. selected shape size span start summary
  74. tabindex target title type valign
  75. value vspace width
  76. autoplay loopstart loopend end
  77. playcount controls
  78. } ),
  79. "/" => 1, # emit proper <hr /> XHTML
  80. href => $safe_url_regexp,
  81. src => $safe_url_regexp,
  82. action => $safe_url_regexp,
  83. cite => $safe_url_regexp,
  84. longdesc => $safe_url_regexp,
  85. poster => $safe_url_regexp,
  86. usemap => $safe_url_regexp,
  87. }],
  88. );
  89. return $_scrubber;
  90. } # }}}
  91. 1