summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin/htmlscrubber.pm
blob: 927792f791f2160232671e1327db2a379a496e9d (plain)
  1. #!/usr/bin/perl
  2. package IkiWiki::Plugin::htmlscrubber;
  3. use warnings;
  4. use strict;
  5. use IkiWiki 3.00;
  6. # This regexp matches urls that are in a known safe scheme.
  7. # Feel free to use it from other plugins.
  8. our $safe_url_regexp;
  9. sub import {
  10. hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup);
  11. hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
  12. # Only known uri schemes are allowed to avoid all the ways of
  13. # embedding javascrpt.
  14. # List at http://en.wikipedia.org/wiki/URI_scheme
  15. my $uri_schemes=join("|", map quotemeta,
  16. # IANA registered schemes
  17. "http", "https", "ftp", "mailto", "file", "telnet", "gopher",
  18. "aaa", "aaas", "acap", "cap", "cid", "crid",
  19. "dav", "dict", "dns", "fax", "go", "h323", "im", "imap",
  20. "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
  21. "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
  22. "z39.50r", "z39.50s",
  23. # Selected unofficial schemes
  24. "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
  25. "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
  26. "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
  27. "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
  28. );
  29. # data is a special case. Allow a few data:image/ types,
  30. # but disallow data:text/javascript and everything else.
  31. $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/(?:png|jpeg|gif)|[^:]+(?:$|[\/\?#]))|^#/i;
  32. }
  33. sub getsetup () {
  34. return
  35. plugin => {
  36. safe => 1,
  37. rebuild => undef,
  38. section => "core",
  39. },
  40. htmlscrubber_skip => {
  41. type => "pagespec",
  42. example => "!*/Discussion",
  43. description => "PageSpec specifying pages not to scrub",
  44. link => "ikiwiki/PageSpec",
  45. safe => 1,
  46. rebuild => undef,
  47. },
  48. }
  49. sub sanitize (@) {
  50. my %params=@_;
  51. if (exists $config{htmlscrubber_skip} &&
  52. length $config{htmlscrubber_skip} &&
  53. exists $params{destpage} &&
  54. pagespec_match($params{destpage}, $config{htmlscrubber_skip})) {
  55. return $params{content};
  56. }
  57. return scrubber()->scrub($params{content});
  58. }
  59. my $_scrubber;
  60. sub scrubber {
  61. return $_scrubber if defined $_scrubber;
  62. eval q{use HTML::Scrubber};
  63. error($@) if $@;
  64. # Lists based on http://feedparser.org/docs/html-sanitization.html
  65. # With html5 tags added.
  66. $_scrubber = HTML::Scrubber->new(
  67. allow => [qw{
  68. a abbr acronym address area b big blockquote br br/
  69. button caption center cite code col colgroup dd del
  70. dfn dir div dl dt em fieldset font form h1 h2 h3 h4
  71. h5 h6 hr hr/ i img input ins kbd label legend li map
  72. menu ol optgroup option p p/ pre q s samp select small
  73. span strike strong sub sup table tbody td textarea
  74. tfoot th thead tr tt u ul var
  75. video audio source section nav article aside hgroup
  76. header footer figure figcaption time mark canvas
  77. datalist progress meter ruby rt rp details summary
  78. }],
  79. default => [undef, { (
  80. map { $_ => 1 } qw{
  81. abbr accept accept-charset accesskey
  82. align alt axis border cellpadding cellspacing
  83. char charoff charset checked class
  84. clear cols colspan color compact coords
  85. datetime dir disabled enctype for frame
  86. headers height hreflang hspace id ismap
  87. label lang maxlength media method
  88. multiple name nohref noshade nowrap prompt
  89. readonly rel rev rows rowspan rules scope
  90. selected shape size span start summary
  91. tabindex target title type valign
  92. value vspace width
  93. autofocus autoplay preload loopstart
  94. loopend end playcount controls pubdate
  95. placeholder min max step low high optimum
  96. form required autocomplete novalidate pattern
  97. list formenctype formmethod formnovalidate
  98. formtarget reversed spellcheck open hidden
  99. } ),
  100. "/" => 1, # emit proper <hr /> XHTML
  101. href => $safe_url_regexp,
  102. src => $safe_url_regexp,
  103. action => $safe_url_regexp,
  104. formaction => $safe_url_regexp,
  105. cite => $safe_url_regexp,
  106. longdesc => $safe_url_regexp,
  107. poster => $safe_url_regexp,
  108. usemap => $safe_url_regexp,
  109. }],
  110. );
  111. return $_scrubber;
  112. }
  113. 1