summaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin/htmlscrubber.pm
blob: ee284a45c3e46815f47a9001e1badb45adacdb6c (plain) 
    

  1. #!/usr/bin/perl
    2. 

  2. package IkiWiki::Plugin::htmlscrubber;
    3. 

  3. 

  4. use warnings;
    5. 

  5. use strict;
    6. 

  6. use IkiWiki 3.00;
    7. 

  7. 

  8. # This regexp matches urls that are in a known safe scheme.
    9. 

  9. # Feel free to use it from other plugins.
    10. 

  10. our $safe_url_regexp;
    11. 

  11. 

  12. sub import {
    13. 

  13.     hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup);
    14. 

  14.     hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
    15. 

  15. 

  16.     # Only known uri schemes are allowed to avoid all the ways of
    17. 

  17.     # embedding javascrpt.
    18. 

  18.     # List at http://en.wikipedia.org/wiki/URI_scheme
    19. 

  19.     my $uri_schemes=join("|", map quotemeta,
    20. 

  20.         # IANA registered schemes
    21. 

  21.         "http", "https", "ftp", "mailto", "file", "telnet", "gopher",
    22. 

  22.         "aaa", "aaas", "acap",  "cap", "cid", "crid", 
    23. 

  23.         "dav", "dict", "dns", "fax", "go", "h323", "im", "imap",
    24. 

  24.         "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
    25. 

  25.         "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
    26. 

  26.         "z39.50r", "z39.50s",
    27. 

  27.         # Selected unofficial schemes
    28. 

  28.         "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
    29. 

  29.         "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
    30. 

  30.         "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
    31. 

  31.         "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
    32. 

  32.     );
    33. 

  33.     # data is a special case. Allow data:image/*, but
    34. 

  34.     # disallow data:text/javascript and everything else.
    35. 

  35.     $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
    36. 

  36. }
    37. 

  37. 

  38. sub getsetup () {
    39. 

  39.     return
    40. 

  40.         plugin => {
    41. 

  41.             safe => 1,
    42. 

  42.             rebuild => undef,
    43. 

  43.             section => "core",
    44. 

  44.         },
    45. 

  45.         htmlscrubber_skip => {
    46. 

  46.             type => "pagespec",
    47. 

  47.             example => "!*/Discussion",
    48. 

  48.             description => "PageSpec specifying pages not to scrub",
    49. 

  49.             link => "ikiwiki/PageSpec",
    50. 

  50.             safe => 1,
    51. 

  51.             rebuild => undef,
    52. 

  52.         },
    53. 

  53. }
    54. 

  54. 

  55. sub sanitize (@) {
    56. 

  56.     my %params=@_;
    57. 

  57. 

  58.     if (exists $config{htmlscrubber_skip} &&
    59. 

  59.         length $config{htmlscrubber_skip} &&
    60. 

  60.         exists $params{destpage} &&
    61. 

  61.         pagespec_match($params{destpage}, $config{htmlscrubber_skip})) {
    62. 

  62.         return $params{content};
    63. 

  63.     }
    64. 

  64. 

  65.     return scrubber()->scrub($params{content});
    66. 

  66. }
    67. 

  67. 

  68. my $_scrubber;
    69. 

  69. sub scrubber {
    70. 

  70.     return $_scrubber if defined $_scrubber;
    71. 

  71. 

  72.     eval q{use HTML::Scrubber};
    73. 

  73.     error($@) if $@;
    74. 

  74.     # Lists based on http://feedparser.org/docs/html-sanitization.html
    75. 

  75.     # With html 5 video and audio tags added.
    76. 

  76.     $_scrubber = HTML::Scrubber->new(
    77. 

  77.         allow => [qw{
    78. 

  78.             a abbr acronym address area b big blockquote br br/
    79. 

  79.             button caption center cite code col colgroup dd del
    80. 

  80.             dfn dir div dl dt em fieldset font form h1 h2 h3 h4
    81. 

  81.             h5 h6 hr hr/ i img input ins kbd label legend li map
    82. 

  82.             menu ol optgroup option p p/ pre q s samp select small
    83. 

  83.             span strike strong sub sup table tbody td textarea
    84. 

  84.             tfoot th thead tr tt u ul var
    85. 

  85.             video audio
    86. 

  86.         }],
    87. 

  87.         default => [undef, { (
    88. 

  88.             map { $_ => 1 } qw{
    89. 

  89.                 abbr accept accept-charset accesskey
    90. 

  90.                 align alt axis border cellpadding cellspacing
    91. 

  91.                 char charoff charset checked class
    92. 

  92.                 clear cols colspan color compact coords
    93. 

  93.                 datetime dir disabled enctype for frame
    94. 

  94.                 headers height hreflang hspace id ismap
    95. 

  95.                 label lang maxlength media method
    96. 

  96.                 multiple name nohref noshade nowrap prompt
    97. 

  97.                 readonly rel rev rows rowspan rules scope
    98. 

  98.                 selected shape size span start summary
    99. 

  99.                 tabindex target title type valign
    100. 

  100.                 value vspace width
    101. 

  101.                 autoplay loopstart loopend end
    102. 

  102.                 playcount controls 
    103. 

  103.             } ),
    104. 

  104.             "/" => 1, # emit proper <hr /> XHTML
    105. 

  105.             href => $safe_url_regexp,
    106. 

  106.             src => $safe_url_regexp,
    107. 

  107.             action => $safe_url_regexp,
    108. 

  108.             cite => $safe_url_regexp,
    109. 

  109.             longdesc => $safe_url_regexp,
    110. 

  110.             poster => $safe_url_regexp,
    111. 

  111.             usemap => $safe_url_regexp,
    112. 

  112.         }],
    113. 

  113.     );
    114. 

  114.     return $_scrubber;
    115. 

  115. }
    116. 

  116. 

  117. 1
    118.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-30 03:41:41 +0000