instiki/lib/sanitize.rb

module Sanitize

# This module provides sanitization of XHTML+MathML+SVG 
# and of inline style attributes.
#
# Uses the HTML5lib parser, so that the parsing behaviour should
# resemble that of browsers.
#
#  sanitize_xhtml() is a case-sensitive sanitizer, suitable for XHTML
#  sanitize_html() is a case-insensitive sanitizer suitable for HTML
#  sanitize_rexml() sanitized a REXML tree, returning a string


  require 'html5lib/html5parser'
  require 'html5lib/liberalxmlparser'

  require 'html5lib/treewalkers'
  require 'html5lib/serializer'
  require 'string_utils'
  require 'html5lib/sanitizer'

  include HTML5lib

  def sanitize_xhtml(html)
    XHTMLParser.parseFragment(html.to_ncr, :tokenizer => HTMLSanitizer).to_s
  end

  def sanitize_html(html)
    HTMLParser.parseFragment(html, :tokenizer => HTMLSanitizer).to_s
  end

  def sanitize_rexml(tree)
    tokens = TreeWalkers.getTreeWalker('rexml').new(tree.to_ncr)
    HTMLSerializer.serialize(tokens, {:encoding=>'utf-8',
      :quote_attr_values => true,
      :minimize_boolean_attributes => false,
      :use_trailing_solidus => true,
      :space_before_trailing_solidus => true,
      :omit_optional_tags => false,
      :inject_meta_charset => false,
      :sanitize => true})
  end
end
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00			`module Sanitize`

HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`# This module provides sanitization of XHTML+MathML+SVG`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00			`# and of inline style attributes.`
			`#`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`# Uses the HTML5lib parser, so that the parsing behaviour should`
			`# resemble that of browsers.`
			`#`
			`# sanitize_xhtml() is a case-sensitive sanitizer, suitable for XHTML`
			`# sanitize_html() is a case-insensitive sanitizer suitable for HTML`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`# sanitize_rexml() sanitized a REXML tree, returning a string`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00

HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`require 'html5lib/html5parser'`
			`require 'html5lib/liberalxmlparser'`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00
			`require 'html5lib/treewalkers'`
			`require 'html5lib/serializer'`
			`require 'string_utils'`
			`require 'html5lib/sanitizer'`

HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`include HTML5lib`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`def sanitize_xhtml(html)`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`XHTMLParser.parseFragment(html.to_ncr, :tokenizer => HTMLSanitizer).to_s`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`end`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`def sanitize_html(html)`
			`HTMLParser.parseFragment(html, :tokenizer => HTMLSanitizer).to_s`
			`end`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`def sanitize_rexml(tree)`
			`tokens = TreeWalkers.getTreeWalker('rexml').new(tree.to_ncr)`
			`HTMLSerializer.serialize(tokens, {:encoding=>'utf-8',`
Bugfix Me stoopid. 2007-06-06 01:06:26 +02:00			`:quote_attr_values => true,`
			`:minimize_boolean_attributes => false,`
			`:use_trailing_solidus => true,`
			`:space_before_trailing_solidus => true,`
			`:omit_optional_tags => false,`
			`:inject_meta_charset => false,`
			`:sanitize => true})`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`end`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`end`