instiki/lib/sanitize.rb

module Sanitize

# This module provides sanitization of XHTML+MathML+SVG 
# and of inline style attributes.
#
# Uses the HTML5lib parser, so that the parsing behaviour should
# resemble that of browsers.
#
#  sanitize_xhtml() is a case-sensitive sanitizer, suitable for XHTML
#  sanitize_html() is a case-insensitive sanitizer suitable for HTML
#  sanitize_rexml() sanitized a REXML tree, returning a string


  require 'html5lib/html5parser'
  require 'html5lib/liberalxmlparser'
  require 'html5lib/treewalkers'
  require 'html5lib/treebuilders'
  require 'html5lib/serializer'
  require 'string_utils'
  require 'html5lib/sanitizer'

  include HTML5lib

# Sanitize a string, parsed using XHTML parsing rules.
#
# :call-seq:
#    sanitize_xhtml(string)                    -> string
#    sanitize_xhtml(string, {:encoding => 'iso-8859-1', :to_tree => true}) -> REXML::Document
#
# Unless otherwise specified, the string is assumed to be utf-8 encoded.
# By default, the output is a string. But, optionally, you can return a REXML tree.
  def sanitize_xhtml(html, options = {})
    @encoding = 'utf-8'
    @treebuilder = TreeBuilders::REXML::TreeBuilder
    @to_tree = false
    options.each do |name, value|
      next unless %w(encoding treebuilder to_tree).include? name.to_s
      if name.to_s == 'treebuilder'
        @treebuilder =  HTML5lib::TreeBuilders.getTreeBuilder(value)
      else
        instance_variable_set("@#{name}", value)
      end
    end
    parsed = XHTMLParser.parseFragment(html.to_ncr, {:tokenizer => HTMLSanitizer,
      :encoding => @encoding, :tree => @treebuilder })
    return parsed if @to_tree
    return parsed.to_s
  end

# Sanitize a string, parsed using HTML parsing rules.
#
# :call-seq:
#    sanitize_html(string)                    -> string
#    sanitize_html(string, {:encoding => 'iso-8859-1', :to_tree => true}) -> REXML::Document
#
# Unless otherwise specified, the string is assumed to be utf-8 encoded.
# By default, the output is a string. But, optionally, you can return a REXML tree.
  def sanitize_html(html, options = {})
    @encoding = 'utf-8'
    @treebuilder = TreeBuilders::REXML::TreeBuilder
    @to_tree = false
    options.each do |name, value|
      next unless %w(encoding treebuilder to_tree).include? name.to_s
      if name.to_s == 'treebuilder'
        @treebuilder =  HTML5lib::TreeBuilders.getTreeBuilder(value)
      else
        instance_variable_set("@#{name}", value)
      end
    end
    parsed = HTMLParser.parseFragment(html.to_ncr, {:tokenizer => HTMLSanitizer,
      :encoding => @encoding, :tree => @treebuilder })
    return parsed if @to_tree
    return parsed.to_s
  end

# Sanitize a REXML tree. The output is a string.
#
# :call-seq:
#    sanitize_rexml(tree)                    -> string
#
  def sanitize_rexml(tree)
    tokens = TreeWalkers.getTreeWalker('rexml').new(tree.to_ncr)
    HTMLSerializer.serialize(tokens, {:encoding=>'utf-8',
      :quote_attr_values => true,
      :minimize_boolean_attributes => false,
      :use_trailing_solidus => true,
      :space_before_trailing_solidus => true,
      :omit_optional_tags => false,
      :inject_meta_charset => false,
      :sanitize => true})
  end
end
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00			`module Sanitize`

HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`# This module provides sanitization of XHTML+MathML+SVG`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00			`# and of inline style attributes.`
			`#`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`# Uses the HTML5lib parser, so that the parsing behaviour should`
			`# resemble that of browsers.`
			`#`
			`# sanitize_xhtml() is a case-sensitive sanitizer, suitable for XHTML`
			`# sanitize_html() is a case-insensitive sanitizer suitable for HTML`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`# sanitize_rexml() sanitized a REXML tree, returning a string`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00

HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`require 'html5lib/html5parser'`
			`require 'html5lib/liberalxmlparser'`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`require 'html5lib/treewalkers'`
Enhancements to sanitize.rb Options, options, ... options. 2007-06-08 08:23:09 +02:00			`require 'html5lib/treebuilders'`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`require 'html5lib/serializer'`
			`require 'string_utils'`
			`require 'html5lib/sanitizer'`

HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`include HTML5lib`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00
Enhancements to sanitize.rb Options, options, ... options. 2007-06-08 08:23:09 +02:00			`# Sanitize a string, parsed using XHTML parsing rules.`
			`#`
			`# :call-seq:`
			`# sanitize_xhtml(string) -> string`
			`# sanitize_xhtml(string, {:encoding => 'iso-8859-1', :to_tree => true}) -> REXML::Document`
			`#`
			`# Unless otherwise specified, the string is assumed to be utf-8 encoded.`
			`# By default, the output is a string. But, optionally, you can return a REXML tree.`
			`def sanitize_xhtml(html, options = {})`
			`@encoding = 'utf-8'`
			`@treebuilder = TreeBuilders::REXML::TreeBuilder`
			`@to_tree = false`
			`options.each do \|name, value\|`
			`next unless %w(encoding treebuilder to_tree).include? name.to_s`
			`if name.to_s == 'treebuilder'`
			`@treebuilder = HTML5lib::TreeBuilders.getTreeBuilder(value)`
			`else`
			`instance_variable_set("@#{name}", value)`
			`end`
			`end`
			`parsed = XHTMLParser.parseFragment(html.to_ncr, {:tokenizer => HTMLSanitizer,`
			`:encoding => @encoding, :tree => @treebuilder })`
			`return parsed if @to_tree`
			`return parsed.to_s`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`end`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00
Enhancements to sanitize.rb Options, options, ... options. 2007-06-08 08:23:09 +02:00			`# Sanitize a string, parsed using HTML parsing rules.`
			`#`
			`# :call-seq:`
			`# sanitize_html(string) -> string`
			`# sanitize_html(string, {:encoding => 'iso-8859-1', :to_tree => true}) -> REXML::Document`
			`#`
			`# Unless otherwise specified, the string is assumed to be utf-8 encoded.`
			`# By default, the output is a string. But, optionally, you can return a REXML tree.`
			`def sanitize_html(html, options = {})`
			`@encoding = 'utf-8'`
			`@treebuilder = TreeBuilders::REXML::TreeBuilder`
			`@to_tree = false`
			`options.each do \|name, value\|`
			`next unless %w(encoding treebuilder to_tree).include? name.to_s`
			`if name.to_s == 'treebuilder'`
			`@treebuilder = HTML5lib::TreeBuilders.getTreeBuilder(value)`
			`else`
			`instance_variable_set("@#{name}", value)`
			`end`
			`end`
			`parsed = HTMLParser.parseFragment(html.to_ncr, {:tokenizer => HTMLSanitizer,`
			`:encoding => @encoding, :tree => @treebuilder })`
			`return parsed if @to_tree`
			`return parsed.to_s`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`end`
Finally! XSS-protection, done right. If you want something done right, ... 2007-02-22 08:06:53 +01:00
Enhancements to sanitize.rb Options, options, ... options. 2007-06-08 08:23:09 +02:00			`# Sanitize a REXML tree. The output is a string.`
			`#`
			`# :call-seq:`
			`# sanitize_rexml(tree) -> string`
			`#`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`def sanitize_rexml(tree)`
			`tokens = TreeWalkers.getTreeWalker('rexml').new(tree.to_ncr)`
			`HTMLSerializer.serialize(tokens, {:encoding=>'utf-8',`
Bugfix Me stoopid. 2007-06-06 01:06:26 +02:00			`:quote_attr_values => true,`
			`:minimize_boolean_attributes => false,`
			`:use_trailing_solidus => true,`
			`:space_before_trailing_solidus => true,`
			`:omit_optional_tags => false,`
			`:inject_meta_charset => false,`
			`:sanitize => true})`
REXML Trees Synced with latest HTML5lib. Added preliminary support (currently disabled) for sanitizing REXML trees. 2007-06-05 23:34:49 +02:00			`end`
HTML5lib is Back. Synced with latest version of HTML5lib, which fixes problem with Astral plane characters. I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer. 2007-05-30 17:45:52 +02:00			`end`