deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

More SVG Sanitization

Browse source
This commit is contained in:
Jacques Distler 2007-10-31 01:00:45 -05:00
parent eca126f589
commit 70025a4ba3
2 changed files with 40 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
vendor/plugins/HTML5lib/lib/html5/sanitizer.rb vendored
View file

@ -78,8 +78,12 @@ module HTML5
ATTR_VAL_IS_URI = %w[href src cite action longdesc xlink:href xml:base] ATTR_VAL_IS_URI = %w[href src cite action longdesc xlink:href xml:base]
SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path fill filter marker marker-start SVG_ATTR_VAL_ALLOWS_REF = %w[clip-path color-profile cursor fill
marker-mid marker-end mask stroke textpath] filter marker marker-start marker-mid marker-end mask stroke]
SVG_ALLOW_LOCAL_HREF = %w[altGlyph animate animateColor animateMotion
animateTransform cursor feImage filter linearGradient pattern
radialGradient textpath tref set use]
ACCEPTABLE_CSS_PROPERTIES = %w[azimuth background-color ACCEPTABLE_CSS_PROPERTIES = %w[azimuth background-color
border-bottom-color border-collapse border-color border-left-color border-bottom-color border-collapse border-color border-left-color
@ -127,6 +131,9 @@ module HTML5
SVG_ATTR_VAL_ALLOWS_REF.each do |attr| SVG_ATTR_VAL_ALLOWS_REF.each do |attr|
attrs[attr] = attrs[attr].to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attrs[attr] attrs[attr] = attrs[attr].to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attrs[attr]
end end
if SVG_ALLOW_LOCAL_HREF.include?(token[:name]) && attrs['xlink:href'] && attrs['xlink:href'] =~ /^\s*[^#\s].*/m
attrs.delete 'xlink:href'
end
if attrs['style'] if attrs['style']
attrs['style'] = sanitize_css(attrs['style']) attrs['style'] = sanitize_css(attrs['style'])
end end

31
vendor/plugins/HTML5lib/tests/test_sanitizer.rb vendored
View file

@ -110,6 +110,37 @@ class SanitizeTest < Test::Unit::TestCase
end end
end end
HTMLSanitizer::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
next unless HTMLSanitizer::ALLOWED_ELEMENTS.include?(tag_name)
define_method "test_#{tag_name}_should_allow_local_href" do
input = %(<#{tag_name} xlink:href="#foo"/>)
output = "<#{tag_name.downcase} xlink:href='#foo'/>"
xhtmloutput = "<#{tag_name} xlink:href='#foo'></#{tag_name}>"
check_sanitization(input, output, xhtmloutput, xhtmloutput)
end
define_method "test_#{tag_name}_should_allow_local_href_with_newline" do
input = %(<#{tag_name} xlink:href="\n#foo"/>)
output = "<#{tag_name.downcase} xlink:href='\n#foo'/>"
xhtmloutput = "<#{tag_name} xlink:href='\n#foo'></#{tag_name}>"
check_sanitization(input, output, xhtmloutput, xhtmloutput)
end
define_method "test_#{tag_name}_should_forbid_nonlocal_href" do
input = %(<#{tag_name} xlink:href="http://bad.com/foo"/>)
output = "<#{tag_name.downcase}/>"
xhtmloutput = "<#{tag_name}></#{tag_name}>"
check_sanitization(input, output, xhtmloutput, xhtmloutput)
end
define_method "test_#{tag_name}_should_forbid_nonlocal_href_with_newline" do
input = %(<#{tag_name} xlink:href="\nhttp://bad.com/foo"/>)
output = "<#{tag_name.downcase}/>"
xhtmloutput = "<#{tag_name}></#{tag_name}>"
check_sanitization(input, output, xhtmloutput, xhtmloutput)
end
end
def test_should_handle_astral_plane_characters def test_should_handle_astral_plane_characters
input = "<p>&#x1d4b5; &#x1d538;</p>" input = "<p>&#x1d4b5; &#x1d538;</p>"
output = "<p>\360\235\222\265 \360\235\224\270</p>" output = "<p>\360\235\222\265 \360\235\224\270</p>"