From d5e35d2861b2cf958fdf3613ffbb2ef88a8e725e Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Sat, 10 Oct 2009 02:44:44 -0500
Subject: [PATCH] Some more Sanitizer tweaks
Mostly stylistic things, but allow some constants to be defined by the calling program.
---
 lib/sanitizer.rb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/lib/sanitizer.rb b/lib/sanitizer.rb
index 63eeb625..8537fed2 100644
--- a/lib/sanitizer.rb
+++ b/lib/sanitizer.rb
@@ -70,10 +70,10 @@ module Sanitizer
 attr_val_is_uri = Set.new %w[href src cite action longdesc xlink:href xml:base]
- SVG_ATTR_VAL_ALLOWS_REF = Set.new %w[clip-path color-profile cursor fill
+ svg_attr_val_allows_ref = Set.new %w[clip-path color-profile cursor fill
 filter marker marker-start marker-mid marker-end mask stroke]
- SVG_ALLOW_LOCAL_HREF = Set.new %w[altGlyph animate animateColor animateMotion
+ svg_allow_local_href = Set.new %w[altGlyph animate animateColor animateMotion
 animateTransform cursor feImage filter linearGradient pattern radialGradient textpath tref set use]
@@ -99,6 +99,7 @@ module Sanitizer
 acceptable_protocols = Set.new %w[ed2k ftp http https irc mailto news gopher nntp telnet webcal xmpp callto feed urn aim rsync tag ssh sftp rtsp afs]
+ SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
 VOID_ELEMENTS = Set.new %w[img br hr link meta area base basefont col frame input isindex param]
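Review bot: SHORTHAND_CSS_PROPERTIES is assigned unconditionally in this hunk, while every allowlist in the @@ -109 hunk (including the two this commit adds) is guarded with `unless defined?(...)` so the calling program can pre-define it; a top-level SHORTHAND_CSS_PROPERTIES supplied by the caller would presumably be shadowed by Sanitizer's own constant, which is at odds with the commit's stated intent. To follow the file's existing pattern, make this line `shorthand_css_properties = Set.new %w[background border margin padding]` and add `SHORTHAND_CSS_PROPERTIES = shorthand_css_properties unless defined?(SHORTHAND_CSS_PROPERTIES)` beside the other guarded assignments. If this set is deliberately not overridable, a one-line comment saying so would stop the next reader from assuming it behaves like the rest. The enclosing module body continues outside this hunk.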
@@ -109,11 +110,13 @@ module Sanitizer
 ALLOWED_SVG_PROPERTIES = acceptable_svg_properties unless defined?(ALLOWED_SVG_PROPERTIES)
 ALLOWED_PROTOCOLS = acceptable_protocols unless defined?(ALLOWED_PROTOCOLS)
 ATTR_VAL_IS_URI = attr_val_is_uri unless defined?(ATTR_VAL_IS_URI)
+ SVG_ATTR_VAL_ALLOWS_REF = svg_attr_val_allows_ref unless defined?(SVG_ATTR_VAL_ALLOWS_REF)
+ SVG_ALLOW_LOCAL_HREF = svg_allow_local_href unless defined?(SVG_ALLOW_LOCAL_HREF)
 # Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and stripping out all
 # attributes not in ALLOWED_ATTRIBUTES. Style attributes are parsed, and a restricted set,
 # specified by ALLOWED_CSS_PROPERTIES and ALLOWED_CSS_KEYWORDS, are allowed through.
- # Attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified in
+ # Attributes in ATTR_VAL_IS_URI are scanned, and only uri schemes specified in
 # ALLOWED_PROTOCOLS are allowed.
 # Certain SVG attributes (SVG_ATTR_VAL_ALLOWS_REF) may take a url as a value. These are restricted to
 # fragment-id's (in-document references). Certain SVG elements (SVG_ALLOW_LOCAL_HREF) allow href attributes
@@ -135,7 +138,7 @@ module Sanitizer
 results << case node.tag?
 when true
 if ALLOWED_ELEMENTS.include?(node.name)
- process_attributes_for(node)
+ process_attributes_for node
 node.to_s
 else
 node.to_s.gsub(//, ">")
@@ -191,7 +194,7 @@ module Sanitizer
 prop.downcase!
 if self.class.const_get("ALLOWED_CSS_PROPERTIES").include?(prop)
 clean << "#{prop}: #{val};"
- elsif %w[background border margin padding].include?(prop.split('-')[0])
+ elsif self.class.const_get("SHORTHAND_CSS_PROPERTIES").include?(prop.split('-')[0])
 clean << "#{prop}: #{val};" unless val.split().any? do |keyword|
 !self.class.const_get("ALLOWED_CSS_KEYWORDS").include?(keyword) and
 keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
@@ -201,6 +204,6 @@ module Sanitizer
 end
 end
- style = clean.join(' ')
+ clean.join(' ')
 end
 end
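Review bot: The two new `unless defined?` guards make SVG_ATTR_VAL_ALLOWS_REF and SVG_ALLOW_LOCAL_HREF overridable security allowlists, yet the comment block directly below still describes them only as fixed sets and says nothing about the override contract or that a pre-defined constant replaces the default set rather than extending it. A short comment above the guarded assignments would make this explicit, e.g. `# Each allowlist above may be pre-defined by the including program; a pre-defined constant replaces the default set wholesale, so widening it widens what sanitize lets through.` Separately, the comment edit in this hunk lowercases `URI` to `uri`, which reads worse for an acronym and is worth reverting. The enclosing module body continues outside this hunk.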