deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
356 commits 3 branches 18 tags 34 MiB
Commit graph

9 commits

Author SHA1 Message Date
Jacques Distler 52c1f74ecc Add a couple of XSS tests. 
Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.

Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
 2009-01-05 16:25:27 -06:00
Jacques Distler 0f6889e09f Fix Unicode bug 
Fix Diego Restrepo's bug (see Rev 184).
Update to latest HTML5lib.
 2007-12-17 03:17:43 -06:00
Jacques Distler eca126f589 Sanitize <svg:image> 
This element is unsafe.
 2007-10-29 13:51:41 -05:00
Jacques Distler f24c60c3fb Better handling of SVG attributes which admit uri refs 
Just strip out the URI ref, leaving alternates.
 2007-10-27 23:08:13 -05:00
Jacques Distler 5208bbf0af Sanitize url refs in SVG attributes 
Add some tests.
Sync with latest HTML5lib (includes above sanitization improvements).
 2007-10-27 17:34:29 -05:00
Jacques Distler ed68d975df Update to latest HTML5lib 
Fix that Tokenizer bug for real this time.
 2007-09-09 22:26:19 -05:00
Jacques Distler 5b182bd228 HTML5lib Bug 
Fixed a bug in the HTML5lib tokenizer (affects S5 slideshows).
Some miscellaneous code cleanup. In particular, don't bother with zapping control characters;
instead, rely on is_utf8? method to raise an exception (which we do anyway).
 2007-09-06 10:40:48 -05:00
Jacques Distler 8e92e4a3ab Sync with latest HTML5lib 2007-06-22 03:12:08 -05:00
Jacques Distler 0ddd422059 Sync with latest HTML5lib 2007-06-11 23:33:06 -05:00