Jacques Distler
8ea8b6a8f7
<video> and x-sendfile
...
Using <object> and <embed> were forbidden for obvious
security reasons. Instiki now permits embedding video
via the HTML5 <video> element (Ogg/Theora encoded videos
only, with .ogg or .ogv extensions). You can even upload
videos with
[[foo.ogg:video]]
Instiki now support x-sendfile. See the Proxying page for
configuring Apache (with the x-sendfile module). Lighttpd
should work similarly.
Update Rails to latest Edge (hopefully converging on RC2!).
2009-03-02 02:32:25 -06:00
Jacques Distler
52c1f74ecc
Add a couple of XSS tests.
...
Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.
Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
2009-01-05 16:25:27 -06:00
Jacques Distler
5d7d89d193
Fix Slowdown in Sanitizer Regexp
...
Deal with the issue:
http://code.google.com/p/html5lib/issues/detail?id=83
by fixing a regexp used for sanitizing inline style attributes.
2008-12-09 08:54:35 -06:00
Jacques Distler
11930dfabd
Update HTML5lib Sanitizer Test, Accordingly
2008-12-01 14:11:57 -06:00
Jacques Distler
e1c7d035c9
Some more SVG attributes for the sanitizer
...
From Sam Ruby.
2008-07-28 10:57:55 -05:00
Jacques Distler
c427807274
Blahtex
...
Sync with latest Maruku.
Pave the way for Blahtex (PNG-based math) support (from Ari Stern).
(no visible functionality, yet, but that will come)
2008-07-26 04:14:41 -05:00
Jacques Distler
5dd0507acc
Support svg:foreignObject
...
Fixes to the html5lib sanitizer and maruku to support the SVG <foreignObject> element.
Also update to the latest REXML.
2008-02-03 23:56:17 -06:00
Jacques Distler
5db9ddaf47
Fix Busted Functional Tests
...
Fix the functional tests busted by Revision 212.
Sync with latest HTML5lib.
2008-01-21 11:59:55 -06:00
Jacques Distler
1085168bbf
Update to latest HTML5lib, Add Maruku testdir
...
Sync with the latest html5lib.
Having the Maruku unit tests on-hand may be useful for debugging; so let's include them.
2008-01-08 00:01:35 -06:00
Jacques Distler
0f6889e09f
Fix Unicode bug
...
Fix Diego Restrepo's bug (see Rev 184).
Update to latest HTML5lib.
2007-12-17 03:17:43 -06:00
Jacques Distler
70025a4ba3
More SVG Sanitization
2007-10-31 01:00:45 -05:00
Jacques Distler
eca126f589
Sanitize <svg:image>
...
This element is unsafe.
2007-10-29 13:51:41 -05:00
Jacques Distler
f24c60c3fb
Better handling of SVG attributes which admit uri refs
...
Just strip out the URI ref, leaving alternates.
2007-10-27 23:08:13 -05:00
Jacques Distler
5208bbf0af
Sanitize url refs in SVG attributes
...
Add some tests.
Sync with latest HTML5lib (includes above sanitization improvements).
2007-10-27 17:34:29 -05:00
Jacques Distler
36f55fc9aa
Add support for the MathML <semantics> Element
2007-10-21 02:19:10 -05:00
Jacques Distler
55fdc9fff4
Sync with latest HTML5lib
2007-10-06 11:55:58 -05:00
Jacques Distler
ed68d975df
Update to latest HTML5lib
...
Fix that Tokenizer bug for real this time.
2007-09-09 22:26:19 -05:00
Jacques Distler
5b182bd228
HTML5lib Bug
...
Fixed a bug in the HTML5lib tokenizer (affects S5 slideshows).
Some miscellaneous code cleanup. In particular, don't bother with zapping control characters;
instead, rely on is_utf8? method to raise an exception (which we do anyway).
2007-09-06 10:40:48 -05:00
Jacques Distler
81d3cdc8e4
Minor S5 tweaks and Sync with Latest HTML5lib
2007-08-30 12:19:10 -05:00
Jacques Distler
1bc5da0053
Use XHTMLSerializer, where appropriate.
2007-07-04 18:53:03 -05:00
Jacques Distler
8ccaad85a5
Sync with latest HTML5lib and latest Maruku
2007-07-04 17:36:59 -05:00
Jacques Distler
8e92e4a3ab
Sync with latest HTML5lib
2007-06-22 03:12:08 -05:00
Jacques Distler
3de374d6c1
More fixes, sync with HTML5lib
...
Do a better job with the wrapper <div>s added by xhtmldiff and Maruku's to_html_tree method.
More tests fixed.
2007-06-13 23:05:15 -05:00
Jacques Distler
3ca33e52b5
Cleanup
...
Got rid of redcloth_for_tex.
Fixed almost all the busted tests.
2007-06-13 01:56:44 -05:00
Jacques Distler
2da672ec5b
Many Minor Fixes
...
Fixed a whole bunch of minor stuff.
Had a go at getting some of the plethora of broken tests to pass.
2007-06-12 17:37:55 -05:00
Jacques Distler
0ddd422059
Sync with latest HTML5lib
2007-06-11 23:33:06 -05:00
Jacques Distler
c2bfdefa57
Another XSS fix
...
Yet another interesting XSS attack from
http://ha.ckers.org/xss.html
2007-06-11 00:03:51 -05:00
Jacques Distler
aac197430c
More XSS vectors defanged
2007-06-10 15:07:26 -05:00
Jacques Distler
a6cbf38304
Table elements, too
...
Last fixup for the sanitizer tests.
2007-06-09 22:53:35 -05:00
Jacques Distler
6b2ec7354b
Rationalize Sanitizer Tests
2007-06-09 22:21:50 -05:00
Jacques Distler
3bf560c3b3
Updated to Latest HTML5lib
...
Synced with latest HTML5lib.
Added some RDoc-compatible documentation to the sanitizer.
2007-06-08 17:26:00 -05:00
Jacques Distler
86a7577975
Renamed one function.
2007-06-06 14:36:54 -05:00
Jacques Distler
0012efcfb4
Fixed Porting Error in HTML5lib Serializer
2007-06-06 08:44:57 -05:00
Jacques Distler
8846b2cda5
Sync with Latest HTML5lib
...
Some more tweaks
2007-06-06 08:12:03 -05:00
Jacques Distler
fd183eac04
More Tests
...
Put the Serializer version of the Sanitizer through its paces.
2007-06-06 00:56:43 -05:00
Jacques Distler
e1acebe6e4
Bugfix
...
Me stoopid.
2007-06-05 18:06:26 -05:00
Jacques Distler
bd8ba1f4b1
REXML Trees
...
Synced with latest HTML5lib.
Added preliminary support (currently disabled) for sanitizing REXML trees.
2007-06-05 16:34:49 -05:00
Jacques Distler
4dd70af5ae
HTML5lib is Back.
...
Synced with latest version of HTML5lib, which fixes problem with Astral plane characters.
I should really do some tests, but the HTML5lib Sanitizer seems to be 2-5 times slower than the old sanitizer.
2007-05-30 10:45:52 -05:00
Jacques Distler
6b21ac484f
HTML5lib Sanitizer
...
Replaced native Sanitizer with HTML5lib version.
Synced with latest Maruku.
2007-05-25 20:52:27 -05:00