Commit graph

17 commits

Author SHA1 Message Date
Jacques Distler
a6429f8c22 Ruby 1.9 Compatibility
Completely removed the html5lib sanitizer.
Fixed the string-handling to work in both
Ruby 1.8.x and 1.9.2. There are still,
inexplicably, two functional tests that
fail. But the rest seems to work quite well.
2009-11-30 16:28:18 -06:00
Jacques Distler
d5e35d2861 Some more Sanitizer tweaks
Mostly stylistic things, but allow some constants to be defined by the calling program.
2009-10-10 02:44:44 -05:00
Jacques Distler
d14db51d9e More Sanitizer Refactoring
Make the Sanitizer more efficient.
Also, update some unit tests.
2009-10-09 23:18:17 -05:00
Jacques Distler
9b7071d190 Update Sanitizer Docs
They were a bit out-of-sync with what the sanitizer
actually does.
2009-10-09 14:02:07 -05:00
Jacques Distler
e7b77dd3d3 Sanitizer Refactoring
A bit of cleanup for the Sanitizer.
2009-10-09 13:02:02 -05:00
Jacques Distler
2f3ff9f651 Efficiency
There's a moderate efficiency gain to be had by
using Set#include?, rather than Array#include?
in the sanitizer.
2009-10-08 16:22:50 -05:00
Jacques Distler
681065631c Add Support for SVG Clipping Paths
Add support in the sanitizer for <clipPath>, @clip-path and @clip-rule.
Suggested by Andrew Stacey.
2009-05-07 16:53:56 -05:00
Jacques Distler
c7418af48d Support for HTML5 <audio>
As with <video>,

   [[foo.wav:audio]]

works now, producing an HTML5 <audio> element.
2009-03-03 12:17:14 -06:00
Jacques Distler
8ea8b6a8f7 <video> and x-sendfile
Using <object> and <embed> were forbidden for obvious
security reasons. Instiki now permits embedding video
via the HTML5 <video> element (Ogg/Theora encoded videos
only, with .ogg or .ogv extensions). You can even upload
videos with

    [[foo.ogg:video]]

Instiki now support x-sendfile. See the Proxying page for
configuring Apache (with the x-sendfile module). Lighttpd
should work similarly.

Update Rails to latest Edge (hopefully converging on RC2!).
2009-03-02 02:32:25 -06:00
Jacques Distler
4e14ccc74d Instiki 0.16.3: Rails 2.3.0
Instiki now runs on the Rails 2.3.0 Candidate Release.
Among other improvements, this means that it now 
automagically selects between WEBrick and Mongrel.

Just run

    ./instiki --daemon
2009-02-04 14:26:08 -06:00
Jacques Distler
52c1f74ecc Add a couple of XSS tests.
Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.

Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
2009-01-05 16:25:27 -06:00
Jacques Distler
5d7d89d193 Fix Slowdown in Sanitizer Regexp
Deal with the issue:

   http://code.google.com/p/html5lib/issues/detail?id=83

by fixing a regexp used for sanitizing inline style attributes.
2008-12-09 08:54:35 -06:00
Jacques Distler
e1c7d035c9 Some more SVG attributes for the sanitizer
From Sam Ruby.
2008-07-28 10:57:55 -05:00
Jacques Distler
c427807274 Blahtex
Sync with latest Maruku.
Pave the way for Blahtex (PNG-based math) support (from Ari Stern).
   (no visible functionality, yet, but that will come)
2008-07-26 04:14:41 -05:00
Jacques Distler
f6508de6dd Whoops!
In some circumstances, the new Sanitizer was double-escaping text nodes.
Fixed (with unit test).
2008-05-21 14:14:43 -05:00
Jacques Distler
45405fc97e New Sanitizer Goes Live
The new sanitizer seems to work well (cuts the time required
to produce the Instiki Atom feed in half). Our strategy is to
use HTML5lib for <nowiki> content, but to use the new sanitizer
for content that has been processed by Maruku (and hence is
well-formed).

The one broken unit test won't affect us (since it dealt with
very malformed HTML).
2008-05-21 02:06:31 -05:00
Jacques Distler
800880f382 Rough In New Sanitizer
Start work (which may not pan out) on a new sanitizer. Right now, it passes
all but 1 of the HTML5lib Sanitizer's unit tests. But it doesn't do much
of anything to ensure well-formedness. This is not an issue for Maruku-processed
content, but it is a concern for <nowiki> blocks.

(One solution would be to use the HTML5lib parser on <nowiki> blocks.)

In any case, this baby is 3 times as fast as the HTML5lib sanitizer.
2008-05-20 17:02:10 -05:00