Support for safe external scripts via explicit whitelist.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>

configdoc/usage.xml

@@ -209,14 +209,22 @@
    <line>228</line>
   </file>
  </directive>
- <directive id="HTML.Nofollow">
+ <directive id="HTML.SafeScripting">
   <file name="HTMLPurifier/HTMLModuleManager.php">
    <line>231</line>
   </file>
+  <file name="HTMLPurifier/HTMLModule/SafeScripting.php">
+   <line>17</line>
+  </file>
+ </directive>
+ <directive id="HTML.Nofollow">
+  <file name="HTMLPurifier/HTMLModuleManager.php">
+   <line>234</line>
+  </file>
  </directive>
  <directive id="HTML.TargetBlank">
   <file name="HTMLPurifier/HTMLModuleManager.php">
-   <line>234</line>
+   <line>237</line>
   </file>
  </directive>
  <directive id="Attr.IDBlacklist">

library/HTMLPurifier.includes.php

@@ -165,6 +165,7 @@ require 'HTMLPurifier/HTMLModule/Proprietary.php';
 require 'HTMLPurifier/HTMLModule/Ruby.php';
 require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
 require 'HTMLPurifier/HTMLModule/SafeObject.php';
+require 'HTMLPurifier/HTMLModule/SafeScripting.php';
 require 'HTMLPurifier/HTMLModule/Scripting.php';
 require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
 require 'HTMLPurifier/HTMLModule/Tables.php';

library/HTMLPurifier.safe-includes.php

@@ -159,6 +159,7 @@ require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeScripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';

library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt

@@ -0,0 +1,10 @@
+HTML.SafeScripting
+TYPE: lookup
+VERSION: 4.5.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    Whether or not to permit script tags to external scripts in documents.
+    Inline scripting is not allowed, and the script must match an explicit whitelist.
+</p>
+--# vim: et sw=4 sts=4

library/HTMLPurifier/HTMLModule/SafeScripting.php

@@ -0,0 +1,37 @@
+<?php
+
+/**
+ * A "safe" script module. No inline JS is allowed, and pointed to JS
+ * files must match whitelist.
+ */
+class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
+{
+
+    public $name = 'SafeScripting';
+
+    public function setup($config) {
+
+        // These definitions are not intrinsically safe: the attribute transforms
+        // are a vital part of ensuring safety.
+
+        $allowed = $config->get('HTML.SafeScripting');
+        $script = $this->addElement(
+            'script',
+            'Inline',
+            'Empty',
+            null,
+            array(
+                // While technically not required by the spec, we're forcing
+                // it to this value.
+                'type' => 'Enum#text/javascript',
+                'src*'  => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
+            )
+        );
+        $script->attr_transform_pre[] =
+        $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
+
+    }
+
+}
+
+// vim: et sw=4 sts=4

library/HTMLPurifier/HTMLModuleManager.php

@@ -228,6 +228,9 @@ class HTMLPurifier_HTMLModuleManager
         if ($config->get('HTML.SafeEmbed')) {
             $modules[] = 'SafeEmbed';
         }
+        if ($config->get('HTML.SafeScripting') !== array()) {
+            $modules[] = 'SafeScripting';
+        }
         if ($config->get('HTML.Nofollow')) {
             $modules[] = 'Nofollow';
         }

tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php

@@ -0,0 +1,33 @@
+<?php
+
+class HTMLPurifier_HTMLModule_SafeScriptingTest extends HTMLPurifier_HTMLModuleHarness
+{
+
+    function setUp() {
+        parent::setUp();
+        $this->config->set('HTML.SafeScripting', array('http://localhost/foo.js'));
+    }
+
+    function testMinimal() {
+        $this->assertResult(
+            '<script></script>',
+            ''
+        );
+    }
+
+    function testGood() {
+        $this->assertResult(
+            '<script type="text/javascript" src="http://localhost/foo.js" />'
+        );
+    }
+
+    function testBad() {
+        $this->assertResult(
+            '<script type="text/javascript" src="http://localhost/foobar.js" />',
+            ''
+        );
+    }
+
+}
+
+// vim: et sw=4 sts=4