Support for safe external scripts via explicit whitelist.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-12-22 16:31:53 +00:00 · 2012-04-27 17:44:49 -04:00 · 2012-04-27 17:44:49 -04:00 · 2189a9430f
commit 2189a9430f
parent 7291f19347
8 changed files with 95 additions and 2 deletions
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@ -209,14 +209,22 @@
   <line>228</line>
  </file>
 </directive>
- <directive id="HTML.Nofollow">
+ <directive id="HTML.SafeScripting">
  <file name="HTMLPurifier/HTMLModuleManager.php">
   <line>231</line>
  </file>
  <file name="HTMLPurifier/HTMLModule/SafeScripting.php">
   <line>17</line>
  </file>
 </directive>
 <directive id="HTML.Nofollow">
  <file name="HTMLPurifier/HTMLModuleManager.php">
   <line>234</line>
  </file>
 </directive>
 <directive id="HTML.TargetBlank">
  <file name="HTMLPurifier/HTMLModuleManager.php">
-   <line>234</line>
+   <line>237</line>
  </file>
 </directive>
 <directive id="Attr.IDBlacklist">
--- a/library/HTMLPurifier.includes.php
+++ b/library/HTMLPurifier.includes.php
@ -165,6 +165,7 @@ require 'HTMLPurifier/HTMLModule/Proprietary.php';
 require 'HTMLPurifier/HTMLModule/Ruby.php';
 require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
 require 'HTMLPurifier/HTMLModule/SafeObject.php';
 require 'HTMLPurifier/HTMLModule/SafeScripting.php';
 require 'HTMLPurifier/HTMLModule/Scripting.php';
 require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
 require 'HTMLPurifier/HTMLModule/Tables.php';
--- a/library/HTMLPurifier.safe-includes.php
+++ b/library/HTMLPurifier.safe-includes.php
@ -159,6 +159,7 @@ require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeScripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt
@ -0,0 +1,10 @@
 HTML.SafeScripting
 TYPE: lookup
 VERSION: 4.5.0
 DEFAULT: array()
 --DESCRIPTION--
 <p>
    Whether or not to permit script tags to external scripts in documents.
    Inline scripting is not allowed, and the script must match an explicit whitelist.
 </p>
 --# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/HTMLModule/SafeScripting.php
+++ b/library/HTMLPurifier/HTMLModule/SafeScripting.php
@ -0,0 +1,37 @@
 <?php
 /**
 * A "safe" script module. No inline JS is allowed, and pointed to JS
 * files must match whitelist.
 */
 class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
 {
    public $name = 'SafeScripting';
    public function setup($config) {
        // These definitions are not intrinsically safe: the attribute transforms
        // are a vital part of ensuring safety.
        $allowed = $config->get('HTML.SafeScripting');
        $script = $this->addElement(
            'script',
            'Inline',
            'Empty',
            null,
            array(
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type' => 'Enum#text/javascript',
                'src*'  => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
            )
        );
        $script->attr_transform_pre[] =
        $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
    }
 }
 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier/HTMLModuleManager.php
+++ b/library/HTMLPurifier/HTMLModuleManager.php
@ -228,6 +228,9 @@ class HTMLPurifier_HTMLModuleManager
        if ($config->get('HTML.SafeEmbed')) {
            $modules[] = 'SafeEmbed';
        }
        if ($config->get('HTML.SafeScripting') !== array()) {
            $modules[] = 'SafeScripting';
        }
        if ($config->get('HTML.Nofollow')) {
            $modules[] = 'Nofollow';
        }
--- a/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
+++ b/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
@ -0,0 +1,33 @@
 <?php
 class HTMLPurifier_HTMLModule_SafeScriptingTest extends HTMLPurifier_HTMLModuleHarness
 {
    function setUp() {
        parent::setUp();
        $this->config->set('HTML.SafeScripting', array('http://localhost/foo.js'));
    }
    function testMinimal() {
        $this->assertResult(
            '<script></script>',
            ''
        );
    }
    function testGood() {
        $this->assertResult(
            '<script type="text/javascript" src="http://localhost/foo.js" />'
        );
    }
    function testBad() {
        $this->assertResult(
            '<script type="text/javascript" src="http://localhost/foobar.js" />',
            ''
        );
    }
 }
 // vim: et sw=4 sts=4