mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-22 08:21:52 +00:00
Support for safe external scripts via explicit whitelist.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
parent
7291f19347
commit
2189a9430f
@ -209,14 +209,22 @@
|
|||||||
<line>228</line>
|
<line>228</line>
|
||||||
</file>
|
</file>
|
||||||
</directive>
|
</directive>
|
||||||
<directive id="HTML.Nofollow">
|
<directive id="HTML.SafeScripting">
|
||||||
<file name="HTMLPurifier/HTMLModuleManager.php">
|
<file name="HTMLPurifier/HTMLModuleManager.php">
|
||||||
<line>231</line>
|
<line>231</line>
|
||||||
</file>
|
</file>
|
||||||
|
<file name="HTMLPurifier/HTMLModule/SafeScripting.php">
|
||||||
|
<line>17</line>
|
||||||
|
</file>
|
||||||
|
</directive>
|
||||||
|
<directive id="HTML.Nofollow">
|
||||||
|
<file name="HTMLPurifier/HTMLModuleManager.php">
|
||||||
|
<line>234</line>
|
||||||
|
</file>
|
||||||
</directive>
|
</directive>
|
||||||
<directive id="HTML.TargetBlank">
|
<directive id="HTML.TargetBlank">
|
||||||
<file name="HTMLPurifier/HTMLModuleManager.php">
|
<file name="HTMLPurifier/HTMLModuleManager.php">
|
||||||
<line>234</line>
|
<line>237</line>
|
||||||
</file>
|
</file>
|
||||||
</directive>
|
</directive>
|
||||||
<directive id="Attr.IDBlacklist">
|
<directive id="Attr.IDBlacklist">
|
||||||
|
@ -165,6 +165,7 @@ require 'HTMLPurifier/HTMLModule/Proprietary.php';
|
|||||||
require 'HTMLPurifier/HTMLModule/Ruby.php';
|
require 'HTMLPurifier/HTMLModule/Ruby.php';
|
||||||
require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
|
require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
|
||||||
require 'HTMLPurifier/HTMLModule/SafeObject.php';
|
require 'HTMLPurifier/HTMLModule/SafeObject.php';
|
||||||
|
require 'HTMLPurifier/HTMLModule/SafeScripting.php';
|
||||||
require 'HTMLPurifier/HTMLModule/Scripting.php';
|
require 'HTMLPurifier/HTMLModule/Scripting.php';
|
||||||
require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
|
require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
|
||||||
require 'HTMLPurifier/HTMLModule/Tables.php';
|
require 'HTMLPurifier/HTMLModule/Tables.php';
|
||||||
|
@ -159,6 +159,7 @@ require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
|
|||||||
require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
|
require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
|
||||||
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
|
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
|
||||||
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
|
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
|
||||||
|
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeScripting.php';
|
||||||
require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
|
require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
|
||||||
require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
|
require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
|
||||||
require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
|
require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
|
||||||
|
Binary file not shown.
@ -0,0 +1,10 @@
|
|||||||
|
HTML.SafeScripting
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 4.5.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to permit script tags to external scripts in documents.
|
||||||
|
Inline scripting is not allowed, and the script must match an explicit whitelist.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
37
library/HTMLPurifier/HTMLModule/SafeScripting.php
Normal file
37
library/HTMLPurifier/HTMLModule/SafeScripting.php
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A "safe" script module. No inline JS is allowed, and pointed to JS
|
||||||
|
* files must match whitelist.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
|
||||||
|
{
|
||||||
|
|
||||||
|
public $name = 'SafeScripting';
|
||||||
|
|
||||||
|
public function setup($config) {
|
||||||
|
|
||||||
|
// These definitions are not intrinsically safe: the attribute transforms
|
||||||
|
// are a vital part of ensuring safety.
|
||||||
|
|
||||||
|
$allowed = $config->get('HTML.SafeScripting');
|
||||||
|
$script = $this->addElement(
|
||||||
|
'script',
|
||||||
|
'Inline',
|
||||||
|
'Empty',
|
||||||
|
null,
|
||||||
|
array(
|
||||||
|
// While technically not required by the spec, we're forcing
|
||||||
|
// it to this value.
|
||||||
|
'type' => 'Enum#text/javascript',
|
||||||
|
'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$script->attr_transform_pre[] =
|
||||||
|
$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -228,6 +228,9 @@ class HTMLPurifier_HTMLModuleManager
|
|||||||
if ($config->get('HTML.SafeEmbed')) {
|
if ($config->get('HTML.SafeEmbed')) {
|
||||||
$modules[] = 'SafeEmbed';
|
$modules[] = 'SafeEmbed';
|
||||||
}
|
}
|
||||||
|
if ($config->get('HTML.SafeScripting') !== array()) {
|
||||||
|
$modules[] = 'SafeScripting';
|
||||||
|
}
|
||||||
if ($config->get('HTML.Nofollow')) {
|
if ($config->get('HTML.Nofollow')) {
|
||||||
$modules[] = 'Nofollow';
|
$modules[] = 'Nofollow';
|
||||||
}
|
}
|
||||||
|
33
tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
Normal file
33
tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
class HTMLPurifier_HTMLModule_SafeScriptingTest extends HTMLPurifier_HTMLModuleHarness
|
||||||
|
{
|
||||||
|
|
||||||
|
function setUp() {
|
||||||
|
parent::setUp();
|
||||||
|
$this->config->set('HTML.SafeScripting', array('http://localhost/foo.js'));
|
||||||
|
}
|
||||||
|
|
||||||
|
function testMinimal() {
|
||||||
|
$this->assertResult(
|
||||||
|
'<script></script>',
|
||||||
|
''
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testGood() {
|
||||||
|
$this->assertResult(
|
||||||
|
'<script type="text/javascript" src="http://localhost/foo.js" />'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
function testBad() {
|
||||||
|
$this->assertResult(
|
||||||
|
'<script type="text/javascript" src="http://localhost/foobar.js" />',
|
||||||
|
''
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
Loading…
Reference in New Issue
Block a user