packages feed

xss-sanitize 0.3.6 → 0.3.7

raw patch · 4 files changed

+38/−11 lines, 4 filesdep ~text

Dependency ranges changed: text

Files

ChangeLog.md view
@@ -1,3 +1,7 @@+# 0.3.7++clear the contents of style and script tags instead of escaping them+ # 0.3.5.6  expose safeTagName
README.md view
@@ -1,7 +1,6 @@ # Summary -[![Build Status](https://travis-ci.org/yesodweb/haskell-xss-sanitize.svg?branch=master)](https://travis-ci.org/yesodweb/haskell-xss-sanitize)-[![Build status](https://ci.appveyor.com/api/projects/status/1i4xx9qi53r58tsh/branch/master?svg=true)](https://ci.appveyor.com/project/snoyberg/haskell-xss-sanitize/branch/master)+[![Tests](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml/badge.svg)](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml)  xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below.
src/Text/HTML/SanitizeXSS.hs view
@@ -43,12 +43,12 @@  -- | alias of sanitize function sanitizeXSS :: Text -> Text-sanitizeXSS = filterTags safeTags+sanitizeXSS = filterTags (safeTags . clearTags)  -- | Sanitize HTML to prevent XSS attacks and also make sure the tags are balanced. --   This is equivalent to @filterTags (balanceTags . safeTags)@. sanitizeBalance :: Text -> Text-sanitizeBalance = filterTags (balanceTags . safeTags)+sanitizeBalance = filterTags (balanceTags . safeTags . clearTags)  -- | Filter which makes sure the tags are balanced.  Use with 'filterTags' and 'safeTags' to create a custom filter. balanceTags :: [Tag Text] -> [Tag Text]@@ -108,6 +108,26 @@   | otherwise = safeTagsCustom safeName sanitizeAttr tags safeTagsCustom n a (t:tags) = t : safeTagsCustom n a tags +clearTags :: [Tag Text] -> [Tag Text]+clearTags = clearTagsCustom clearableTagName++clearTagsCustom :: (Text -> Bool) -> [Tag Text] -> [Tag Text]+clearTagsCustom _ [] = []+clearTagsCustom clearableName (tag@(TagOpen name _) : tags)+    | clearableName name = tag : go 0 tags+    | otherwise = tag : clearTagsCustom clearableName tags+  where+    go d (t@(TagOpen n _) : ts)+        | n /= name = go d ts+        | otherwise = go (d + 1) ts+    go d (t@(TagClose n) : ts)+        | n /= name = go d ts+        | d == 0 = t : clearTagsCustom clearableName ts+        | otherwise = go (d - 1) ts+    go d (t : ts) = go d ts+    go d [] = []+clearTagsCustom clearableName (t : tags) = t : clearTagsCustom clearableName tags+ safeTagName :: Text -> Bool safeTagName tagname = tagname `member` sanitaryTags @@ -115,6 +135,9 @@ safeAttribute (name, value) = name `member` sanitaryAttributes &&   (name `notMember` uri_attributes || sanitaryURI value) +clearableTagName :: Text -> Bool+clearableTagName tagname = tagname `member` clearableTags+ -- | low-level API if you have your own HTML parser. Used by safeTags. sanitizeAttribute :: (Text, Text) -> Maybe (Text, Text) sanitizeAttribute ("style", value) =@@ -149,6 +172,9 @@ sanitaryAttributes = fromList (allowed_html_uri_attributes ++ acceptable_attributes ++ mathml_attributes ++ svg_attributes)   \\ (fromList svg_attr_val_allows_ref) -- extra unescaping not implemented +clearableTags :: Set Text+clearableTags = fromList ["script", "style"]+ allowed_html_uri_attributes :: [Text] allowed_html_uri_attributes = ["href", "src", "cite", "action", "longdesc"] @@ -272,4 +298,3 @@     "animateMotion", "animateTransform", "cursor", "feImage", "filter",     "linearGradient", "pattern", "radialGradient", "textpath", "tref",     "set", "use"]-
xss-sanitize.cabal view
@@ -1,11 +1,11 @@--- This file has been generated from package.yaml by hpack version 0.28.2.+cabal-version: 1.12++-- This file has been generated from package.yaml by hpack version 0.34.4. -- -- see: https://github.com/sol/hpack------ hash: 12365b28c17ec0278092a7008af7bd838b0bc4f21a2ee2072d484601b74a6379  name:           xss-sanitize-version:        0.3.6+version:        0.3.7 synopsis:       sanitize untrusted HTML to prevent XSS attacks description:    run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent XSS attacks. see README.md <http://github.com/yesodweb/haskell-xss-sanitize> for more details category:       Web@@ -17,10 +17,9 @@ license:        BSD2 license-file:   LICENSE build-type:     Simple-cabal-version:  >= 1.10 extra-source-files:-    ChangeLog.md     README.md+    ChangeLog.md  source-repository head   type: git