xss-sanitize 0.3.6 → 0.3.7
raw patch · 4 files changed
+38/−11 lines, 4 filesdep ~text
Dependency ranges changed: text
Files
- ChangeLog.md +4/−0
- README.md +1/−2
- src/Text/HTML/SanitizeXSS.hs +28/−3
- xss-sanitize.cabal +5/−6
ChangeLog.md view
@@ -1,3 +1,7 @@+# 0.3.7++clear the contents of style and script tags instead of escaping them+ # 0.3.5.6 expose safeTagName
README.md view
@@ -1,7 +1,6 @@ # Summary -[](https://travis-ci.org/yesodweb/haskell-xss-sanitize)-[](https://ci.appveyor.com/project/snoyberg/haskell-xss-sanitize/branch/master)+[](https://github.com/yesodweb/haskell-xss-sanitize/actions/workflows/tests.yml) xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below.
src/Text/HTML/SanitizeXSS.hs view
@@ -43,12 +43,12 @@ -- | alias of sanitize function sanitizeXSS :: Text -> Text-sanitizeXSS = filterTags safeTags+sanitizeXSS = filterTags (safeTags . clearTags) -- | Sanitize HTML to prevent XSS attacks and also make sure the tags are balanced. -- This is equivalent to @filterTags (balanceTags . safeTags)@. sanitizeBalance :: Text -> Text-sanitizeBalance = filterTags (balanceTags . safeTags)+sanitizeBalance = filterTags (balanceTags . safeTags . clearTags) -- | Filter which makes sure the tags are balanced. Use with 'filterTags' and 'safeTags' to create a custom filter. balanceTags :: [Tag Text] -> [Tag Text]@@ -108,6 +108,26 @@ | otherwise = safeTagsCustom safeName sanitizeAttr tags safeTagsCustom n a (t:tags) = t : safeTagsCustom n a tags +clearTags :: [Tag Text] -> [Tag Text]+clearTags = clearTagsCustom clearableTagName++clearTagsCustom :: (Text -> Bool) -> [Tag Text] -> [Tag Text]+clearTagsCustom _ [] = []+clearTagsCustom clearableName (tag@(TagOpen name _) : tags)+ | clearableName name = tag : go 0 tags+ | otherwise = tag : clearTagsCustom clearableName tags+ where+ go d (t@(TagOpen n _) : ts)+ | n /= name = go d ts+ | otherwise = go (d + 1) ts+ go d (t@(TagClose n) : ts)+ | n /= name = go d ts+ | d == 0 = t : clearTagsCustom clearableName ts+ | otherwise = go (d - 1) ts+ go d (t : ts) = go d ts+ go d [] = []+clearTagsCustom clearableName (t : tags) = t : clearTagsCustom clearableName tags+ safeTagName :: Text -> Bool safeTagName tagname = tagname `member` sanitaryTags @@ -115,6 +135,9 @@ safeAttribute (name, value) = name `member` sanitaryAttributes && (name `notMember` uri_attributes || sanitaryURI value) +clearableTagName :: Text -> Bool+clearableTagName tagname = tagname `member` clearableTags+ -- | low-level API if you have your own HTML parser. Used by safeTags. sanitizeAttribute :: (Text, Text) -> Maybe (Text, Text) sanitizeAttribute ("style", value) =@@ -149,6 +172,9 @@ sanitaryAttributes = fromList (allowed_html_uri_attributes ++ acceptable_attributes ++ mathml_attributes ++ svg_attributes) \\ (fromList svg_attr_val_allows_ref) -- extra unescaping not implemented +clearableTags :: Set Text+clearableTags = fromList ["script", "style"]+ allowed_html_uri_attributes :: [Text] allowed_html_uri_attributes = ["href", "src", "cite", "action", "longdesc"] @@ -272,4 +298,3 @@ "animateMotion", "animateTransform", "cursor", "feImage", "filter", "linearGradient", "pattern", "radialGradient", "textpath", "tref", "set", "use"]-
xss-sanitize.cabal view
@@ -1,11 +1,11 @@--- This file has been generated from package.yaml by hpack version 0.28.2.+cabal-version: 1.12++-- This file has been generated from package.yaml by hpack version 0.34.4. -- -- see: https://github.com/sol/hpack------ hash: 12365b28c17ec0278092a7008af7bd838b0bc4f21a2ee2072d484601b74a6379 name: xss-sanitize-version: 0.3.6+version: 0.3.7 synopsis: sanitize untrusted HTML to prevent XSS attacks description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent XSS attacks. see README.md <http://github.com/yesodweb/haskell-xss-sanitize> for more details category: Web@@ -17,10 +17,9 @@ license: BSD2 license-file: LICENSE build-type: Simple-cabal-version: >= 1.10 extra-source-files:- ChangeLog.md README.md+ ChangeLog.md source-repository head type: git