Larger void elements list

2012-12-31 13:03:23 +02:00 · 2012-12-31 13:03:23 +02:00 · 2ee7ec4738
commit 2ee7ec4738
parent 42695f384a
3 changed files with 16 additions and 4 deletions
--- a/Text/HTML/SanitizeXSS.hs
+++ b/Text/HTML/SanitizeXSS.hs
@ -12,7 +12,7 @@ import Text.HTML.SanitizeXSS.Css

 import Text.HTML.TagSoup

-import Data.Set (Set(), member, notMember, (\\), fromList)
+import Data.Set (Set(), member, notMember, (\\), fromList, fromAscList)
 import Data.Char ( toLower )
 import Data.Text (Text)
 import qualified Data.Text as T
@ -41,9 +41,12 @@ sanitizeBalance = filterTags (balance Map.empty . safeTags)
 -- | insert custom tag filtering. Don't forget to compose your filter with safeTags!
 filterTags :: ([Tag Text] -> [Tag Text]) -> Text -> Text
 filterTags f = renderTagsOptions renderOptions {
-    optMinimize = \x -> x `elem` ["br","img"] -- <img><img> converts to <img />, <a/> converts to <a></a>
+    optMinimize = \x -> x `member` voidElems -- <img><img> converts to <img />, <a/> converts to <a></a>
  } .  f . canonicalizeTags . parseTags

+voidElems :: Set T.Text
+voidElems = fromAscList $ T.words $ T.pack "area base br col command embed hr img input keygen link meta param source track wbr"
+
 balance :: Map.Map Text Int -> [Tag Text] -> [Tag Text]
 balance m [] =
    concatMap go $ Map.toList m
@ -51,7 +54,7 @@ balance m [] =
    go (name, i)
        | noClosing name = []
        | otherwise = replicate i $ TagClose name
-    noClosing = flip elem ["br", "img"]
+    noClosing = flip member voidElems
 balance m (t@(TagClose name):tags) =
    case Map.lookup name m of
        Nothing -> TagOpen name [] : TagClose name : balance m tags
--- a/test/main.hs
+++ b/test/main.hs
@ -14,6 +14,7 @@ test f actual expected = do
  result @?= expected

 sanitized = test sanitize
+sanitizedB = test sanitizeBalance

 main = hspecX $ do
  describe "html sanitizing" $ do
@ -76,3 +77,11 @@ main = hspecX $ do
    it "allows valid units for grey-listed css" $ do
      let grey2Css = "<p style=\"background:1;border-foo:10px\"></p>"
      sanitized grey2Css grey2Css
+
+  describe "balancing" $ do
+    it "adds missing elements" $ do
+      sanitizedB "<a>foo" "<a>foo</a>"
+    it "doesn't add closing voids" $ do
+      sanitizedB "<img><hr/>" "<img><hr />"
+    it "removes closing voids" $ do
+      sanitizedB "<img></img>" "<img />"
--- a/xss-sanitize.cabal
+++ b/xss-sanitize.cabal
@ -1,5 +1,5 @@
 name:            xss-sanitize
-version:         0.3.2
+version:         0.3.3
 license:         BSD3
 license-file:    LICENSE
 author:          Greg Weber <greg@gregweber.info>