filtering was crashing on relative URIs

relative URIs should be pass through fine
2010-11-26 17:06:46 -08:00 · 2010-11-26 17:06:46 -08:00 · 73b4d57d61
commit 73b4d57d61
parent 5f2edf8f92
3 changed files with 5 additions and 2 deletions
--- a/Text/HTML/SanitizeXSS.hs
+++ b/Text/HTML/SanitizeXSS.hs
@ -76,7 +76,8 @@ safeAttribute (name, value) = name `member` sanitaryAttributes &&
 sanitaryURI :: String -> Bool
 sanitaryURI u =
  case parseURIReference (escapeURI u) of
-     Just p  -> (init (map toLower $ uriScheme p)) `member` safeURISchemes
+     Just p  -> (null (uriScheme p)) ||
+                ((map toLower $ init $ uriScheme p) `member` safeURISchemes)
     Nothing -> False


--- a/test.hs
+++ b/test.hs
@ -9,3 +9,5 @@ test actual expected = do
 main = do
  test (sanitizeBalance testHTML) " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img />   <br /> <b>Unbalanced<div></div><img src=\"http://safe.com\"></b>"
  test (sanitize testHTML) " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img />   <br /> <b>Unbalanced</div><img src=\"http://safe.com\">"
+  let testRelativeURI = "<a href=\"foo\">bar</a>"
+  test (sanitize testRelativeURI) testRelativeURI
--- a/xss-sanitize.cabal
+++ b/xss-sanitize.cabal
@ -1,5 +1,5 @@
 name:            xss-sanitize
-version:         0.2.3
+version:         0.2.4
 license:         BSD3
 license-file:    LICENSE
 author:          Greg Weber <greg@gregweber.info>