Implement SVG reference checking
This commit is contained in:
Gregor Kleen
parent
be213a84a4
commit
7909bac24b
@ -1,4 +1,4 @@
|
|||||||
{-# LANGUAGE OverloadedStrings #-}
|
{-# LANGUAGE OverloadedStrings, TupleSections #-}
|
||||||
-- | Sanatize HTML to prevent XSS attacks.
|
-- | Sanatize HTML to prevent XSS attacks.
|
||||||
--
|
--
|
||||||
-- See README.md <http://github.com/gregwebs/haskell-xss-sanitize> for more details.
|
-- See README.md <http://github.com/gregwebs/haskell-xss-sanitize> for more details.
|
||||||
@ -26,7 +26,7 @@ import Text.HTML.SanitizeXSS.Css
|
|||||||
import Text.HTML.TagSoup
|
import Text.HTML.TagSoup
|
||||||
|
|
||||||
import Data.Set (Set(), member, notMember, (\\), fromList, fromAscList)
|
import Data.Set (Set(), member, notMember, (\\), fromList, fromAscList)
|
||||||
import Data.Char ( toLower )
|
import Data.Char (toLower, isSpace)
|
||||||
import Data.Text (Text)
|
import Data.Text (Text)
|
||||||
import qualified Data.Text as T
|
import qualified Data.Text as T
|
||||||
|
|
||||||
@ -36,6 +36,12 @@ import Codec.Binary.UTF8.String ( encodeString )
|
|||||||
|
|
||||||
import Data.Maybe (mapMaybe)
|
import Data.Maybe (mapMaybe)
|
||||||
|
|
||||||
|
import Data.Attoparsec.Text
|
||||||
|
|
||||||
|
import Control.Applicative (many)
|
||||||
|
import Data.Foldable (asum)
|
||||||
|
import Control.Monad (guard)
|
||||||
|
|
||||||
|
|
||||||
-- | Sanitize HTML to prevent XSS attacks. This is equivalent to @filterTags safeTags@.
|
-- | Sanitize HTML to prevent XSS attacks. This is equivalent to @filterTags safeTags@.
|
||||||
sanitize :: Text -> Text
|
sanitize :: Text -> Text
|
||||||
@ -120,8 +126,27 @@ sanitizeAttribute :: (Text, Text) -> Maybe (Text, Text)
|
|||||||
sanitizeAttribute ("style", value) =
|
sanitizeAttribute ("style", value) =
|
||||||
let css = sanitizeCSS value
|
let css = sanitizeCSS value
|
||||||
in if T.null css then Nothing else Just ("style", css)
|
in if T.null css then Nothing else Just ("style", css)
|
||||||
sanitizeAttribute attr | safeAttribute attr = Just attr
|
sanitizeAttribute attr
|
||||||
| otherwise = Nothing
|
| safeAttribute attr = Just attr
|
||||||
|
sanitizeAttribute attr@(name, value)
|
||||||
|
| name `member` fromList svg_attr_val_allows_ref
|
||||||
|
, Right () <- parseOnly (unsafeSVGRef <* endOfInput) value
|
||||||
|
= Nothing
|
||||||
|
| name `member` fromList svg_attr_val_allows_ref
|
||||||
|
= Just attr
|
||||||
|
sanitizeAttribute _ = Nothing
|
||||||
|
|
||||||
|
unsafeSVGRef :: Parser ()
|
||||||
|
unsafeSVGRef = do
|
||||||
|
skipMany space
|
||||||
|
string "url"
|
||||||
|
skipMany space
|
||||||
|
char '('
|
||||||
|
skipMany space
|
||||||
|
satisfy $ \x -> x /= '#' && not (isSpace x)
|
||||||
|
skipMany $ notChar ')'
|
||||||
|
char ')'
|
||||||
|
return ()
|
||||||
|
|
||||||
|
|
||||||
-- | Returns @True@ if the specified URI is not a potential security risk.
|
-- | Returns @True@ if the specified URI is not a potential security risk.
|
||||||
|
|||||||
12
test/main.hs
12
test/main.hs
@ -109,3 +109,15 @@ main = hspec $ do
|
|||||||
sanitizedC custattr custattr
|
sanitizedC custattr custattr
|
||||||
it "filters non-custom attributes" $ do
|
it "filters non-custom attributes" $ do
|
||||||
sanitizedC "<p weird=\"bar\"></p>" "<p></p>"
|
sanitizedC "<p weird=\"bar\"></p>" "<p></p>"
|
||||||
|
|
||||||
|
describe "svg escaping" $ do
|
||||||
|
it "does not filter simple values" $ do
|
||||||
|
let svg = "<circle fill=\"red\">"
|
||||||
|
sanitized svg svg
|
||||||
|
it "filters urls" $
|
||||||
|
sanitized "<circle fill=\"url(http://example.org)\">" "<circle>"
|
||||||
|
it "does not filter fragment urls" $ do
|
||||||
|
let svg = "<circle fill=\"url ( #foo )\">"
|
||||||
|
sanitized svg svg
|
||||||
|
it "unescapes urls" $
|
||||||
|
sanitized "<circle fill=\"url(http://example.org)\">" "<circle>"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user