update README, improve test case

This commit is contained in:
Greg Weber 2010-10-03 07:38:43 -07:00
parent 08c9329ab4
commit e527c7f22e
3 changed files with 5 additions and 5 deletions

@ -39,9 +39,9 @@ Where is the white list from?
-----------------------------
Ultimately this is where your security comes from, although I would tend to think that even a basic, incomplete white list would act as a strong deterrent.
Version 0.1 of the white list is from Pandoc. Probably that list is from an older version of (a wiki page containing a white list)[http://wiki.whatwg.org/wiki/Sanitization_rules]. Having some prior experience editing Wikipedia, I am a little wary of directly using a wiki for a purpose like this, although it does seem to be watched over.
Version 0.1 of the white list is from Pandoc which is generally stricter than it needs to be but possibly allows unsafe protocols in links.
Version >= 0.2 uses (the source code of html5lib)[http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py]. as the source of the white list and my implementation reference. They do reference that wiki page as their source, but hopefully they are careful of when they import it into their code. I would definitely consider working with the maintainers of html5lib, but it doesn't make sense to merge the projects because sanitization is just one aspect of html5lib (They have a parser also)
Version >= 0.2 uses (the source code of html5lib)[http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py]. as the source of the white list and my implementation reference. They reference (a wiki page containing a white list)[http://wiki.whatwg.org/wiki/Sanitization_rules], and hopefully they are careful of when they import into their code. Working with the maintainers of html5lib may make sense, but it doesn't make sense to merge the projects because sanitization is just one aspect of html5lib (They have a parser also).
If anyone knows of better sources or thinks a particular tag/attribute/value may be vulnerable, please let me know.
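Review bot: The markdown link syntax in the added "Version 0.1" and "Version >= 0.2" lines is inverted: `(the source code of html5lib)[http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py]` should be `[the source code of html5lib](http://code.google.com/p/html5lib/source/browse/python/html5lib/sanitizer.py)`, the same applies to the wiki link, and the stray period in `sanitizer.py]. as the source` should go. "hopefully they are careful of when they import into their code" reads better as "hopefully they are careful when they import it into their code". Since the 0.1 paragraph now says that version "possibly allows unsafe protocols in links", it would help readers if the 0.2 paragraph stated plainly that link schemes are now checked against the white list, which is what the accompanying test case exercises.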

@ -1,8 +1,8 @@
import Text.HTML.SanitizeXSS
main = do
let test = " <a href='unsafe://hack.com'>anchor</a> <img src='evil://evil.com' /> <unsafe></foo> <bar /> <br></br> "
let test = " <a href='http://safe.com'>safe</a><a href='unsafe://hack.com'>anchor</a> <img src='evil://evil.com' /> <unsafe></foo> <bar /> <br></br> "
let actual = (sanitizeXSS test)
let expected = " <a>anchor</a> <img /> <br /> "
let expected = " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img /> <br /> "
putStrLn $ "testing: " ++ test
putStrLn $ if actual == expected then "pass" else "failure\n" ++ "\nexpected:" ++ (show expected) ++ "\nactual: " ++ (show actual)
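Review bot: The test still signals failure only through `putStrLn`, so a failing run exits 0 and cabal or a CI runner will count it as a pass; import `System.Exit` and end the failure branch with `exitFailure`, e.g. `else putStrLn ("failure\nexpected: " ++ show expected ++ "\nactual: " ++ show actual) >> exitFailure`. Packing the safe anchor, the unsafe anchor, the `img` with an unsafe `src` and the unknown tags into one input string also means a failure cannot say which case broke; a list of `(input, expected)` pairs checked in turn would pinpoint it. Finally, `expected` bakes in the serializer's quoting (`href=\"http://safe.com\"` for single-quoted input), which is fine if that output form is intended, but deserves a comment so the next person does not "fix" the quotes.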

@ -1,5 +1,5 @@
name: xss-sanitize
version: 0.2.0
version: 0.2.1
license: BSD3
license-file: LICENSE
author: Greg Weber <greg@gregweber.info>
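Review bot: The bump from 0.2.0 to 0.2.1 is not mentioned in the commit message ("update README, improve test case"); since the test now covers preservation of `href` values with a white-listed scheme, the message and the README's "Version >= 0.2" paragraph should both name that as the reason for the release.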