From 7064e8bdccb42eb2a1973b6c4803339087d868b1 Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Tue, 28 Sep 2010 10:03:49 +0200
Subject: [PATCH] Sanitizing HTML input

---
 Yesod/Form/Nic.hs      | 3 ++-
 Yesod/Form/Profiles.hs | 3 ++-
 yesod.cabal            | 5 +++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Yesod/Form/Nic.hs b/Yesod/Form/Nic.hs
index 0e450046..fa83ffdd 100644
--- a/Yesod/Form/Nic.hs
+++ b/Yesod/Form/Nic.hs
@@ -10,6 +10,7 @@ import Yesod.Form.Core
 import Yesod.Hamlet
 import Yesod.Widget
 import qualified Data.ByteString.Lazy.UTF8 as U
+import Text.HTML.SanitizeXSS (sanitizeXSS)
 
 class YesodNic a where
     -- | NIC Editor.
@@ -24,7 +25,7 @@ maybeNicHtmlField = optionalFieldHelper nicHtmlFieldProfile
 
 nicHtmlFieldProfile :: YesodNic y => FieldProfile sub y Html
 nicHtmlFieldProfile = FieldProfile
-    { fpParse = Right . preEscapedString
+    { fpParse = Right . preEscapedString . sanitizeXSS
     , fpRender = U.toString . renderHtml
     , fpWidget = \theId name val _isReq -> do
         addBody [$hamlet|%textarea.html#$theId$!name=$name$ $val$|]
diff --git a/Yesod/Form/Profiles.hs b/Yesod/Form/Profiles.hs
index 521a7cd1..2a65d900 100644
--- a/Yesod/Form/Profiles.hs
+++ b/Yesod/Form/Profiles.hs
@@ -27,6 +27,7 @@ import qualified Data.ByteString.Lazy.UTF8 as U
 import qualified Text.Email.Validate as Email
 import Network.URI (parseURI)
 import Database.Persist (PersistField)
+import Text.HTML.SanitizeXSS (sanitizeXSS)
 import Text.Blaze.Builder.Utf8 (writeChar)
 import Text.Blaze.Builder.Core (writeList, writeByteString)
 
@@ -77,7 +78,7 @@ timeFieldProfile = FieldProfile
 
 htmlFieldProfile :: FieldProfile sub y Html
 htmlFieldProfile = FieldProfile
-    { fpParse = Right . preEscapedString
+    { fpParse = Right . preEscapedString . sanitizeXSS
     , fpRender = U.toString . renderHtml
     , fpWidget = \theId name val _isReq -> addBody [$hamlet|
 %textarea.html#$theId$!name=$name$ $val$
diff --git a/yesod.cabal b/yesod.cabal
index d54f8188..17e8a091 100644
--- a/yesod.cabal
+++ b/yesod.cabal
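Review bot: The `sanitizeXSS` added to `fpParse` in `nicHtmlFieldProfile` runs only when a form submission is parsed, so `Html` values persisted before this commit, or built through any path other than these two profiles, still reach `preEscapedString` unchecked, and nothing in the hunk documents that the resulting `Html` is treated as trusted markup on that basis. The same composition appears in the `htmlFieldProfile` hunk of Yesod/Form/Profiles.hs and carries the same gap. A Haddock on each profile would make the contract visible to callers, e.g. `-- | Parses the submission as raw HTML after 'sanitizeXSS'; the resulting 'Html' is pre-escaped and rendered verbatim wherever it is embedded, and values stored before sanitizing was added are not re-checked.` Because the sanitizer's policy is frozen at parse time, it is worth also applying it where stored values are rendered into a page, so that later xss-sanitize fixes cover old content; both record definitions continue past the end of their hunks.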
@@ -25,7 +25,7 @@ library
     , time >= 1.1.4 && < 1.3
     , wai >= 0.2.0 && < 0.3
     , wai-extra >= 0.2.2 && < 0.3
-    , authenticate >= 0.6.3 && < 0.7
+    , authenticate >= 0.6.3.2 && < 0.7
     , bytestring >= 0.9.1.4 && < 0.10
     , directory >= 1 && < 1.2
     , text >= 0.5 && < 0.10
@@ -42,7 +42,7 @@ library
     , cereal >= 0.2 && < 0.3
     , dataenc >= 0.13.0.2 && < 0.14
     , old-locale >= 1.0.0.2 && < 1.1
-    , persistent >= 0.2.0 && < 0.3
+    , persistent >= 0.2.2 && < 0.3
     , neither >= 0.0.0 && < 0.1
     , MonadCatchIO-transformers >= 0.2.2.0 && < 0.3
     , data-object >= 0.3.1 && < 0.4
@@ -50,6 +50,7 @@ library
     , email-validate >= 0.2.5 && < 0.3
     , process >= 1.0.1 && < 1.1
     , web-routes >= 0.23 && < 0.24
+    , xss-sanitize >= 0.1.1 && < 0.2
     exposed-modules: Yesod
                      Yesod.Content
                      Yesod.Dispatch