factor out fixlinks
[ikiwiki] / IkiWiki / Plugin / htmlscrubber.pm
1 #!/usr/bin/perl
2 package IkiWiki::Plugin::htmlscrubber;
3
4 use warnings;
5 use strict;
6 use IkiWiki 2.00;
7
8 # This regexp matches urls that are in a known safe scheme.
9 # Feel free to use it from other plugins.
10 our $safe_url_regexp;
11
12 sub import { #{{{
13         hook(type => "getsetup", id => "htmlscrubber", call => \&getsetup);
14         hook(type => "sanitize", id => "htmlscrubber", call => \&sanitize);
15
16         # Only known uri schemes are allowed to avoid all the ways of
17         # embedding javascrpt.
18         # List at http://en.wikipedia.org/wiki/URI_scheme
19         my $uri_schemes=join("|", map quotemeta,
20                 # IANA registered schemes
21                 "http", "https", "ftp", "mailto", "file", "telnet", "gopher",
22                 "aaa", "aaas", "acap",  "cap", "cid", "crid", 
23                 "dav", "dict", "dns", "fax", "go", "h323", "im", "imap",
24                 "ldap", "mid", "news", "nfs", "nntp", "pop", "pres",
25                 "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp",
26                 "z39.50r", "z39.50s",
27                 # Selected unofficial schemes
28                 "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg",
29                 "irc", "ircs", "lastfm", "ldaps", "magnet", "mms",
30                 "msnim", "notes", "rsync", "secondlife", "skype", "ssh",
31                 "sftp", "smb", "sms", "snews", "webcal", "ymsgr",
32         );
33         # data is a special case. Allow data:image/*, but
34         # disallow data:text/javascript and everything else.
35         $safe_url_regexp=qr/^(?:(?:$uri_schemes):|data:image\/|[^:]+(?:$|\/))/i;
36 } # }}}
37
38 sub getsetup () { #{{{
39         return
40                 plugin => {
41                         safe => 1,
42                         rebuild => undef,
43                 },
44 } #}}}
45
46 sub sanitize (@) { #{{{
47         my %params=@_;
48         return scrubber()->scrub($params{content});
49 } # }}}
50
51 my $_scrubber;
52 sub scrubber { #{{{
53         return $_scrubber if defined $_scrubber;
54
55         eval q{use HTML::Scrubber};
56         error($@) if $@;
57         # Lists based on http://feedparser.org/docs/html-sanitization.html
58         # With html 5 video and audio tags added.
59         $_scrubber = HTML::Scrubber->new(
60                 allow => [qw{
61                         a abbr acronym address area b big blockquote br br/
62                         button caption center cite code col colgroup dd del
63                         dfn dir div dl dt em fieldset font form h1 h2 h3 h4
64                         h5 h6 hr hr/ i img input ins kbd label legend li map
65                         menu ol optgroup option p p/ pre q s samp select small
66                         span strike strong sub sup table tbody td textarea
67                         tfoot th thead tr tt u ul var
68                         video audio
69                 }],
70                 default => [undef, { (
71                         map { $_ => 1 } qw{
72                                 abbr accept accept-charset accesskey
73                                 align alt axis border cellpadding cellspacing
74                                 char charoff charset checked class
75                                 clear cols colspan color compact coords
76                                 datetime dir disabled enctype for frame
77                                 headers height hreflang hspace id ismap
78                                 label lang maxlength media method
79                                 multiple name nohref noshade nowrap prompt
80                                 readonly rel rev rows rowspan rules scope
81                                 selected shape size span start summary
82                                 tabindex target title type valign
83                                 value vspace width
84                                 autoplay loopstart loopend end
85                                 playcount controls 
86                         } ),
87                         "/" => 1, # emit proper <hr /> XHTML
88                         href => $safe_url_regexp,
89                         src => $safe_url_regexp,
90                         action => $safe_url_regexp,
91                         cite => $safe_url_regexp,
92                         longdesc => $safe_url_regexp,
93                         poster => $safe_url_regexp,
94                         usemap => $safe_url_regexp,
95                 }],
96         );
97         return $_scrubber;
98 } # }}}
99
100 1