diff --git a/configdoc/usage.xml b/configdoc/usage.xml
index dc79d45f..050d3384 100644
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -209,14 +209,22 @@ 228 - + 231 + + 17 + + + + + 234 + - 234 + 237
diff --git a/library/HTMLPurifier.includes.php b/library/HTMLPurifier.includes.php
index 0ceff6a9..7feecefe 100644
--- a/library/HTMLPurifier.includes.php
+++ b/library/HTMLPurifier.includes.php
@@ -165,6 +165,7 @@ require 'HTMLPurifier/HTMLModule/Proprietary.php';
 require 'HTMLPurifier/HTMLModule/Ruby.php';
 require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
 require 'HTMLPurifier/HTMLModule/SafeObject.php';
+require 'HTMLPurifier/HTMLModule/SafeScripting.php';
 require 'HTMLPurifier/HTMLModule/Scripting.php';
 require 'HTMLPurifier/HTMLModule/StyleAttribute.php';
 require 'HTMLPurifier/HTMLModule/Tables.php';
diff --git a/library/HTMLPurifier.safe-includes.php b/library/HTMLPurifier.safe-includes.php
index d49b196c..e23a81a7 100644
--- a/library/HTMLPurifier.safe-includes.php
+++ b/library/HTMLPurifier.safe-includes.php
@@ -159,6 +159,7 @@ require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/SafeScripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
 require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser
index b106bcf7..32a02c4c 100644
Binary files a/library/HTMLPurifier/ConfigSchema/schema.ser and b/library/HTMLPurifier/ConfigSchema/schema.ser differ
diff --git a/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt new file mode 100644 index 00000000..5ebc7a19 --- /dev/null +++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt @@ -0,0 +1,10 @@ +HTML.SafeScripting +TYPE: lookup +VERSION: 4.5.0 +DEFAULT: array() +--DESCRIPTION-- +

+ Whether or not to permit script tags to external scripts in documents. + Inline scripting is not allowed, and the script must match an explicit whitelist. +

+--# vim: et sw=4 sts=4 diff --git a/library/HTMLPurifier/HTMLModule/SafeScripting.php b/library/HTMLPurifier/HTMLModule/SafeScripting.php new file mode 100644 index 00000000..e32a6b6c --- /dev/null +++ b/library/HTMLPurifier/HTMLModule/SafeScripting.php @@ -0,0 +1,37 @@ +get('HTML.SafeScripting'); + $script = $this->addElement( + 'script', + 'Inline', + 'Empty', + null, + array( + // While technically not required by the spec, we're forcing + // it to this value. + 'type' => 'Enum#text/javascript', + 'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed)) + ) + ); + $script->attr_transform_pre[] = + $script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired(); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/library/HTMLPurifier/HTMLModuleManager.php b/library/HTMLPurifier/HTMLModuleManager.php index 7a06fc02..21530868 100644 --- a/library/HTMLPurifier/HTMLModuleManager.php +++ b/library/HTMLPurifier/HTMLModuleManager.php @@ -228,6 +228,9 @@ class HTMLPurifier_HTMLModuleManager if ($config->get('HTML.SafeEmbed')) { $modules[] = 'SafeEmbed'; } + if ($config->get('HTML.SafeScripting') !== array()) { + $modules[] = 'SafeScripting'; + } if ($config->get('HTML.Nofollow')) { $modules[] = 'Nofollow'; } diff --git a/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php b/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php new file mode 100644 index 00000000..98b6212f --- /dev/null +++ b/tests/HTMLPurifier/HTMLModule/SafeScriptingTest.php @@ -0,0 +1,33 @@ +config->set('HTML.SafeScripting', array('http://localhost/foo.js')); + } + + function testMinimal() { + $this->assertResult( + '', + '' + ); + } + + function testGood() { + $this->assertResult( + '
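Review bot: The `src*` whitelist is built with `new HTMLPurifier_AttrDef_Enum(array_keys($allowed))` and no second argument, so if that class keeps its default case-insensitive comparison (as I recall it does: the value is lowercased before the lookup and the lowercased form is what is emitted), a configured URL containing an uppercase character would never match, and a matching value would be rewritten to lowercase even though URL paths are usually case-sensitive on the server. Passing the flag explicitly, `'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed), true)`, keeps the check an exact string comparison against the configured whitelist, which is the property this module exists to provide. A short comment above that line would also help maintainers, e.g. `// Exact-match whitelist: src must equal one of the configured HTML.SafeScripting keys; this is a string comparison, not a URI check, so scheme/host/path variants are rejected`. The hunk as rendered here has lost its opening lines (the `<?php` tag, the class declaration and the `setup()` signature), so the start of the method is outside what is visible.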
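Review bot: The new guard `if ($config->get('HTML.SafeScripting') !== array())` reads differently from the neighbouring truthiness checks on `HTML.SafeEmbed` and `HTML.Nofollow`, and the reason is not stated; the directive is declared as a lookup with an `array()` default in this commit's schema file, so the strict comparison is what makes an empty whitelist skip the module entirely. A one-line comment would let the intent survive a future tidy-up, e.g. `// HTML.SafeScripting is a lookup (url => true); only load the module when at least one script URL is whitelisted`. The enclosing method of `HTMLPurifier_HTMLModuleManager` starts and ends outside this hunk.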