This is an automated email from the git hooks/post-receive script. fsfs pushed a commit to annotated tag release/0.10-TRIAL in repository libhtml-scrubber-perl.
commit 53b037e034b8e92dd2e04b3a0f9bd768ceefa293 Author: Nigel Metheringham <[email protected]> Date: Fri Sep 27 15:05:26 2013 +0100 v0.10 - RT3008 Changed examples to be XSS free - RT19063, RT25477 fixed handling of self closing tags, for example '<hr />' - * attribute rule can be a regexp - callbacks in rules to check or adjust attributes with custom code (RT15747) --- Changes | 2 ++ README.pod | 40 ++++++++++++++++++++++++---------------- 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/Changes b/Changes index d08551f..9f00805 100644 --- a/Changes +++ b/Changes @@ -1,6 +1,8 @@ Revision history for Perl extension HTML::Scrubber. {{$NEXT}} + +0.10 2013-09-27 15:05:03 Europe/London - RT3008 Changed examples to be XSS free - RT19063, RT25477 fixed handling of self closing tags, for example '<hr />' diff --git a/README.pod b/README.pod index 9b2cc0b..9ced386 100644 --- a/README.pod +++ b/README.pod @@ -1,4 +1,6 @@ -=for stopwords html +=pod + +=for stopwords html cpan callback homepage =head1 NAME @@ -35,7 +37,7 @@ version 0.10 =head1 DESCRIPTION -If you wanna "scrub" or "sanitize" html input in a reliable and +If you want to "scrub" or "sanitize" html input in a reliable and flexible fashion, then this module is for you. I wasn't satisfied with HTML::Sanitizer because it is based on @@ -100,10 +102,19 @@ all style tags encountered will be validated like all other tags. alt => 1, # alt attribute allowed '*' => 0, # deny all other attributes }, + a => { + href => sub { ... }, # check or adjust with a callback + }, b => 1, ... ); +Updates set of attribute rules. Each rule can be 1/0, regular expression +or a callback. Values longer than 1 char are treated as regexps. Callback +is called with the following arguments: this object, tag name, attribute +name and attribute value, should return empty list to drop attribute, +C<undef> to keep it without value or a new scalar value. + =head2 default print "default is ", $p->default(); 
@@ -190,11 +201,11 @@ the default attribute rule is applied. 0 => # default rule, deny all tags { '*' => 1, # default rule, allow all attributes - 'href' => qr{^(?!(?:java)?script)}i, - 'src' => qr{^(?!(?:java)?script)}i, + 'href' => qr{^(?:http|https|ftp)://}i, + 'src' => qr{^(?:http|https|ftp)://}i, # If your perl doesn't have qr # just use a string with length greater than 1 - 'cite' => '(?i-xsm:^(?!(?:java)?script))', + 'cite' => '(?i-xsm:^(?:http|https|ftp):)', 'language' => 0, 'name' => 1, # could be sneaky, but hey ;) 'onblur' => 0, @@ -316,10 +327,8 @@ See perlmodinstall for information and options on installing Perl modules. =head1 BUGS AND LIMITATIONS -No bugs have been reported. - -Please report any bugs or feature requests through the web interface at -L<http://rt.cpan.org/Public/Dist/Display.html?Name=HTML-Scrubber>. +You can make new bug reports, and view existing ones, through the +web interface at L<http://rt.cpan.org/Public/Dist/Display.html?Name=HTML-Scrubber>. =head1 AVAILABILITY @@ -327,12 +336,7 @@ The project homepage is L<https://metacpan.org/release/HTML-Scrubber>. The latest version of this module is available from the Comprehensive Perl Archive Network (CPAN). Visit L<http://www.perl.com/CPAN/> to find a CPAN -site near you, or see L<http://search.cpan.org/dist/HTML-Scrubber/>. - -The development version lives at L<http://github.com/nigelm/html-scrubber> -and may be cloned from L<git://github.com/nigelm/html-scrubber.git>. -Instead of sending patches, please fork this project using the standard -git and github infrastructure. +site near you, or see L<https://metacpan.org/module/HTML::Scrubber/>. =head1 AUTHORS @@ -340,6 +344,10 @@ git and github infrastructure. =item * +Ruslan Zakirov <[email protected]> + +=item * + Nigel Metheringham <[email protected]> =item * 
@@ -350,7 +358,7 @@ D. H. <[email protected]> =head1 COPYRIGHT AND LICENSE -This software is copyright (c) 2012 by Nigel Metheringham, 2003-2004 D. H.. +This software is copyright (c) 2013 by Ruslan Zakirov, Nigel Metheringham, 2003-2004 D. H.. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhtml-scrubber-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
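Review bot: in the README.pod `@@ -100,10 +102,19 @@` hunk the new paragraph under the `a => { href => sub { ... } }` example drops its articles and leaves the callback contract hard to parse; suggest "Updates the set of attribute rules. Each rule can be 1/0, a regular expression or a callback; string values longer than one character are compiled as regexps. A callback is called with the scrubber object, tag name, attribute name and attribute value, and should return an empty list to drop the attribute, C<undef> to keep it without a value, or a new scalar value." It would also help to replace the placeholder `sub { ... }` with a body that shows the return convention, e.g. `href => sub { my ($self, $tag, $attr, $value) = @_; $value =~ m{^https?://}i ? $value : () }`, so readers see that "drop" means returning an empty list rather than C<undef>.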
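Review bot: in the README.pod `@@ -190,11 +201,11 @@` hunk the string form for `cite`, `'(?i-xsm:^(?:http|https|ftp):)'`, omits the `//` that the `href` and `src` rules `qr{^(?:http|https|ftp)://}i` require, so the three default rules are no longer equivalent; make it `'(?i-xsm:^(?:http|https|ftp)://)'`. Moving from the old `^(?!(?:java)?script)` deny rule, which only rejected values starting with `script` or `javascript`, to a scheme allowlist is the right direction (anything that is not an absolute http/https/ftp URL is now rejected by default), but it also means relative links such as `/docs` and fragments such as `#top` are dropped unless the caller overrides the rule; that behaviour change should get its own line in Changes and a sentence in the README next to the default rules.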
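Review bot: the README.pod `@@ -327,12 +336,7 @@` hunk removes the only pointer to the source repository (`L<http://github.com/nigelm/html-scrubber>` and the clone URL) without replacing it; if the development repository has moved, point AVAILABILITY at the new location rather than leaving readers with only the CPAN mirror.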
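Review bot: the README.pod `@@ -350,7 +358,7 @@` hunk replaces "copyright (c) 2012 by Nigel Metheringham" with "copyright (c) 2013 by Ruslan Zakirov, Nigel Metheringham", which loses the 2012 year already claimed; write the range as "2012-2013" so the earlier claim is preserved alongside the new contributor.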
