1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
# Whitewash: whitelist-based HTML validator for Ruby
# (originally written for Samizdat project)
#
# Copyright (c) 2002-2011 Dmitry Borodaenko <angdraug@debian.org>
#
# This program is free software.
# You can distribute/modify this program under the terms of
# the GNU General Public License version 3 or later.
#
# vim: et sw=2 sts=2 ts=8 tw=0
require 'rbconfig'
require 'nokogiri'
require 'yaml'
class WhitewashError < RuntimeError; end
class Whitewash
if RUBY_VERSION < '1.9.3'
def Whitewash.load(string)
YAML.load(string)
end
else
# use Syck to parse the whitelist until Psych issue #36 is fixed
#
def Whitewash.load(string)
Mutex.new.synchronize do
yamler = YAML::ENGINE.yamler
YAML::ENGINE.yamler = 'syck'
whitelist = YAML.load(string)
YAML::ENGINE.yamler = yamler
whitelist
end
end
end
def Whitewash.default_whitelist
unless found = PATH.find {|dir| File.readable?(File.join(dir, WHITELIST)) }
raise RuntimeError, "Can't find default whitelist"
end
File.open(File.join(found, WHITELIST)) {|f| Whitewash.load(f.read.untaint) }
end
# _whitelist_ is expected to be loaded from xhtml.yaml.
#
def initialize(whitelist = Whitewash.default_whitelist)
@whitelist = whitelist
end
attr_reader :xhtml
CSS = Regexp.new(%r{
\A\s*
([-a-z0-9]+) : \s*
(?: (?: [-./a-z0-9]+ | \#[0-9a-f]+ | [0-9]+% ) \s* ) +
\s*\z
}xi).freeze
def check_style(whitelist, style)
css = whitelist['_css'] or return true
style.split(';').each do |s|
return false unless
s =~ CSS and css.include? $1
end
true
end
# compare elements and attributes with the whitelist
#
def sanitize_element(xml, whitelist = @whitelist, &p)
if xml.name =~ /^_/ or not whitelist.keys.include?(xml.name)
xml.element_children.each {|e| sanitize_element(e, whitelist, &p) }
xml.replace(xml.children)
return
end
# sanitize CSS in <style> elements
if 'style' == xml.name and not check_style(whitelist, xml.content)
xml.remove
return
end
xml.attribute_nodes.each do |a|
attrs ||= whitelist['_common'].merge((whitelist[xml.name] or {}))
unless attrs[a.name] === a.to_s
xml.remove_attribute(a.name)
next
end
# sanitize CSS in style="" attributes
if 'style' == a.name and not check_style(whitelist, a.value)
xml.remove_attribute(a.name)
next
end
end
# recurse
xml.element_children.each {|e| sanitize_element(e, whitelist, &p) }
if block_given?
yield xml
end
end
# Return sanitized HTML.
#
# If block is supplied, it will be invoked for each Nokogiri::XML::Element
# in the sanitized HTML.
#
def sanitize(html, whitelist = @whitelist, &p)
xml = Nokogiri::HTML(html) {|config| config.noblanks }
xml = xml.xpath('//html/body').first
return '' if xml.nil?
sanitize_element(xml, whitelist, &p)
xml.children.to_xhtml
end
private
PATH = [ '/etc/ruby-whitewash',
File.join(RbConfig::CONFIG['datadir'].untaint, 'ruby-whitewash'),
'/usr/local/share/ruby-whitewash/' ]
WHITELIST = 'whitelist.yaml'
end
|
