Committer: vsukhanov
LJSUP-8385: remove attrs from img tags in entries and comments text.
U trunk/cgi-bin/cleanhtml.pl
Modified: trunk/cgi-bin/cleanhtml.pl
===================================================================
--- trunk/cgi-bin/cleanhtml.pl 2011-03-31 08:46:10 UTC (rev 18757)
+++ trunk/cgi-bin/cleanhtml.pl 2011-03-31 08:50:36 UTC (rev 18758)
@@ -60,6 +60,7 @@
 # 'transform_embed_wmode' => <value>, # define a wmode value for videos (usually 'transparent' is the value you want)
 # 'blocked_links' => [ qr/evil\.com/, qw/spammer\.com/ ], # list of sites which URL's will be blocked
 # 'blocked_link_substitute' => 'http://domain.com/error.html' # blocked links will be replaced by this URL
+# 'allowed_img_attrs' => hashref of allowed img attibutes, other attrs are removed.
 # 'remove_all_attribs' => 1, # remove all attributes from html tags
 # 'remove_attribs' => [qw/id class style/], # remove specified attributes only
 # });
@@ -154,7 +155,6 @@
 my $remove_positioning = $opts->{'remove_positioning'} || 0;
 my $target = $opts->{'target'} || '';
 my $ljrepost_allowed = ($opts->{ljrepost_allowed} && ! $opts->{'textonly'}) || 0;
- my $opt_no_img_wh = $opts->{img_no_wh};
 my $viewer_lang = $opts->{'viewer_lang'};
 unless ($viewer_lang) {
@@ -762,11 +762,6 @@
 }
 }
- if ($tag eq 'img' and $opt_no_img_wh and $attr =~ /^width|height$/){
- ## remove width and height attributes from img tag
- delete $hash->{$attr};
- }
-
 ## warning: in commets left by anonymous users, <img src="something">
 ## is replaced by <a href="something"> (see 'extractimages' param)
 ## If "something" is "data:<script ...", we'll get a vulnerability
@@ -944,6 +939,13 @@
 }
 if ($opts->{'extractimages'}) { $img_bad = 1; }
+ ## Option 'allowed_img_attrs' provides a list of allowed attributes
+ if (my $allowed = $opts->{'allowed_img_attrs'}){
+ while (my ($attr, undef) = each %$hash){
+ delete $hash->{$attr} unless $allowed->{$attr};
+ }
+ }
+
 ## TODO: a better check of $hash->{src} is needed,
 ## known (fixed) vulnerability is src="data:..."
 $hash->{src} = canonical_url($hash->{src}, 1);
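Review bot: The allow-list loop in the last hunk tests `$allowed->{$attr}` for truth rather than key presence, so a caller passing `{ src => 1, alt => 0 }` loses `alt`, and nothing keeps `src` itself from being dropped — two lines later `$hash->{src} = canonical_url($hash->{src}, 1);` then rebuilds src from undef, which presumably yields an img with an empty src (plus an uninitialized-value warning) rather than the tag being dropped. I would change the filter to `for my $attr (keys %$hash) {` / `delete $hash->{$attr} unless $attr eq 'src' || exists $allowed->{$attr};`, which also stops depending on the hash's shared `each` iterator state (an earlier, unfinished `each` over the same hash would make this loop start part-way through and leave some attributes unfiltered). The option description added in the first hunk should state that the hashref's keys are attribute names and that `src` is always kept (and fix "attibutes"). The enclosing function starts and ends outside the hunk.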