[livejournal] r18758: LJSUP-8385: remove attrs from img tags i...
Committer: vsukhanov
LJSUP-8385: remove attrs from img tags in entries and comments text.
U trunk/cgi-bin/cleanhtml.pl
Modified: trunk/cgi-bin/cleanhtml.pl
===================================================================
--- trunk/cgi-bin/cleanhtml.pl 2011-03-31 08:46:10 UTC (rev 18757)
+++ trunk/cgi-bin/cleanhtml.pl 2011-03-31 08:50:36 UTC (rev 18758)
@@ -60,6 +60,7 @@
# 'transform_embed_wmode' => <value>, # define a wmode value for videos (usually 'transparent' is the value you want)
# 'blocked_links' => [ qr/evil\.com/, qw/spammer\.com/ ], # list of sites which URL's will be blocked
# 'blocked_link_substitute' => 'http://domain.com/error.html' # blocked links will be replaced by this URL
+# 'allowed_img_attrs' => hashref of allowed img attibutes, other attrs are removed.
# 'remove_all_attribs' => 1, # remove all attributes from html tags
# 'remove_attribs' => [qw/id class style/], # remove specified attributes only
# });
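Review bot: The new option comment misspells "attributes" as "attibutes", and it does not say that the hashref's values must be true for a key to count as allowed, which is how the check added later in this commit reads it (`unless $allowed->{$attr}`). Suggest `# 'allowed_img_attrs' => { src => 1, alt => 1 }, # hashref of allowed img attributes (keys with true values); all other attrs are removed`. It would also help to state that this filter applies only to img tags, since the neighbouring `remove_attribs` option applies to all tags.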
@@ -154,7 +155,6 @@
my $remove_positioning = $opts->{'remove_positioning'} || 0;
my $target = $opts->{'target'} || '';
my $ljrepost_allowed = ($opts->{ljrepost_allowed} && ! $opts->{'textonly'}) || 0;
- my $opt_no_img_wh = $opts->{img_no_wh};
my $viewer_lang = $opts->{'viewer_lang'};
unless ($viewer_lang) {
@@ -762,11 +762,6 @@
}
}
- if ($tag eq 'img' and $opt_no_img_wh and $attr =~ /^width|height$/){
- ## remove width and height attributes from img tag
- delete $hash->{$attr};
- }
-
## warning: in commets left by anonymous users, <img src="something">
## is replaced by <a href="something"> (see 'extractimages' param)
## If "something" is "data:<script ...", we'll get a vulnerability
@@ -944,6 +939,13 @@
}
if ($opts->{'extractimages'}) { $img_bad = 1; }
+ ## Option 'allowed_img_attrs' provides a list of allowed attributes
+ if (my $allowed = $opts->{'allowed_img_attrs'}){
+ while (my ($attr, undef) = each %$hash){
+ delete $hash->{$attr} unless $allowed->{$attr};
+ }
+ }
+
## TODO: a better check of $hash->{src} is needed,
## known (fixed) vulnerability is src="data:..."
$hash->{src} = canonical_url($hash->{src}, 1);

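Review bot: The allow-list loop at `delete $hash->{$attr} unless $allowed->{$attr};` runs before `$hash->{src} = canonical_url($hash->{src}, 1);`, so a caller whose `allowed_img_attrs` omits `src` has it deleted here and the next statement then re-creates the key from `canonical_url(undef, 1)`, whose result for undef is not visible in this hunk. Either document that `src` must always be listed or exempt it from the loop with `next if $attr eq 'src';`. The `while (my ($attr, undef) = each %$hash)` form is also fragile: `each` keeps per-hash iterator state, so if earlier code in this function started and abandoned an `each` over `%$hash` this loop begins mid-way and leaves some attributes unfiltered; `for my $attr (keys %$hash) { delete $hash->{$attr} unless $allowed->{$attr}; }` iterates a snapshot and has no such dependency. Since the second and third hunks drop the `img_no_wh` option, any caller still passing it now keeps width/height silently; presumably those callers are being migrated to `allowed_img_attrs`, which is worth confirming. The enclosing function starts well before this hunk and continues after it.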