[libhtml-scrubber-perl] 05/13: RT3008 Changed examples to be XSS free
Florian Schlichting
fsfs at moszumanska.debian.org
Sat Nov 11 13:46:05 UTC 2017
This is an automated email from the git hooks/post-receive script.
fsfs pushed a commit to annotated tag release/0.10-TRIAL
in repository libhtml-scrubber-perl.
commit e281c77e07a30ca61635b9b6672291ea25859e87
Author: Nigel Metheringham <nigelm at cpan.org>
Date: Tue Feb 7 21:22:55 2012 +0000
RT3008 Changed examples to be XSS free
---
Changes | 1 +
lib/HTML/Scrubber.pm | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Changes b/Changes
index 399943c..7d16e79 100644
--- a/Changes
+++ b/Changes
@@ -1,6 +1,7 @@
Revision history for Perl extension HTML::Scrubber.
{{$NEXT}}
+ - RT3008 Changed examples to be XSS free
0.09 2011-04-01 16:35:50 Europe/London
- Basic conversion to Dist::Zilla/git
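Review bot: The added Changes line repeats the commit subject and does not say what actually changed. Consider naming it, for instance that the href/src/cite example rules in lib/HTML/Scrubber.pm moved from rejecting values that start with "script" or "javascript" to accepting only http, https and ftp URLs, so anyone who copied the old example knows to update their own rules.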
diff --git a/lib/HTML/Scrubber.pm b/lib/HTML/Scrubber.pm
index 23ff39d..b018ea1 100644
--- a/lib/HTML/Scrubber.pm
+++ b/lib/HTML/Scrubber.pm
@@ -564,11 +564,11 @@ the default attribute rule is applied.
0 => # default rule, deny all tags
{
'*' => 1, # default rule, allow all attributes
- 'href' => qr{^(?!(?:java)?script)}i,
- 'src' => qr{^(?!(?:java)?script)}i,
+ 'href' => qr{^(?:http|https|ftp)://}i,
+ 'src' => qr{^(?:http|https|ftp)://}i,
# If your perl doesn't have qr
# just use a string with length greater than 1
- 'cite' => '(?i-xsm:^(?!(?:java)?script))',
+ 'cite' => '(?i-xsm:^(?:http|https|ftp):)',
'language' => 0,
'name' => 1, # could be sneaky, but hey ;)
'onblur' => 0,
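Review bot: The new 'cite' string ends at `:` while the new 'href' and 'src' patterns require `://`, so the three example rules no longer test the same thing as the three old ones did; unless that is intended, make it '(?i-xsm:^(?:http|https|ftp)://)'. The surrounding documentation could also note that these patterns no longer match relative URLs or mailto: links, and that with '*' => 1 kept as the default in this rule set, any URL-carrying attribute not listed here is still allowed without a scheme check.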
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libhtml-scrubber-perl.git