james/yarr
4
0
Fork 0
mirror of https://github.com/nkanaev/yarr.git synced 2025-05-24 00:33:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

allow svg in sanitizer

Browse Source
This commit is contained in:
Nazar Kanaev 2021-04-07 14:34:57 +01:00
parent 30e6afb096
commit c2a28bcadf
4 changed files with 269 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/thirdparty.txt
View File

@ -11,8 +11,10 @@ The licenses are included, and the authorship comments are left intact.
- sanitizer - sanitizer
https://github.com/miniflux/v2 (commit:3cb04b2) Apache 2.0 https://github.com/miniflux/v2 (commit:3cb04b2) Apache 2.0
changed allowed tags to the one from https://github.com/cure53/DOMPurify whitelist changed to the ones from https://github.com/cure53/DOMPurify:
changed allowed uri schemes to the one from https://github.com/cure53/DOMPurify - allowed tags
- allowed uri schemes
- added svg whitelist
- systray - systray
https://github.com/getlantern/systray (commit:2c0986d) Apache 2.0 https://github.com/getlantern/systray (commit:2c0986d) Apache 2.0

2
doc/todo.txt
View File

@ -1,5 +1,3 @@
- fix: sanitizer/readability clearing out svg?
https://preshing.com/20210315/how-cpp-resolves-a-function-call/
- fix: text is garbled in - fix: text is garbled in
https://www.tedinski.com/2019/11/17/book-status-update.html https://www.tedinski.com/2019/11/17/book-status-update.html
- fix: focus on the newly added feed - fix: focus on the newly added feed

13
src/content/sanitizer/sanitizer.go
View File

@ -51,7 +51,7 @@ func Sanitize(baseURL, input string) string {
buffer.WriteString(html.EscapeString(token.Data)) buffer.WriteString(html.EscapeString(token.Data))
case html.StartTagToken: case html.StartTagToken:
tagName := token.DataAtom.String() tagName := token.Data
parentTag = tagName parentTag = tagName
if isValidTag(tagName) { if isValidTag(tagName) {
@ -70,14 +70,14 @@ func Sanitize(baseURL, input string) string {
blacklistedTagDepth++ blacklistedTagDepth++
} }
case html.EndTagToken: case html.EndTagToken:
tagName := token.DataAtom.String() tagName := token.Data
if isValidTag(tagName) && inList(tagName, tagStack) { if isValidTag(tagName) && inList(tagName, tagStack) {
buffer.WriteString(fmt.Sprintf("</%s>", tagName)) buffer.WriteString(fmt.Sprintf("</%s>", tagName))
} else if isBlockedTag(tagName) { } else if isBlockedTag(tagName) {
blacklistedTagDepth-- blacklistedTagDepth--
} }
case html.SelfClosingTagToken: case html.SelfClosingTagToken:
tagName := token.DataAtom.String() tagName := token.Data
if isValidTag(tagName) { if isValidTag(tagName) {
attrNames, htmlAttributes := sanitizeAttributes(baseURL, tagName, token.Attr) attrNames, htmlAttributes := sanitizeAttributes(baseURL, tagName, token.Attr)
@ -157,13 +157,18 @@ func getExtraAttributes(tagName string) ([]string, []string) {
} }
func isValidTag(tagName string) bool { func isValidTag(tagName string) bool {
return allowedTags.has(tagName) x := allowedTags.has(tagName) || allowedSvgTags.has(tagName) || allowedSvgFilters.has(tagName)
//fmt.Println(tagName, x)
return x
} }
func isValidAttribute(tagName, attributeName string) bool { func isValidAttribute(tagName, attributeName string) bool {
if attrs, ok := allowedAttrs[tagName]; ok { if attrs, ok := allowedAttrs[tagName]; ok {
return attrs.has(attributeName) return attrs.has(attributeName)
} }
if allowedSvgTags.has(tagName) {
return allowedSvgAttrs.has(attributeName)
}
return false return false
} }

256
src/content/sanitizer/whitelist.go
View File

@ -138,6 +138,78 @@ var allowedTags = sset([]string{
"wbr", "wbr",
}) })
var allowedSvgTags = sset([]string{
"svg",
"a",
"altglyph",
"altglyphdef",
"altglyphitem",
"animatecolor",
"animatemotion",
"animatetransform",
"circle",
"clippath",
"defs",
"desc",
"ellipse",
"filter",
"font",
"g",
"glyph",
"glyphref",
"hkern",
"image",
"line",
"lineargradient",
"marker",
"mask",
"metadata",
"mpath",
"path",
"pattern",
"polygon",
"polyline",
"radialgradient",
"rect",
"stop",
//"style",
"switch",
"symbol",
"text",
"textpath",
"title",
"tref",
"tspan",
"view",
"vkern",
})
var allowedSvgFilters = sset([]string{
"feBlend",
"feColorMatrix",
"feComponentTransfer",
"feComposite",
"feConvolveMatrix",
"feDiffuseLighting",
"feDisplacementMap",
"feDistantLight",
"feFlood",
"feFuncA",
"feFuncB",
"feFuncG",
"feFuncR",
"feGaussianBlur",
"feMerge",
"feMergeNode",
"feMorphology",
"feOffset",
"fePointLight",
"feSpecularLighting",
"feSpotLight",
"feTile",
"feTurbulence",
})
var allowedAttrs = map[string]set{ var allowedAttrs = map[string]set{
"img": sset([]string{"alt", "title", "src", "srcset", "sizes"}), "img": sset([]string{"alt", "title", "src", "srcset", "sizes"}),
"audio": sset([]string{"src"}), "audio": sset([]string{"src"}),
@ -153,6 +225,190 @@ var allowedAttrs = map[string]set{
"iframe": sset([]string{"width", "height", "frameborder", "src", "allowfullscreen"}), "iframe": sset([]string{"width", "height", "frameborder", "src", "allowfullscreen"}),
} }
var allowedSvgAttrs = sset([]string{
"accent-height",
"accumulate",
"additive",
"alignment-baseline",
"ascent",
"attributename",
"attributetype",
"azimuth",
"basefrequency",
"baseline-shift",
"begin",
"bias",
"by",
"class",
"clip",
"clippathunits",
"clip-path",
"clip-rule",
"color",
"color-interpolation",
"color-interpolation-filters",
"color-profile",
"color-rendering",
"cx",
"cy",
"d",
"dx",
"dy",
"diffuseconstant",
"direction",
"display",
"divisor",
"dur",
"edgemode",
"elevation",
"end",
"fill",
"fill-opacity",
"fill-rule",
"filter",
"filterunits",
"flood-color",
"flood-opacity",
"font-family",
"font-size",
"font-size-adjust",
"font-stretch",
"font-style",
"font-variant",
"font-weight",
"fx",
"fy",
"g1",
"g2",
"glyph-name",
"glyphref",
"gradientunits",
"gradienttransform",
"height",
"href",
"id",
"image-rendering",
"in",
"in2",
"k",
"k1",
"k2",
"k3",
"k4",
"kerning",
"keypoints",
"keysplines",
"keytimes",
"lang",
"lengthadjust",
"letter-spacing",
"kernelmatrix",
"kernelunitlength",
"lighting-color",
"local",
"marker-end",
"marker-mid",
"marker-start",
"markerheight",
"markerunits",
"markerwidth",
"maskcontentunits",
"maskunits",
"max",
"mask",
"media",
"method",
"mode",
"min",
"name",
"numoctaves",
"offset",
"operator",
"opacity",
"order",
"orient",
"orientation",
"origin",
"overflow",
"paint-order",
"path",
"pathlength",
"patterncontentunits",
"patterntransform",
"patternunits",
"points",
"preservealpha",
"preserveaspectratio",
"primitiveunits",
"r",
"rx",
"ry",
"radius",
"refx",
"refy",
"repeatcount",
"repeatdur",
"restart",
"result",
"rotate",
"scale",
"seed",
"shape-rendering",
"specularconstant",
"specularexponent",
"spreadmethod",
"startoffset",
"stddeviation",
"stitchtiles",
"stop-color",
"stop-opacity",
"stroke-dasharray",
"stroke-dashoffset",
"stroke-linecap",
"stroke-linejoin",
"stroke-miterlimit",
"stroke-opacity",
"stroke",
"stroke-width",
//"style",
"surfacescale",
"systemlanguage",
"tabindex",
"targetx",
"targety",
"transform",
"text-anchor",
"text-decoration",
"text-rendering",
"textlength",
"type",
"u1",
"u2",
"unicode",
"values",
"viewbox",
"visibility",
"version",
"vert-adv-y",
"vert-origin-x",
"vert-origin-y",
"width",
"word-spacing",
"wrap",
"writing-mode",
"xchannelselector",
"ychannelselector",
"x",
"x1",
"x2",
"xmlns",
"y",
"y1",
"y2",
"z",
"zoomandpan",
})
var allowedURISchemes = sset([]string{ var allowedURISchemes = sset([]string{
"http", "http",
"https", "https",