better sanitizations

This commit is contained in:
Adam D. Ruppe 2013-05-23 16:48:18 -04:00
parent af2ee83505
commit 0d8022877b
1 changed files with 5 additions and 5 deletions

html.d

@ -139,8 +139,8 @@ Element sanitizedHtml(/*in*/ Element userContent, string idPrefix = null, HtmlFe
// this space is intentionally left blank
} else {
// it's allowed but let's make sure it's completely valid
if(!(allow & HtmlFeatures.classes)) {
// don't allow the class attribute
if(k == "class" && (allow & HtmlFeatures.classes)) {
e.setAttribute("class", v);
} else if(k == "id") {
if(idPrefix !is null)
e.setAttribute(k, idPrefix ~ v);
@ -149,9 +149,9 @@ Element sanitizedHtml(/*in*/ Element userContent, string idPrefix = null, HtmlFe
if(allow & HtmlFeatures.css) {
e.setAttribute(k, sanitizeCss(v));
}
} else if(k == "href" || k == "src")
} else if(k == "href" || k == "src") {
e.setAttribute(k, sanitizeUrl(v));
else
} else
e.setAttribute(k, v); // allowed attribute
}
}
@ -179,7 +179,7 @@ string sanitizeCss(string css) {
string sanitizeUrl(string url) {
// FIXME: support other options; this is more restrictive than it has to be
if(url.startsWith("http://") || url.startsWith("https://"))
if(url.startsWith("http://") || url.startsWith("https://") || url.startsWith("//"))
return url;
return null;
}
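Review bot: In the second hunk the `href`/`src` branch still writes whatever `sanitizeUrl(v)` returns, and the third hunk shows that function returning `null` for any URL that is not http, https or protocol-relative, so a rejected value reaches `e.setAttribute(k, null)`; whether that drops the attribute or emits an empty `href=""` depends on `Element.setAttribute`, which is outside the hunk, so the rejection should be explicit: `auto safe = sanitizeUrl(v); if(safe !is null) e.setAttribute(k, safe);`. Adding `//` to the accepted prefixes is reasonable since the URL then inherits the embedding page's scheme, but the comment on `sanitizeUrl` could say so (`// protocol-relative URLs take the scheme of the page they are embedded in`). As a point of style, the trailing `} else` on the new side of the second hunk is the one branch in that chain without braces; `} else {` with a closing brace would match the lines the commit just fixed. The enclosing `sanitizedHtml` function starts and ends outside the first two hunks.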