diff --git a/html.d b/html.d
index 52e6dbf..1a6fa7b 100644
--- a/html.d
+++ b/html.d
@@ -29,6 +29,7 @@ enum HtmlFeatures : uint {
 objects = 64, /// The tag, which can link to many things, including Flash.
 iframes = 128, /// The tag. sandbox and restrict attributes are always added.
 classes = 256, /// The class="" attribute
+ forms = 512, /// HTML forms
 }
 /// The things to allow in links, images, css, and aother urls.
@@ -53,7 +54,9 @@ string[] htmlTagWhitelist = [
 "h1", "h2", "h3", "h4", "h5", "h6", "abbr",
- "img", "object", "audio", "video", "a", "source" // note that these usually *are* stripped out - see HtmlFeatures- but this lets them get into stage 2
+ "img", "object", "audio", "video", "a", "source", // note that these usually *are* stripped out - see HtmlFeatures- but this lets them get into stage 2
+
+ "form", "input", "textarea", "legend", "fieldset", "label", // ditto, but with HtmlFeatures.forms
 // style isn't here
 ];
@@ -69,8 +72,9 @@ string[] htmlAttributeWhitelist = [
 "colspan", "rowspan", "title", "alt", "class",
- "href", "src", "type",
+ "href", "src", "type", "name", "id",
+ "method", "enctype", // for forms only FIXME
 "align", "valign", "width", "height",
 ];
@@ -114,6 +118,15 @@ Element sanitizedHtml(/*in*/ Element userContent, string idPrefix = null, HtmlFe
 ||(!(allow & HtmlFeatures.audio) && e.tagName == "audio")
 ||(!(allow & HtmlFeatures.objects) && e.tagName == "object")
 ||(!(allow & HtmlFeatures.iframes) && e.tagName == "iframe")
+ ||(!(allow & HtmlFeatures.forms) && (
+ e.tagName == "form" ||
+ e.tagName == "input" ||
+ e.tagName == "textarea" ||
+ e.tagName == "label" ||
+ e.tagName == "fieldset" ||
+ e.tagName == "legend" ||
+ 1
+ ))
 ) {
 e.innerText = e.innerText; // strips out non-text children
 e.stripOut;
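Review bot: Whitelisting `input` here lets `<input type="image" src="…">` into stage 2 with `type` and `src` already whitelisted, so with `HtmlFeatures.forms` on but `images` off it can still trigger a remote fetch unless the image gate outside this hunk also matches that tag. I would extend that gate, e.g. `|| (!(allow & HtmlFeatures.images) && e.tagName == "input" && e.getAttribute("type") == "image")` (or whatever attribute accessor `Element` provides), or drop `src` from `input` in the attribute pass. Separately, this six-tag list is repeated verbatim in the strip condition inside `sanitizedHtml`; a shared `immutable string[] formTags = ["form", "input", "textarea", "legend", "fieldset", "label"];` tested with `formTags.canFind(e.tagName)` keeps the two from drifting. The `htmlTagWhitelist` array opens before this hunk.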
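Review bot: `name` and `id` are now accepted on every whitelisted element rather than only on form controls, and the `// for forms only FIXME` shows the restriction was intended but not implemented. Unprefixed `name`/`id` values in user content are the standard DOM-clobbering vector (`<img name="forms">`, `<a id="location">`) against scripts on the hosting page; `sanitizedHtml` takes an `idPrefix`, which presumably namespaces `id`, but nothing in this change suggests `name` receives the same treatment. In the attribute-filtering pass (outside this hunk) I would remove `name`, `method` and `enctype` from any element that is not one of the form tags, and apply `idPrefix` to `name` as well as `id`. `htmlAttributeWhitelist` opens before this hunk.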
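Review bot: The trailing `1` in the new disjunction makes the whole `e.tagName == … || 1` group unconditionally true, so whenever `HtmlFeatures.forms` is not set (the default) every element, not only form elements, satisfies the condition and is removed by the `e.stripOut` below, leaving text-only output. Drop the placeholder: change `e.tagName == "legend" ||` to `e.tagName == "legend"` and delete the `1` line. A regression test that sanitizes `<p>hi</p>` with the default `allow` and asserts the paragraph survives would have caught this. The enclosing `if` opens before this hunk and `sanitizedHtml` continues past it.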