
Added xss-sanitize configuration option.

Setting it to no turns off sanitization, enabling
file:// URLs and other things that get filtered out
by xss-sanitize.
John MacFarlane
John MacFarlane committed Aug 28, 2011
1 parent 738235c commit 8f3e8f5c5a435b36d936375e18ce7286d0f391b8
Showing with 12 additions and 3 deletions.
  1. +4 −1 Network/Gitit/Config.hs
  2. +2 −1 Network/Gitit/ContentTransformer.hs
  3. +3 −1 Network/Gitit/Types.hs
  4. +3 −0 data/default.conf
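--- a/Network/Gitit/Config.hs
+++ b/Network/Gitit/Config.hs
@@ -105,6 +105,7 @@ extractConfig cp = do
 cfFeedRefreshTime <- get cp "DEFAULT" "feed-refresh-time"
 cfPDFExport <- get cp "DEFAULT" "pdf-export"
 cfPandocUserData <- get cp "DEFAULT" "pandoc-user-data"
+ cfXssSanitize <- get cp "DEFAULT" "xss-sanitize"
 let (pt, lhs) = parsePageType cfDefaultPageType
 let markupHelpFile = show pt ++ if lhs then "+LHS" else ""
 markupHelpPath <- liftIO $ getDataFileName $ "data" </> "markupHelp" </> markupHelpFile
@@ -194,7 +195,9 @@ extractConfig cp = do
 , pdfExport = cfPDFExport
 , pandocUserData = if null cfPandocUserData
 then Nothing
- else Just cfPandocUserData }
+ else Just cfPandocUserData
+ , xssSanitize = cfXssSanitize
+ }
 case config' of
 Left (ParseError e, e') -> error $ "Parse error: " ++ e ++ "\n" ++ e'
 Left e -> error (show e)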
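Review bot: The `get cp "DEFAULT" "xss-sanitize"` line in the first hunk makes the new key mandatory: a config file written before this option existed has no `xss-sanitize` entry, so `get` returns `Left` and the load ends in the `Left e -> error (show e)` branch of the second hunk, unless the parser is first seeded from data/default.conf (which this commit does update, but that layering is not visible in these hunks). If existing configs are not backed by the defaults, guarding the read keeps them loading and fails safe with sanitization on: `cfXssSanitize <- if has_option cp "DEFAULT" "xss-sanitize" then get cp "DEFAULT" "xss-sanitize" else return True`. extractConfig's body begins before the first hunk and continues past the second.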
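--- a/Network/Gitit/ContentTransformer.hs
+++ b/Network/Gitit/ContentTransformer.hs
@@ -338,7 +338,8 @@ pandocToHtml pandocContents = do
 toc <- liftM ctxTOC get
 bird <- liftM ctxBirdTracks get
 cfg <- lift getConfig
- return $ primHtml $ T.unpack . sanitizeBalance . T.pack $
+ return $ primHtml $ T.unpack .
+ (if xssSanitize cfg then sanitizeBalance else id) . T.pack $
 writeHtmlString defaultWriterOptions{
 writerStandalone = True
 , writerTemplate = "$if(toc)$\n$toc$\n$endif$\n$body$"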
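Review bot: The `if xssSanitize cfg then sanitizeBalance else id` inserted into the return expression switches off more than the XSS filter: sanitizeBalance also balances tags, so with the option off, unbalanced or stray markup in a page body reaches primHtml verbatim and can break the surrounding page layout as well as carry script. A one-line comment on that line would spare the next reader the surprise, e.g. `-- xss-sanitize off: no XSS filtering and no tag balancing; page HTML is emitted as-is`. This gates only the pandoc output path inside pandocToHtml; if sanitizeBalance is applied at other sites in this module (not visible here), those remain unconditional, which may or may not be intended. pandocToHtml's body begins before the hunk and continues past it.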
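--- a/Network/Gitit/Types.hs
+++ b/Network/Gitit/Types.hs
@@ -142,7 +142,9 @@ data Config = Config {
 -- | Allow PDF export?
 pdfExport :: Bool,
 -- | Directory to search for pandoc customizations
- pandocUserData :: Maybe FilePath
+ pandocUserData :: Maybe FilePath,
+ -- | Filter HTML through xss-sanitize
+ xssSanitize :: Bool
 }
 -- | Data for rendering a wiki page.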
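Review bot: The Haddock `-- | Filter HTML through xss-sanitize` on the new xssSanitize field says nothing about what False means, which is the one thing a reader consulting this record will want to know. Suggest `-- | Filter all HTML (including pandoc output) through xss-sanitize; False emits page HTML unfiltered and is only appropriate when every author is trusted`. The Config record starts before the hunk.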
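--- a/data/default.conf
+++ b/data/default.conf
@@ -254,3 +254,6 @@ pandoc-user-data:
 # specified, $HOME/.pandoc will be searched. See pandoc's README for
 # more information.
+xss-sanitize: yes
+# if yes, all HTML (including that produced by pandoc) is filtered
+# through xss-sanitize. Set to no only if you trust all of your users.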
