Sanitizing HTML input

commit 7064e8bdccb42eb2a1973b6c4803339087d868b1 1 parent 49a2bce
Michael Snoyman snoyberg authored
Showing with 7 additions and 4 deletions.
  1. +2 −1  Yesod/Form/Nic.hs
  2. +2 −1  Yesod/Form/Profiles.hs
  3. +3 −2 yesod.cabal
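--- a/Yesod/Form/Nic.hs
+++ b/Yesod/Form/Nic.hs
@@ -10,6 +10,7 @@ import Yesod.Form.Core
 import Yesod.Hamlet
 import Yesod.Widget
 import qualified Data.ByteString.Lazy.UTF8 as U
+import Text.HTML.SanitizeXSS (sanitizeXSS)
 class YesodNic a where
 -- | NIC Editor.
@@ -24,7 +25,7 @@ maybeNicHtmlField = optionalFieldHelper nicHtmlFieldProfile
 nicHtmlFieldProfile :: YesodNic y => FieldProfile sub y Html
 nicHtmlFieldProfile = FieldProfile
- { fpParse = Right . preEscapedString
+ { fpParse = Right . preEscapedString . sanitizeXSS
 , fpRender = U.toString . renderHtml
 , fpWidget = \theId name val _isReq -> do
 addBody [$hamlet|%textarea.html#$theId$!name=$name$ $val$|]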
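Review bot: The parser at `fpParse = Right . preEscapedString . sanitizeXSS` is the only place sanitizeXSS is applied; `fpRender = U.toString . renderHtml` on the following line passes the Html value through untouched, so values that entered this field before the commit would presumably be round-tripped without ever being sanitized — the same shape appears in htmlFieldProfile in Yesod/Form/Profiles.hs. Because preEscapedString marks its argument as already-safe markup, the XSS protection of both fields now rests entirely on what sanitizeXSS (from the newly added xss-sanitize dependency) lets through, and nothing in the code says so; the only doc comment in the hunk is `-- | NIC Editor.`. I would add above nicHtmlFieldProfile (and htmlFieldProfile): `-- Input is untrusted HTML: sanitizeXSS must stay in front of preEscapedString, which marks its result as safe markup.` If the field was live before this change, existing stored values may need a one-off re-sanitization. The nicHtmlFieldProfile record continues past the end of the hunk.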
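--- a/Yesod/Form/Profiles.hs
+++ b/Yesod/Form/Profiles.hs
@@ -27,6 +27,7 @@ import qualified Data.ByteString.Lazy.UTF8 as U
 import qualified Text.Email.Validate as Email
 import Network.URI (parseURI)
 import Database.Persist (PersistField)
+import Text.HTML.SanitizeXSS (sanitizeXSS)
 import Text.Blaze.Builder.Utf8 (writeChar)
 import Text.Blaze.Builder.Core (writeList, writeByteString)
@@ -77,7 +78,7 @@ timeFieldProfile = FieldProfile
 htmlFieldProfile :: FieldProfile sub y Html
 htmlFieldProfile = FieldProfile
- { fpParse = Right . preEscapedString
+ { fpParse = Right . preEscapedString . sanitizeXSS
 , fpRender = U.toString . renderHtml
 , fpWidget = \theId name val _isReq -> addBody [$hamlet|
 %textarea.html#$theId$!name=$name$ $val$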
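--- a/yesod.cabal
+++ b/yesod.cabal
@@ -25,7 +25,7 @@ library
 , time >= 1.1.4 && < 1.3
 , wai >= 0.2.0 && < 0.3
 , wai-extra >= 0.2.2 && < 0.3
- , authenticate >= 0.6.3 && < 0.7
+ , authenticate >= 0.6.3.2 && < 0.7
 , bytestring >= 0.9.1.4 && < 0.10
 , directory >= 1 && < 1.2
 , text >= 0.5 && < 0.10
@@ -42,7 +42,7 @@ library
 , cereal >= 0.2 && < 0.3
 , dataenc >= 0.13.0.2 && < 0.14
 , old-locale >= 1.0.0.2 && < 1.1
- , persistent >= 0.2.0 && < 0.3
+ , persistent >= 0.2.2 && < 0.3
 , neither >= 0.0.0 && < 0.1
 , MonadCatchIO-transformers >= 0.2.2.0 && < 0.3
 , data-object >= 0.3.1 && < 0.4
@@ -50,6 +50,7 @@ library
 , email-validate >= 0.2.5 && < 0.3
 , process >= 1.0.1 && < 1.1
 , web-routes >= 0.23 && < 0.24
+ , xss-sanitize >= 0.1.1 && < 0.2
 exposed-modules: Yesod
 Yesod.Content
 Yesod.Dispatch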