Be more aggressive in HTML sanitization.

author: default 2022-10-28 18:06:42 +0200
committer: default 2022-10-28 18:06:42 +0200
commit: 5ee9504b1801f106f152ef9d60620ad88454d390 (patch)
tree: 8974400798b1a30c2b07cdebb6f6b8d4c7d8ccc1 /format.c
parent: Updated TODO. (diff)
download: snac2-5ee9504b1801f106f152ef9d60620ad88454d390.tar.gz
snac2-5ee9504b1801f106f152ef9d60620ad88454d390.tar.xz
snac2-5ee9504b1801f106f152ef9d60620ad88454d390.zip
1 files changed, 51 insertions, 0 deletions
diff --git a/format.c b/format.c
index 69efbdb..1c2a97a 100644
--- a/format.c
+++ b/format.c
@@ -150,3 +150,54 @@ d_char *not_really_markdown(char *content, d_char **f_content)
    return *f_content;
 }
+const char *valid_tags[] = {
+    "a", "p", "br", "img", "blockquote", "ul", "li", "span", NULL
+};
+d_char *sanitize(d_char *content)
+/* cleans dangerous HTML output */
+{
+    d_char *s = xs_str_new(NULL);
+    xs *sl;
+    int n = 0;
+    char *p, *v;
+    sl = xs_regex_split(content, "</?[^>]+>");
+    p = sl;
+    while (xs_list_iter(&p, &v)) {
+        if (n & 0x1) {
+            xs *s1  = xs_strip(xs_crop(xs_dup(v), v[1] == '/' ? 2 : 1, -1));
+            xs *l1  = xs_split_n(s1, " ", 1);
+            xs *tag = xs_tolower(xs_dup(xs_list_get(l1, 0)));
+            int i;
+            /* check if it's one of the valid tags */
+            for (i = 0; valid_tags[i]; i++) {
+                if (strcmp(tag, valid_tags[i]) == 0)
+                    break;
+            }
+            if (valid_tags[i]) {
+                /* accepted tag */
+                s = xs_str_cat(s, v);
+            }
+            else {
+                /* bad tag */
+                xs *s2 = xs_replace(v, "<", "&lt;");
+                s = xs_str_cat(s, s2);
+            }
+        }
+        else {
+            /* non-tag */
+            s = xs_str_cat(s, v);
+        }
+        n++;
+    }
+    return s;
+}
author	default	2022-10-28 18:06:42 +0200
committer	default	2022-10-28 18:06:42 +0200
commit	5ee9504b1801f106f152ef9d60620ad88454d390 (patch)
tree	8974400798b1a30c2b07cdebb6f6b8d4c7d8ccc1 /format.c
parent	Updated TODO. (diff)
download	snac2-5ee9504b1801f106f152ef9d60620ad88454d390.tar.gz snac2-5ee9504b1801f106f152ef9d60620ad88454d390.tar.xz snac2-5ee9504b1801f106f152ef9d60620ad88454d390.zip

diff --git a/format.c b/format.c index 69efbdb..1c2a97a 100644 --- a/format.c +++ b/format.c
@@ -150,3 +150,54 @@ d_char not_really_markdown(char content, d_char **f_content)
150		150
151	return *f_content;	151	return *f_content;
152	}	152	}
		153
		154
		155	const char *valid_tags[] = {
		156	"a", "p", "br", "img", "blockquote", "ul", "li", "span", NULL
		157	};
		158
		159	d_char sanitize(d_char content)
		160	/* cleans dangerous HTML output */
		161	{
		162	d_char *s = xs_str_new(NULL);
		163	xs *sl;
		164	int n = 0;
		165	char p, v;
		166
		167	sl = xs_regex_split(content, "</?[^>]+>");
		168
		169	p = sl;
		170
		171	while (xs_list_iter(&p, &v)) {
		172	if (n & 0x1) {
		173	xs *s1 = xs_strip(xs_crop(xs_dup(v), v[1] == '/' ? 2 : 1, -1));
		174	xs *l1 = xs_split_n(s1, " ", 1);
		175	xs *tag = xs_tolower(xs_dup(xs_list_get(l1, 0)));
		176	int i;
		177
		178	/* check if it's one of the valid tags */
		179	for (i = 0; valid_tags[i]; i++) {
		180	if (strcmp(tag, valid_tags[i]) == 0)
		181	break;
		182	}
		183
		184	if (valid_tags[i]) {
		185	/* accepted tag */
		186	s = xs_str_cat(s, v);
		187	}
		188	else {
		189	/* bad tag */
		190	xs *s2 = xs_replace(v, "<", "<");
		191	s = xs_str_cat(s, s2);
		192	}
		193	}
		194	else {
		195	/* non-tag */
		196	s = xs_str_cat(s, v);
		197	}
		198
		199	n++;
		200	}
		201
		202	return s;
		203	}