changeset 540:c5c5e955f0f1

remove (incomplete) style sanitizing, cfg.span_supports_style determines if we have full style support or no style support
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Thu, 24 Jun 2010 12:45:24 +0200
parents ff3037c75bb1
children df335ad9a37d
files data/plugin/macro/span.py
diffstat 1 files changed, 19 insertions(+), 78 deletions(-) [+]
--- a/data/plugin/macro/span.py	Thu Jun 24 12:32:37 2010 +0200
+++ b/data/plugin/macro/span.py	Thu Jun 24 12:45:24 2010 +0200
@@ -9,15 +9,20 @@
         dir
         title
     
-    Partially supported attrs:
-        if SUPPORT_STYLE_ATTR is True:
-        style - only support safe properties that are on whitelist,  others
-                could contain javascript and thus, be dangerous (XSS etc.)!
-        
-        if SUPPORT_STYLE_ATTR is False:
+    Conditionally supported attrs:
+        if cfg.span_supports_style is False (default):
         style - macro argument is accepted, but will be silently ignored, it
                 won't create style attribute output.
 
+        if cfg.span_supports_style is True (not default, DANGEROUS!):
+        style - fully support span style attr, including potentially dangerous
+                use of style. style attr value is too complex and browsers
+                behave too differently to be able to filter this with
+                reasonable effort. For details, please see:
+                http://www.feedparser.org/docs/html-sanitization.html
+                In short: can contain or load javascript, at least 2 different
+                kinds of hiding stuff using character escaping, etc.
+
     Unsupported attrs:
         event attrs - unsafe, can contain javascript, XSS danger
         align - deprecated by the W3C (use css classes)
@@ -28,77 +33,16 @@
     <<span(id=foobar)>>some text in a span with id foobar<<span>>
     <<span(title="read this!")>>some text with a mouseover title<<span>>
 
-    if SUPPORT_STYLE_ATTR is True, this also works:
+    if cfg.span_supports_style is True, this also works:
     <<span(style="color: red; font: 20pt sans-serif;")>>20pt sans-serif red<<span>>
 
     @copyright: 2010 MoinMoin:ThomasWaldmann
     @license: GNU GPL, see COPYING for details.
 """
 
-SUPPORT_STYLE_ATTR = True  # True should be safe, False is safer :)
-
 Dependencies = []
 
 
-def make_style_safe(style, whitelist=None):
-    """
-    make html 'style' attribute value safe, only accept property names in whitelist,
-    if whitelist is None, use builtin WHITELIST
-    """
-    # whitelist of safe style attributes, taken from:
-    # http://validator.w3.org/feed/docs/warning/DangerousStyleAttr.html
-    WHITELIST = ("azimuth,background,background-color,border,border-bottom,"
-                 "border-bottom-color,border-bottom-style,border-bottom-width,"
-                 "border-collapse,border-color,border-left,border-left-color,"
-                 "border-left-style,border-left-width,border-right,border-right-color,"
-                 "border-right-style,border-right-width,border-spacing,border-style,"
-                 "border-top,border-top-color,border-top-style,border-top-width,"
-                 "border-width,clear,color,cursor,direction,display,elevation,"
-                 "float,font,font-family,font-size,font-style,font-variant,"
-                 "font-weight,height,letter-spacing,line-height,margin,"
-                 "margin-bottom,margin-left,margin-right,margin-top,overflow,"
-                 "padding,padding-bottom,padding-left,padding-right,padding-top,"
-                 "pause,pause-after,pause-before,pitch,pitch-range,richness,"
-                 "speak,speak-header,speak-numeral,speak-punctuation,speech-rate,"
-                 "stress,text-align,text-decoration,text-indent,unicode-bidi,"
-                 "vertical-align,voice-family,volume,white-space,width").split(',')
-
-    def style_split(style):
-        """
-        split style into a list of declarations,
-        split the declarations into property, value tuples,
-        remove all surrounding whitespace
-        """
-        decls = []
-        for decl in style.split(u';'):
-            decl = decl.split(u':', 1)
-            if len(decl) == 2:
-                prop = decl[0].strip()
-                val = decl[1].strip()
-                decls.append((prop, val))
-        return decls
-
-    def style_join(decls):
-        """
-        join a list of prop, value tuples into a style declaration
-        """
-        decls = [u'%s: %s' % (prop, val) for prop, val in decls]
-        style = u'; '.join(decls)
-        return style
-
-    def decl_filter(decls, whitelist):
-        """
-        filter a list of prop, value tuples, only let whitelisted props through
-        """
-        whitelist = whitelist or WHITELIST
-        return [(prop, val) for prop, val in decls if prop in whitelist]
-
-    decls = style_split(style)
-    decls = decl_filter(decls, whitelist)
-    style = style_join(decls)
-    return style
-
-
 def macro_span(macro,
                # first the stuff we can directly give to span formatter:
                css_class=u'',
@@ -122,17 +66,14 @@
         if value:
             attrs[key] = value
 
-    if SUPPORT_STYLE_ATTR:
-        safe_style = make_style_safe(style)
-        if safe_style:
-            attrs['style'] = safe_style
-        # note: if some style was given, we create an opening tag,
-        # even if safe_style is empty (because style was all crap).
-        do_open = bool(style) or bool(attrs)
-    else:
-        do_open = bool(attrs)
+    support_style = bool(getattr(macro.request.cfg, 'span_supports_style', False))
+    if support_style:
+        if style:
+            attrs['style'] = style
 
-    if do_open:
+    # if (some attr) or some style was given, we create an opening tag,
+    # even if it was ONLY a style and we don't support style.
+    if attrs or style:
         return macro.formatter.span(True, **attrs)
     else:
         return macro.formatter.span(False)
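Review bot: The nested guard `if support_style:` / `if style:` collapses to the single condition it expresses, `if support_style and style:`, which reads more directly. The assignment `attrs['style'] = style` passes the value through with no filtering; the module docstring explains that this is deliberate when `cfg.span_supports_style` is enabled, but nothing at the code site says so, so a one-line comment such as `# deliberately unfiltered when enabled; see module docstring on cfg.span_supports_style` would keep a later maintainer from reading it as an oversight. Whether `macro.formatter.span` attribute-escapes the value is not visible in this hunk. macro_span's signature and the earlier part of its body lie outside the hunk.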