HTML-Defang-1.04/MANIFEST

Changes
lib/HTML/Defang.pm
Makefile.PL
MANIFEST    This list of files
README
t/01_basic.t
t/02_xss.t
t/03_styles.t
t/04_imports.t
t/05_callbacks.t
t/06_unicode.t
META.yml    Module meta-data (added by MakeMaker)

HTML-Defang-1.04/README

HTML-Defang version 1.04
========================

This module accepts an input HTML and/or CSS string and removes any
executable code including scripting, embedded objects, applets, etc.,
and neutralises any XSS attacks. A whitelist based approach is used
which means only HTML known to be safe is allowed through.

INSTALLATION

To install this module type the following:

   perl Makefile.PL
   make
   make test
   make install

DEPENDENCIES

None

COPYRIGHT AND LICENCE

Copyright (C) 2003-2010 by Opera Software Australia Pty Ltd

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.

HTML-Defang-1.04/Changes

Revision history for Perl extension HTML::Defang.

1.04  Mon Jan 03 12:00:00 2011
    - Change defang_and_add_to_output to delay the defanging until
      after the current tag is actually emitted to the output
    - If url callback has marked the attribute as to be defanged,
      skip result of attribute callback
    - Track tags as part of mismatched tag tracking
    - Replace magic constants of 0, 1 and 2 in HTML::Defang with
      exported constants DEFANG_NONE, DEFANG_ALWAYS and DEFANG_DEFAULT
    - allow attribute values up to 16384 chars long

1.03  Mon Jun 14 16:22:35 2010
    - fix incorrect tag closing when "/" appears as attribute key
    - handle deep span nests with the same attrs, not just no attrs
    - we might not find the tag if we hit one that stops further
      breaking out, that's not an error to report
    - track noscript mismatched tags
    - more nested table tags fixes
    - unicode fixes on attribute/style entity expansions
    - more deep nested span/div hacks
    - avoid undef error
    - optimisation for nested inline tags within block tags
    - massive speedup on deeply nested tags
    - defang tweaks on large sets of style rules
    - use /\G..../gc matching on style rather than s///
    - close/re-open inline tags across block tags
    - only convert \u sequences in stripped values
    - track mismatched tags, and defang -- in a tag as well
    - need to strip -- in defanged tags because --'s in comments are bad

1.02  Mon Aug 24 18:00:00 2009
    - add col and colgroup as possible ImplicitOpenTags
    - change to prevent double-defang by default. Add option to allow it.
    - open a new , not a if we need to open an implicit tag
    - add tbody back into list of implicit table tags
    - include & ... ; when encoding entity in new attributes
    - don't insert implicit open tag if it's the tag we actually just parsed
    - avoid excessive backtracking on some style tags. cleanup unquoting code
    - track tt blocks as well
    - add more tags to track
    - more quoting fixes
    - expand html entities in styles as well
    - don't unescape % sequences in URLs, just in stripped test value
    - in attributes, % sequences are only every 2 chars

1.01  Tue Apr 27 11:35:44 2009
    - first public release

0.01  Tue Feb 24 17:50:13 2009
    - original version; created by h2xs 1.23 with options
      -XAn HTML::Defang

HTML-Defang-1.04/t/05_callbacks.t

#!/usr/bin/perl -w

BEGIN { do '/home/mod_perl/hm/ME/FindLibs.pm'; }

use Test::More tests => 94;
use HTML::Defang;
use strict;

my ($Res, $H);
my ($DefangString, $CommentStartText, $CommentEndText) = ('defang_', '', '');

#################################
#  Basic tag callback tests
#################################
my $Defang = HTML::Defang->new(
  tags_to_callback => [ qw(img font unknown1 unknown2 button hr area) ],
  tags_callback => sub {
    my ($Context, $Defang, $Angle, $Tag, $IsEndTag, $AttributeHash, $HtmlR) = @_;
    # Return values 0, 1 and 2 are the magic constants that the 1.04
    # Changes entry names DEFANG_NONE, DEFANG_ALWAYS and DEFANG_DEFAULT.
    my $DefangFlag = 2;  # default: let HTML::Defang decide
    # Force skip: pass the tag through without defanging it
    $DefangFlag = 0 if $Tag eq "img" || $Tag eq "unknown1" || $Tag eq "button";
    # Force defang: defang the tag even if it would normally be allowed
    $DefangFlag = 1 if $Tag eq "font" || $Tag eq "unknown2" || $Tag eq "hr";
    return $DefangFlag;
  }
);

$H = < 2: 3: 4: 5: 6: 7: 8: 9: 14:


15: 16: 17:}, "Force skip known tag with closing tags and attributes");
like($Res, qr{14:}, "Force defang known tag with closing tags and attributes");
like($Res, qr{15:}, "Force skip unknown tag with closing tags and attributes");
like($Res, qr{16:}, "Force defang unknown tag with closing tags and attritues");
like($Res, qr{17: 14:
15: 16: 17: