qw(OK FORBIDDEN NOT_FOUND HTTP_INTERNAL_SERVER_ERROR HTTP_BAD_REQUEST);
use Apache2::RequestRec;
use CGI;
-# Requires a new CPAN module.
-# Leaving commented for now to ease testing, pending agreement on the
-# approach for html srubbing.
-# $ sudo cpan HTML::Restrict
-#use HTML::Restrict;
+use HTML::Defang;
use OpenSRF::Utils::JSON;
use OpenSRF::System;
use OpenSRF::Utils::SettingsClient;
return Apache2::Const::OK;
}
-# Remove all but the following elements and attributes from text/html
-# compiled content.
-my $rules = {
- b => [qw(class style)],
- caption => [qw(class style)],
- center => [qw(class style)],
- div => [qw(class style)],
- em => [qw(class style)],
- i => [qw(class style)],
- img => [qw(class style src)],
- li => [qw(class style)],
- ol => [qw(class style)],
- p => [qw(class style)],
- span => [qw(class style)],
- strong => [qw(class style)],
- style => [],
- sub => [qw(class style)],
- sup => [qw(class style)],
- table => [qw(class style)],
- tbody => [qw(class style)],
- td => [qw(class style)],
- th => [qw(class style)],
- thead => [qw(class style)],
- tr => [qw(class style)],
- u => [qw(class style)],
- ul => [qw(class style)],
-};
-
-my $hr;
-#my $hr = HTML::Restrict->new(rules => $rules);
+# HTML scrubber
+# https://metacpan.org/pod/HTML::Defang
+my $defang = HTML::Defang->new;
sub handler {
my $r = shift;
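Review bot: `my $defang = HTML::Defang->new;` uses the module's default policy with no `tags_to_callback`/`attribs_to_callback` configured, which is a different contract from the explicit tag/attribute allowlist in the removed `$rules` hash (b, div, img with class/style/src, table elements, and so on); nothing in the hunk records whether that allowlist was intentionally abandoned or still needs to be enforced through Defang's callbacks. The comment above the constructor should state the intended policy so the next reader does not assume the old allowlist still applies, e.g. `# HTML::Defang defaults: scripting, event-handler attributes and javascript: URLs are neutralised; the former per-tag allowlist is no longer enforced here.` It would also be worth noting the new CPAN dependency that the deleted install comment documented, since `use HTML::Defang` is now a hard requirement at module load. Because the scrubbed fragment is presumably embedded in a larger page, consider whether `fix_mismatched_tags => 1` is wanted so an unclosed tag in user content cannot break the surrounding markup.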
if ($stat) { # OK
my $ctype = $template->content_type;
- if ($hr && $ctype eq 'text/html') {
- $output = $hr->process($output); # Scrub the HTML
+ if ($ctype eq 'text/html') {
+ $output = $defang->defang($output); # Scrub the HTML
}
# TODO
# client current expects content type to only contain type.