From: Bill Erickson
Date: Fri, 24 May 2019 15:40:00 +0000 (-0400)
Subject: LP1825851 Template generated uses HTML::Defang
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=51d1b932a1110e7c2cb5e104b4ff4a53be8d4d83;p=working%2FEvergreen.git

LP1825851 Template generated uses HTML::Defang

Signed-off-by: Bill Erickson
---

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm
index 2c33f787c8..457a0f5917 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm
@@ -4,11 +4,7 @@ use Apache2::Const -compile => qw(OK FORBIDDEN NOT_FOUND HTTP_INTERNAL_SERVER_ERROR HTTP_BAD_REQUEST);
 use Apache2::RequestRec;
 use CGI;
-# Requires a new CPAN module.
-# Leaving commented for now to ease testing, pending agreement on the
-# approach for html srubbing.
-# $ sudo cpan HTML::Restrict
-#use HTML::Restrict;
+use HTML::Defang;
 use OpenSRF::Utils::JSON;
 use OpenSRF::System;
 use OpenSRF::Utils::SettingsClient;
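Review bot: `use HTML::Defang;` adds a new CPAN prerequisite, and since this commit touches only PrintTemplate.pm the requirement is recorded nowhere else — the comment block it replaces at least carried an install hint for the previous candidate module. I would add the module to the project's Perl dependency list in the same change and leave a short pointer at the use site, e.g. `use HTML::Defang; # CPAN dependency: sanitises text/html template output`. Loading it unconditionally is nevertheless the right direction: a missing module now fails at startup instead of the old `$hr` guard silently skipping the scrub.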
@@ -33,36 +29,9 @@ sub child_init {
 return Apache2::Const::OK;
 }
 
-# Remove all but the following elements and attributes from text/html
-# compiled content.
-my $rules = {
- b => [qw(class style)],
- caption => [qw(class style)],
- center => [qw(class style)],
- div => [qw(class style)],
- em => [qw(class style)],
- i => [qw(class style)],
- img => [qw(class style src)],
- li => [qw(class style)],
- ol => [qw(class style)],
- p => [qw(class style)],
- span => [qw(class style)],
- strong => [qw(class style)],
- style => [],
- sub => [qw(class style)],
- sup => [qw(class style)],
- table => [qw(class style)],
- tbody => [qw(class style)],
- td => [qw(class style)],
- th => [qw(class style)],
- thead => [qw(class style)],
- tr => [qw(class style)],
- u => [qw(class style)],
- ul => [qw(class style)],
-};
-
-my $hr;
-#my $hr = HTML::Restrict->new(rules => $rules);
+# HTML scrubber
+# https://metacpan.org/pod/HTML::Defang
+my $defang = HTML::Defang->new;
 
 sub handler {
 my $r = shift;
@@ -109,8 +78,8 @@ sub handler {
 if ($stat) { # OK
 my $ctype = $template->content_type;
- if ($hr && $ctype eq 'text/html') {
- $output = $hr->process($output); # Scrub the HTML
+ if ($ctype eq 'text/html') {
+ $output = $defang->defang($output); # Scrub the HTML
 }
 # TODO
 # client current expects content type to only contain type.
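Review bot: `my $defang = HTML::Defang->new;` takes the module's default policy while the explicit element/attribute allow-list it replaces (`b`, `div`, `img` with `src`, `table`, `style`, …) disappears without a note on whether the defaults are meant to be equivalent, so a reader can no longer tell which markup is intended to survive in print output. I would compare the defaults against the removed `$rules` and record the decision above the constructor, e.g. `# Default HTML::Defang policy; the earlier fixed allow-list of elements/attributes is no longer applied — see the POD for what is neutralised.` The instance is also built once at module load and shared by every request handled by a persistent mod_perl child, so it is worth confirming from the module documentation that one object can be reused across `defang` calls without state carrying over between requests.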
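Review bot: The new gate `if ($ctype eq 'text/html')` fails open: a template whose content type is not that exact string (a `; charset=` parameter, different case, `application/xhtml+xml`) is sent to the browser unscrubbed, and the `$hr` guard it replaces had the same shape. The TODO beneath says the client currently expects a bare type, so present values likely match, but the scrubbing decision should not rest on that; a tolerant test such as `if ($ctype =~ m{\A text/html \b}xmsi) {` keeps the scrub on when a parameter or a casing change arrives. It would also be worth treating any markup type a browser renders as HTML the same way rather than only the one literal. The enclosing `handler` starts and ends outside the hunk.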