From 4ef871472eb7105c9ef5a7d28c45b6ad40e8a075 Mon Sep 17 00:00:00 2001
From: Bill Erickson
Date: Tue, 16 Apr 2019 13:36:02 -0400
Subject: [PATCH] HTML::Restrict example (sudo cpan HTML::Restrict)

Signed-off-by: Bill Erickson
---
 .../src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm | 37 ++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm
index 0be2c69782..436ea5cfb8 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/PrintTemplate.pm
@@ -4,6 +4,7 @@
 use Apache2::Const -compile => qw(OK FORBIDDEN NOT_FOUND HTTP_INTERNAL_SERVER_ERROR HTTP_BAD_REQUEST);
 use Apache2::RequestRec;
 use CGI;
+use HTML::Restrict;
 use OpenSRF::Utils::JSON;
 use OpenSRF::System;
 use OpenSRF::Utils::SettingsClient;
@@ -28,6 +29,34 @@ sub child_init {
 return Apache2::Const::OK;
 }
 
+# Remove all but the following elements and attributes from text/html
+# compiled content.
+my $rules = {
+ b => [qw(class style)],
+ caption => [qw(class style)],
+ center => [qw(class style)],
+ div => [qw(class style)],
+ em => [qw(class style)],
+ i => [qw(class style)],
+ img => [qw(class style src)],
+ li => [qw(class style)],
+ ol => [qw(class style)],
+ p => [qw(class style)],
+ span => [qw(class style)],
+ strong => [qw(class style)],
+ style => [],
+ sub => [qw(class style)],
+ sup => [qw(class style)],
+ table => [qw(class style)],
+ tbody => [qw(class style)],
+ td => [qw(class style)],
+ th => [qw(class style)],
+ thead => [qw(class style)],
+ tr => [qw(class style)],
+ u => [qw(class style)],
+ ul => [qw(class style)],
+};
+my $hr = HTML::Restrict->new(rules => $rules);
 sub handler {
 my $r = shift;
 
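Review bot: The allowlist in `$rules` passes CSS through uninspected — every element accepts a `style` attribute and the `style => []` entry admits stylesheet elements — and HTML::Restrict filters tags and attributes only, so whatever the CSS can express in the eventual renderer is still reachable; if these templates are displayed in a browser, a comment on the `style` entries stating that this is an accepted trade-off would help the next reader. As far as I recall HTML::Restrict's defaults, its `strip_enclosed_content` setting removes the text inside `<script>` and `<style>` elements regardless of the rules, which would make `style => []` keep an empty tag unless `strip_enclosed_content => []` is also passed — worth confirming against the installed version before relying on inline stylesheets. For the `src` attribute allowed on `img`, the scheme restriction comes from the module's `uri_schemes` default; spelling it out, `my $hr = HTML::Restrict->new(rules => $rules, uri_schemes => [undef, 'http', 'https']);`, records the intended policy in the code rather than in the module's changelog.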
@@ -71,8 +100,12 @@ sub handler {
 my $stat = $tt->process(\$tmpl, {template_data => $data}, \$output);
 
 if ($stat) { # OK
-
- $r->content_type($template->content_type . '; encoding=utf8');
+ my $ctype = $template->content_type;
+ if ($ctype eq 'text/html') {
+ # Scrub the HTML
+ $output = $hr->process($output);
+ }
+ $r->content_type("$ctype; encoding=utf8");
 $r->print($output);
 return Apache2::Const::OK;
 
-- 
2.11.0
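Review bot: The scrub is gated on the new `if ($ctype eq 'text/html')` line by an exact, case-sensitive comparison, so a template whose content type carries a parameter (`text/html; charset=...`) or different casing is sent to the client unscrubbed; if `content_type` on the template record is free text rather than a fixed choice, matching the media type instead, `if ($ctype =~ m{\Atext/html\b}i) {`, closes that gap. The rebuilt header line also carries over `encoding=utf8`, which is not a standard Content-Type parameter — clients look for `charset` — so `$r->content_type("$ctype; charset=UTF-8");` is what actually declares the output encoding to the browser. The enclosing handler body starts and ends outside this hunk.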