modification RE whiteliste HTML safe & MAJ cache standalone

4 years ago · e2f2c9149d
4 changed files with 8 additions and 8 deletions
--- a/inc/echapper_html_suspect.php
+++ b/inc/echapper_html_suspect.php
@ -1,13 +1,13 @@
 <?php

-
-
 function inc_echapper_html_suspect_dist($texte, $strict=true) {
 	if (!$texte
 		or strpos($texte, '<') === false or strpos($texte, '=') === false) {
 		return $texte;
 	}
-  if (preg_match("@^</?[a-z]{1,5}(\s+class\s*=\s*['\"][a-z _\s-]+['\"])?\s?/?>$@iS", $texte)) return $texte;
+  if ( preg_match("@^(</?(?!script)[a-z]+(\s+class\s*=\s*['\"][a-z _\s-]+['\"])?\s?/?>[\w\s]*)+$@iS", $texte) ){
+    return $texte; // input non filtré, $texte doit être safe !
+  }
  $texte = safehtml($texte); 
 	return $texte;
 }
--- a/lib/html5/HTMLPurifier.standalone.php
+++ b/lib/html5/HTMLPurifier.standalone.php
@ -16626,7 +16626,7 @@ class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
            
            // https://www.w3.org/TR/microdata/
            'itemid' => 'ID',
-            'itemprop' => 'Text',            
+            'itemprop' => 'CDATA',            
            'itemscope' => 'Bool#itemscope',            
            'itemtype' => 'URI',            
            
@ -16913,7 +16913,7 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
            'Common',
            array(
                'form' => 'ID',            
-                // 'for' => 'IDREF', // IDREF not implemented, cannot allow
+                'for' => 'ID', // IDREF not implemented, allow ID
            )
        );
        $label->excludes = array('label' => true);
--- a/paquet.xml
+++ b/paquet.xml
@ -1,7 +1,7 @@
 <paquet
 	prefix="htmlpurifier"
 	categorie="outil"
-	version="5.0.0.1"
+	version="5.0.0.2"
 	etat="dev"
 	compatibilite="[3.2.1;3.2.99]"
 	logo="htmlpurifier.png"
--- a/wheels/htmlpurifier/echappe-js.php
+++ b/wheels/htmlpurifier/echappe-js.php
@ -16,8 +16,8 @@ function echappe_anti_xss($match) {
        return "";
    }
    $texte = &$match[0];
-    if (preg_match("@^</?[a-z]{1,5}(\s+class\s*=\s*['\"][a-z _\s-]+['\"])?\s?/?>$@iS", $texte)){
-      return $texte;
+    if ( preg_match("@^(</?(?!script)[a-z]+(\s+class\s*=\s*['\"][a-z _\s-]+['\"])?\s?/?>[\w\s]*)+$@iS", $texte) ){
+      return $texte; // input non filtré, $texte doit être safe !
    }
    if (!isset($safehtml)) {
        $safehtml = charger_fonction('safehtml', 'inc', true);