add LICENSE, update README, cabalize
This commit is contained in:
Greg Weber
parent
705b84b75b
commit
632edcd7fc
25
LICENSE
Normal file
25
LICENSE
Normal file
@ -0,0 +1,25 @@
|
||||
The following license covers this documentation, and the source code, except
|
||||
where otherwise indicated.
|
||||
|
||||
Copyright 2010, Michael Snoyman. All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS "AS IS" AND ANY EXPRESS OR
|
||||
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
|
||||
EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
|
||||
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
||||
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
||||
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
17
README
17
README
@ -1,17 +0,0 @@
|
||||
== Summary ==
|
||||
provides a function sanitizeXSS that removes XSS attacks from html.
|
||||
|
||||
== Use Case ==
|
||||
All html from an untrusted source (user of a web application) should be ran through this function.
|
||||
If you trust the html (you wrote it), you do not need to use this.
|
||||
|
||||
== Detail ==
|
||||
This is not escaping! Escaping html does prevents XSS attacks. Strings should be html escaped to show up properly and to prevent XSS attacks. However, escaping will ruin the display of the html.
|
||||
|
||||
This function removes any tags or attributes that are not in its white-list of safe html. This may sound picky, but most html should make it through unchanged, giving us the best of both worlds- safe, displayable html.
|
||||
|
||||
== Integration ==
|
||||
It is recommended to integrate this so that it is automatically used whenever an application receives untrusted html data (instead of before it is displayed). See the Yesod web framework as an example.
|
||||
|
||||
== Credit ==
|
||||
This was taken from John MacFarlane's Pandoc (with permission) but redone with a TagSoup parser and some performance enhancements.
|
||||
32
README.md
Normal file
32
README.md
Normal file
@ -0,0 +1,32 @@
|
||||
Summary
|
||||
=======
|
||||
provides a function Text.HTML.SanitizeXSS.sanitizeXSS that filters html to prevent XSS attacks.
|
||||
|
||||
Use Case
|
||||
========
|
||||
All html from an untrusted source (user of a web application) should be ran through this function.
|
||||
If you trust the html (you wrote it), you do not need to use this.
|
||||
|
||||
Detail
|
||||
========
|
||||
This is not escaping! Escaping html does prevents XSS attacks. Strings should be html escaped to show up properly and to prevent XSS attacks. However, escaping will ruin the display of the html.
|
||||
|
||||
This function removes any tags or attributes that are not in its white-list of. This may sound picky, but most html should make it through unchanged, making the proces unnoticeable to the user but giving us safe html.
|
||||
|
||||
Limitations
|
||||
-----------
|
||||
TagSoup is used to parse the HTML, and it does a good job. However TagSoup does not maintain all white space. TagSoup does not distinguish between the following cases:
|
||||
|
||||
<a href="foo">, <a href=foo>
|
||||
<a href>, <a href>
|
||||
<a></a>, <a/>
|
||||
|
||||
img and br tags will be output as a single self-closing tags. Other self-closing tags will be output as an open and closing pair. There are future updates to TagSoup planned to fix these cases.
|
||||
|
||||
Integration
|
||||
===========
|
||||
It is recommended to integrate this so that it is automatically used whenever an application receives untrusted html data (instead of before it is displayed). See the Yesod web framework as an example.
|
||||
|
||||
Credit
|
||||
===========
|
||||
This was taken from John MacFarlane's Pandoc (with permission) modified to be faster and parsing redone with TagSoup
|
||||
23
xss-sanitize.cabal
Normal file
23
xss-sanitize.cabal
Normal file
@ -0,0 +1,23 @@
|
||||
name: xss-sanitize
|
||||
version: 0.1
|
||||
license: BSD3
|
||||
license-file: LICENSE
|
||||
author: Greg Weber <greg@gregweber.info>
|
||||
maintainer: Greg Weber <greg@gregweber.info>
|
||||
synopsis: sanitize untrusted HTML to prevent XSS attacks
|
||||
description: sanitize untrusted HTML to prevent XSS attacks with Text.HTML.SanitizeXSS.sanitizeXSS. see README.md for more details
|
||||
|
||||
category: Text.HTML
|
||||
stability: Stable
|
||||
cabal-version: >= 1.6
|
||||
build-type: Simple
|
||||
homepage: http://github.com/gregwebs/haskell-xss-sanitize
|
||||
|
||||
library
|
||||
build-depends: tagsoup >= 0.11
|
||||
exposed-modules: Text.HTML.SanitizeXSS
|
||||
ghc-options: -Wall
|
||||
|
||||
source-repository head
|
||||
type: git
|
||||
location: http://github.com/gregwebs/haskell-xss-sanitize.git
|
||||
Loading…
Reference in New Issue
Block a user