From 69c8c83ab05004ad5dad42003edcd6815b091df0 Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Thu, 28 Jun 2018 12:30:07 +0300
Subject: [PATCH 1/6] Stack

---
 .gitignore | 1 +
 stack.yaml | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 stack.yaml

diff --git a/.gitignore b/.gitignore
index 33b854e..8d68844 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 dist
 .cabal-sandbox/
 cabal.sandbox.config
+.stack-work/
diff --git a/stack.yaml b/stack.yaml
new file mode 100644
index 0000000..ff5b367
--- /dev/null
+++ b/stack.yaml
@@ -0,0 +1 @@
+resolver: lts-11.10
From 113ebdd32110fbd3c34ff8752b0b8a48b9b8be13 Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Thu, 28 Jun 2018 12:32:40 +0300
Subject: [PATCH 2/6] src subdir

---
 {Text => src/Text}/HTML/SanitizeXSS.hs | 0
 {Text => src/Text}/HTML/SanitizeXSS/Css.hs | 0
 xss-sanitize.cabal | 8 ++++++--
 3 files changed, 6 insertions(+), 2 deletions(-)
 rename {Text => src/Text}/HTML/SanitizeXSS.hs (100%)
 rename {Text => src/Text}/HTML/SanitizeXSS/Css.hs (100%)

diff --git a/Text/HTML/SanitizeXSS.hs b/src/Text/HTML/SanitizeXSS.hs
similarity index 100%
rename from Text/HTML/SanitizeXSS.hs
rename to src/Text/HTML/SanitizeXSS.hs
diff --git a/Text/HTML/SanitizeXSS/Css.hs b/src/Text/HTML/SanitizeXSS/Css.hs
similarity index 100%
rename from Text/HTML/SanitizeXSS/Css.hs
rename to src/Text/HTML/SanitizeXSS/Css.hs
diff --git a/xss-sanitize.cabal b/xss-sanitize.cabal
index 4769546..58b69e6 100644
--- a/xss-sanitize.cabal
+++ b/xss-sanitize.cabal
@@ -19,6 +19,7 @@ flag network-uri
 default: True

library
+ hs-source-dirs: src
 build-depends: base == 4.*, containers
 , tagsoup >= 0.12.2 && < 1
 , utf8-string >= 0.3 && < 1.1
@@ -37,8 +38,11 @@ library

 test-suite test
 type: exitcode-stdio-1.0
- main-is: test/main.hs
- cpp-options: -DTEST
+ hs-source-dirs: test, src
+ main-is: main.hs
+ other-modules: Text.HTML.SanitizeXSS
+ Text.HTML.SanitizeXSS.Css
+ cpp-options: -DTEST
 build-depends: base == 4.* , containers
 , tagsoup >= 0.12.2 && < 1
 , utf8-string >= 0.3 && < 1.1
From 5ae126757848f62f504f57f0b3ba61003bf65105 Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Thu, 28 Jun 2018 12:34:08 +0300
Subject: [PATCH 3/6] Drop older network support

---
 xss-sanitize.cabal | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/xss-sanitize.cabal b/xss-sanitize.cabal
index 58b69e6..f348fef 100644
--- a/xss-sanitize.cabal
+++ b/xss-sanitize.cabal
@@ -9,14 +9,10 @@ description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to

 category: Web
 stability: Stable
-cabal-version: >= 1.8
+cabal-version: >= 1.8
 build-type: Simple
 homepage: http://github.com/yesodweb/haskell-xss-sanitize
-extra-source-files: README.md
-
-flag network-uri
- description: Get Network.URI from the network-uri package
- default: True
+extra-source-files: README.md ChangeLog.md

library
 hs-source-dirs: src
@@ -26,15 +22,10 @@ library
 , css-text >= 0.1.1 && < 0.2
 , text >= 0.11 && < 2
 , attoparsec >= 0.10.0.3 && < 1
-
- if flag(network-uri)
- build-depends: network-uri >= 2.6
- else
- build-depends: network < 2.6
+ , network-uri >= 2.6

 exposed-modules: Text.HTML.SanitizeXSS
 other-modules: Text.HTML.SanitizeXSS.Css
- ghc-options: -Wall

test-suite test
 type: exitcode-stdio-1.0
@@ -51,13 +42,9 @@ test-suite test
 , attoparsec >= 0.10.0.3 && < 1
 , hspec >= 1.3
 , HUnit >= 1.2
-
- if flag(network-uri)
- build-depends: network-uri >= 2.6
- else
- build-depends: network < 2.6
+ , network-uri >= 2.6


source-repository head
- type: git
- location: http://github.com/yesodweb/haskell-xss-sanitize.git
+ type: git
+ location: https://github.com/yesodweb/haskell-xss-sanitize.git
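Review bot: The second hunk of the PATCH 3 diff also deletes `ghc-options: -Wall` from the `library` stanza, which is unrelated to dropping the `network-uri` flag and silently turns off the warnings (incomplete patterns, unused bindings, shadowing) that are cheap defect detectors in a sanitizer whose job is not to miss cases. Unless the intent is to reintroduce it in the hpack config, keep ` ghc-options: -Wall` in the library stanza or mention the removal in the commit message. The `, network-uri >= 2.6` line added to both stanzas has no upper bound while every neighbouring dependency in the same lists carries one; `, network-uri >= 2.6 && < 2.7` would follow the file's convention, widened if a newer major release is known to build.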
From e1581e4006b74045584b682bcc13ec35a5152fb0 Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Thu, 28 Jun 2018 12:36:06 +0300
Subject: [PATCH 4/6] hpack-ify

---
 .gitignore | 1 +
 package.yaml | 42 ++++++++++++++++++++++++++++++++++++++
 xss-sanitize.cabal | 50 ----------------------------------------------
 3 files changed, 43 insertions(+), 50 deletions(-)
 create mode 100644 package.yaml
 delete mode 100644 xss-sanitize.cabal

diff --git a/.gitignore b/.gitignore
index 8d68844..a1d1961 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ dist
 .cabal-sandbox/
 cabal.sandbox.config
 .stack-work/
+xss-sanitize.cabal
diff --git a/package.yaml b/package.yaml
new file mode 100644
index 0000000..2f29fe5
--- /dev/null
+++ b/package.yaml
@@ -0,0 +1,42 @@
+name: xss-sanitize
+version: 0.3.5.7
+synopsis: sanitize untrusted HTML to prevent XSS attacks
+description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent
+ XSS attacks. see README.md for
+ more details
+category: Web
+author: Greg Weber
+maintainer: Michael Snoyman
+license: BSD2
+github: yesodweb/haskell-xss-sanitize
+stability: Stable
+
+extra-source-files:
+- README.md
+- ChangeLog.md
+
+dependencies:
+- base ==4.*
+- containers
+- tagsoup >=0.12.2 && <1
+- utf8-string >=0.3 && <1.1
+- css-text >=0.1.1 && <0.2
+- text >=0.11 && <2
+- attoparsec >=0.10.0.3 && <1
+- network-uri >=2.6
+
+library:
+ source-dirs: src
+ exposed-modules:
+ - Text.HTML.SanitizeXSS
+
+tests:
+ test:
+ main: main.hs
+ source-dirs:
+ - test
+ - src
+ cpp-options: -DTEST
+ dependencies:
+ - hspec >=1.3
+ - HUnit >=1.2
diff --git a/xss-sanitize.cabal b/xss-sanitize.cabal
deleted file mode 100644
index f348fef..0000000
--- a/xss-sanitize.cabal
+++ /dev/null
@@ -1,50 +0,0 @@
-name: xss-sanitize
-version: 0.3.5.7
-license: BSD2
-license-file: LICENSE
-author: Greg Weber
-maintainer: Greg Weber
-synopsis: sanitize untrusted HTML to prevent XSS attacks
-description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent XSS attacks. see README.md for more details
-
-category: Web
-stability: Stable
-cabal-version: >= 1.8
-build-type: Simple
-homepage: http://github.com/yesodweb/haskell-xss-sanitize
-extra-source-files: README.md ChangeLog.md
-
-library
- hs-source-dirs: src
- build-depends: base == 4.*, containers
- , tagsoup >= 0.12.2 && < 1
- , utf8-string >= 0.3 && < 1.1
- , css-text >= 0.1.1 && < 0.2
- , text >= 0.11 && < 2
- , attoparsec >= 0.10.0.3 && < 1
- , network-uri >= 2.6
-
- exposed-modules: Text.HTML.SanitizeXSS
- other-modules: Text.HTML.SanitizeXSS.Css
-
-test-suite test
- type: exitcode-stdio-1.0
- hs-source-dirs: test, src
- main-is: main.hs
- other-modules: Text.HTML.SanitizeXSS
- Text.HTML.SanitizeXSS.Css
- cpp-options: -DTEST
- build-depends: base == 4.* , containers
- , tagsoup >= 0.12.2 && < 1
- , utf8-string >= 0.3 && < 1.1
- , css-text >= 0.1.1 && < 0.2
- , text >= 0.11 && < 2
- , attoparsec >= 0.10.0.3 && < 1
- , hspec >= 1.3
- , HUnit >= 1.2
- , network-uri >= 2.6
-
-
-source-repository head
- type: git
- location: https://github.com/yesodweb/haskell-xss-sanitize.git
From 75cf17fd5039a2c02a42bf1d175b29136a10c7fb Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Thu, 28 Jun 2018 12:36:50 +0300
Subject: [PATCH 5/6] Add CI

---
 .travis.yml | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++
 appveyor.yml | 36 ++++++++
 package.yaml | 2 +-
 3 files changed, 274 insertions(+), 1 deletion(-)
 create mode 100644 .travis.yml
 create mode 100644 appveyor.yml

diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..46bf888
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,237 @@
+# This is the complex Travis configuration, which is intended for use
+# on open source libraries which need compatibility across multiple GHC
+# versions, must work with cabal-install, and should be
+# cross-platform. For more information and other options, see:
+#
+# https://docs.haskellstack.org/en/stable/travis_ci/
+#
+# Copy these contents into the root directory of your Github project in a file
+# named .travis.yml
+
+# Use new container infrastructure to enable caching
+sudo: false
+
+# Do not choose a language; we provide our own build tools.
+language: generic
+
+# Caching so the next build will be fast too.
+cache:
+ directories:
+ - $HOME/.ghc
+ - $HOME/.cabal
+ - $HOME/.stack
+ - $TRAVIS_BUILD_DIR/.stack-work
+
+# The different configurations we want to test. We have BUILD=cabal which uses
+# cabal-install, and BUILD=stack which uses Stack. More documentation on each
+# of those below.
+#
+# We set the compiler values here to tell Travis to use a different
+# cache file per set of arguments.
+#
+# If you need to have different apt packages for each combination in the
+# matrix, you can use a line such as:
+# addons: {apt: {packages: [libfcgi-dev,libgmp-dev]}}
+matrix:
+ include:
+ # We grab the appropriate GHC and cabal-install versions from hvr's PPA. See:
+ # https://github.com/hvr/multi-ghc-travis
+ #- env: BUILD=cabal GHCVER=7.0.4 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ # compiler: ": #GHC 7.0.4"
+ # addons: {apt: {packages: [cabal-install-1.16,ghc-7.0.4,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ #- env: BUILD=cabal GHCVER=7.2.2 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ # compiler: ": #GHC 7.2.2"
+ # addons: {apt: {packages: [cabal-install-1.16,ghc-7.2.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ #- env: BUILD=cabal GHCVER=7.4.2 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ # compiler: ": #GHC 7.4.2"
+ # addons: {apt: {packages: [cabal-install-1.16,ghc-7.4.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ #- env: BUILD=cabal GHCVER=7.6.3 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ # compiler: ": #GHC 7.6.3"
+ # addons: {apt: {packages: [cabal-install-1.16,ghc-7.6.3,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ #- env: BUILD=cabal GHCVER=7.8.4 CABALVER=1.18 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ # compiler: ": #GHC 7.8.4"
+ # addons: {apt: {packages: [cabal-install-1.18,ghc-7.8.4,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ #- env: BUILD=cabal GHCVER=7.10.3 CABALVER=1.22 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ # compiler: ": #GHC 7.10.3"
+ # addons: {apt: {packages: [cabal-install-1.22,ghc-7.10.3,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ - env: BUILD=cabal GHCVER=8.0.2 CABALVER=1.24 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ compiler: ": #GHC 8.0.2"
+ addons: {apt: {packages: [cabal-install-1.24,ghc-8.0.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ - env: BUILD=cabal GHCVER=8.2.2 CABALVER=2.0 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ compiler: ": #GHC 8.2.2"
+ addons: {apt: {packages: [cabal-install-2.0,ghc-8.2.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+ - env: BUILD=cabal GHCVER=8.4.3 CABALVER=2.2 HAPPYVER=1.19.5 ALEXVER=3.1.7
+ compiler: ": #GHC 8.4.3"
+ addons: {apt: {packages: [cabal-install-2.2,ghc-8.4.3,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+
+ # Build with the newest GHC and cabal-install. This is an accepted failure,
+ # see below.
+ - env: BUILD=cabal GHCVER=head CABALVER=head HAPPYVER=1.19.5 ALEXVER=3.1.7
+ compiler: ": #GHC HEAD"
+ addons: {apt: {packages: [cabal-install-head,ghc-head,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
+
+ # The Stack builds. We can pass in arbitrary Stack arguments via the ARGS
+ # variable, such as using --stack-yaml to point to a different file.
+ - env: BUILD=stack ARGS=""
+ compiler: ": #stack default"
+ addons: {apt: {packages: [libgmp-dev]}}
+
+ #- env: BUILD=stack ARGS="--resolver lts-2"
+ # compiler: ": #stack 7.8.4"
+ # addons: {apt: {packages: [libgmp-dev]}}
+
+ #- env: BUILD=stack ARGS="--resolver lts-3"
+ # compiler: ": #stack 7.10.2"
+ # addons: {apt: {packages: [libgmp-dev]}}
+
+ #- env: BUILD=stack ARGS="--resolver lts-6"
+ # compiler: ": #stack 7.10.3"
+ # addons: {apt: {packages: [libgmp-dev]}}
+
+ #- env: BUILD=stack ARGS="--resolver lts-7"
+ # compiler: ": #stack 8.0.1"
+ # addons: {apt: {packages: [libgmp-dev]}}
+
+ - env: BUILD=stack ARGS="--resolver lts-9"
+ compiler: ": #stack 8.0.2"
+ addons: {apt: {packages: [libgmp-dev]}}
+
+ - env: BUILD=stack ARGS="--resolver lts-11"
+ compiler: ": #stack 8.2.2"
+ addons: {apt: {packages: [libgmp-dev]}}
+
+ # Nightly builds are allowed to fail
+ - env: BUILD=stack ARGS="--resolver nightly"
+ compiler: ": #stack nightly"
+ addons: {apt: {packages: [libgmp-dev]}}
+
+ # Build on macOS in addition to Linux
+ - env: BUILD=stack ARGS=""
+ compiler: ": #stack default osx"
+ os: osx
+
+ # Travis includes an macOS which is incompatible with GHC 7.8.4
+ #- env: BUILD=stack ARGS="--resolver lts-2"
+ # compiler: ": #stack 7.8.4 osx"
+ # os: osx
+
+ #- env: BUILD=stack ARGS="--resolver lts-3"
+ # compiler: ": #stack 7.10.2 osx"
+ # os: osx
+
+ #- env: BUILD=stack ARGS="--resolver lts-6"
+ # compiler: ": #stack 7.10.3 osx"
+ # os: osx
+
+ #- env: BUILD=stack ARGS="--resolver lts-7"
+ # compiler: ": #stack 8.0.1 osx"
+ # os: osx
+
+ - env: BUILD=stack ARGS="--resolver lts-9"
+ compiler: ": #stack 8.0.2 osx"
+ os: osx
+
+ - env: BUILD=stack ARGS="--resolver lts-11"
+ compiler: ": #stack 8.2.2 osx"
+ os: osx
+
+ - env: BUILD=stack ARGS="--resolver nightly"
+ compiler: ": #stack nightly osx"
+ os: osx
+
+ allow_failures:
+ - env: BUILD=cabal GHCVER=head CABALVER=head HAPPYVER=1.19.5 ALEXVER=3.1.7
+ - env: BUILD=stack ARGS="--resolver nightly"
+
+before_install:
+# Using compiler above sets CC to an invalid value, so unset it
+- unset CC
+
+# We want to always allow newer versions of packages when building on GHC HEAD
+- CABALARGS=""
+- if [ "x$GHCVER" = "xhead" ]; then CABALARGS=--allow-newer; fi
+
+# Download and unpack the stack executable
+- export PATH=/opt/ghc/$GHCVER/bin:/opt/cabal/$CABALVER/bin:$HOME/.local/bin:/opt/alex/$ALEXVER/bin:/opt/happy/$HAPPYVER/bin:$HOME/.cabal/bin:$PATH
+- mkdir -p ~/.local/bin
+- |
+ if [ `uname` = "Darwin" ]
+ then
+ travis_retry curl --insecure -L https://get.haskellstack.org/stable/osx-x86_64.tar.gz | tar xz --strip-components=1 --include '*/stack' -C ~/.local/bin
+ else
+ travis_retry curl -L https://get.haskellstack.org/stable/linux-x86_64.tar.gz | tar xz --wildcards --strip-components=1 -C ~/.local/bin '*/stack'
+ fi
+
+ # Use the more reliable S3 mirror of Hackage
+ mkdir -p $HOME/.cabal
+ echo 'remote-repo: hackage.haskell.org:http://hackage.fpcomplete.com/' > $HOME/.cabal/config
+ echo 'remote-repo-cache: $HOME/.cabal/packages' >> $HOME/.cabal/config
+
+
+install:
+- echo "$(ghc --version) [$(ghc --print-project-git-commit-id 2> /dev/null || echo '?')]"
+- if [ -f configure.ac ]; then autoreconf -i; fi
+- |
+ set -ex
+ case "$BUILD" in
+ stack)
+ # Add in extra-deps for older snapshots, as necessary
+ #
+ # This is disabled by default, as relying on the solver like this can
+ # make builds unreliable. Instead, if you have this situation, it's
+ # recommended that you maintain multiple stack-lts-X.yaml files.
+
+ #stack --no-terminal --install-ghc $ARGS test --bench --dry-run || ( \
+ # stack --no-terminal $ARGS build cabal-install && \
+ # stack --no-terminal $ARGS solver --update-config)
+
+ # Build the dependencies
+ stack --no-terminal --install-ghc $ARGS test --bench --only-dependencies
+ ;;
+ cabal)
+ cabal --version
+ travis_retry cabal update
+
+ # Get the list of packages from the stack.yaml file. Note that
+ # this will also implicitly run hpack as necessary to generate
+ # the .cabal files needed by cabal-install.
+ PACKAGES=$(stack --install-ghc query locals | grep '^ *path' | sed 's@^ *path:@@')
+
+ cabal install --only-dependencies --enable-tests --enable-benchmarks --force-reinstalls --ghc-options=-O0 --reorder-goals --max-backjumps=-1 $CABALARGS $PACKAGES
+ ;;
+ esac
+ set +ex
+
+script:
+- |
+ set -ex
+ case "$BUILD" in
+ stack)
+ stack --no-terminal $ARGS test --bench --no-run-benchmarks --haddock --no-haddock-deps
+ ;;
+ cabal)
+ cabal install --enable-tests --enable-benchmarks --force-reinstalls --ghc-options=-O0 --reorder-goals --max-backjumps=-1 $CABALARGS $PACKAGES
+
+ ORIGDIR=$(pwd)
+ for dir in $PACKAGES
+ do
+ cd $dir
+ cabal check || [ "$CABALVER" == "1.16" ]
+ cabal sdist
+ PKGVER=$(cabal info . | awk '{print $2;exit}')
+ SRC_TGZ=$PKGVER.tar.gz
+ cd dist
+ tar zxfv "$SRC_TGZ"
+ cd "$PKGVER"
+ cabal configure --enable-tests --ghc-options -O0
+ cabal build
+ if [ "$CABALVER" = "1.16" ] || [ "$CABALVER" = "1.18" ]; then
+ cabal test
+ else
+ cabal test --show-details=streaming --log=/dev/stdout
+ fi
+ cd $ORIGDIR
+ done
+ ;;
+ esac
+ set +ex
diff --git a/appveyor.yml b/appveyor.yml
new file mode 100644
index 0000000..945cded
--- /dev/null
+++ b/appveyor.yml
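Review bot: The macOS branch of `before_install` fetches the `stack` binary with `curl --insecure` and pipes it straight into `tar`, so TLS certificate verification is switched off for an executable that every later step of the job runs; the Linux branch two lines below verifies normally, which makes the asymmetry look accidental rather than required. Drop the flag, `travis_retry curl -L https://get.haskellstack.org/stable/osx-x86_64.tar.gz | tar xz --strip-components=1 --include '*/stack' -C ~/.local/bin`, and if a fixed toolchain is wanted, pin a versioned release and compare its published SHA-256 rather than weakening transport security. The Hackage mirror written to `$HOME/.cabal/config` is plain `http://`, so the `BUILD=cabal` jobs fetch the package index and every dependency tarball without TLS and, in the legacy `remote-repo:` form, without hackage-security index verification; if the mirror serves TLS, `remote-repo: hackage.haskell.org:https://hackage.fpcomplete.com/` closes the obvious gap. These jobs are CI-only, but a substituted dependency would still be compiled and executed by the test run, with the cache directories above persisting it across builds.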
@@ -0,0 +1,36 @@
+build: off
+
+before_test:
+# http://help.appveyor.com/discussions/problems/6312-curl-command-not-found
+- set PATH=C:\Program Files\Git\mingw64\bin;%PATH%
+
+- curl -sS -ostack.zip -L --insecure https://get.haskellstack.org/stable/windows-x86_64.zip
+- 7z x stack.zip stack.exe
+
+clone_folder: "c:\\stack"
+environment:
+ global:
+ STACK_ROOT: "c:\\sr"
+
+ # Override the temp directory to avoid sed escaping issues
+ # See https://github.com/haskell/cabal/issues/5386
+ TMP: "c:\\tmp"
+
+ matrix:
+ - ARGS: ""
+ #- ARGS: "--resolver lts-2"
+ #- ARGS: "--resolver lts-3"
+ #- ARGS: "--resolver lts-6"
+ #- ARGS: "--resolver lts-7"
+ - ARGS: "--resolver lts-9"
+ - ARGS: "--resolver lts-11"
+ #- ARGS: "--resolver nightly"
+
+test_script:
+
+# Install toolchain, but do it silently due to lots of output
+- stack %ARGS% setup > nul
+
+# The ugly echo "" hack is to avoid complaints about 0 being an invalid file
+# descriptor
+- echo "" | stack %ARGS% --no-terminal test
diff --git a/package.yaml b/package.yaml
index 2f29fe5..ca9542f 100644
--- a/package.yaml
+++ b/package.yaml
@@ -16,7 +16,7 @@ extra-source-files:
 - ChangeLog.md

 dependencies:
-- base ==4.*
+- base >= 4.9.1 && < 5
 - containers
 - tagsoup >=0.12.2 && <1
 - utf8-string >=0.3 && <1.1
From 2df057fb6599e5c60f04afe0dd06604412d0448b Mon Sep 17 00:00:00 2001
From: Michael Snoyman
Date: Thu, 28 Jun 2018 19:04:03 +0300
Subject: [PATCH 6/6] Badges

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 68c170a..06ca2d5 100644
--- a/README.md
+++ b/README.md
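Review bot: `- curl -sS -ostack.zip -L --insecure https://get.haskellstack.org/stable/windows-x86_64.zip` in `before_test` disables certificate verification for the download of `stack.exe`, which the next step extracts and `test_script` then executes with the repository checked out, so anyone able to interpose on the AppVeyor network path can run arbitrary code in the build. Nothing in the hunk indicates the endpoint requires it; use `- curl -sS -ostack.zip -L https://get.haskellstack.org/stable/windows-x86_64.zip`, and if a reproducible toolchain is the goal, fetch a versioned release and check its published checksum before `7z x`. The same `--insecure` is present in the macOS branch of `.travis.yml` added by this commit, so both should be fixed together.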
@@ -1,5 +1,8 @@ # Summary +[![Build Status](https://travis-ci.org/yesodweb/haskell-xss-sanitize.svg?branch=master)](https://travis-ci.org/yesodweb/haskell-xss-sanitize) +[![Build status](https://ci.appveyor.com/api/projects/status/1i4xx9qi53r58tsh/branch/master?svg=true)](https://ci.appveyor.com/project/snoyberg/haskell-xss-sanitize/branch/master) + xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below.