haskell/xss-sanitize
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge.

Browse Source
This commit is contained in:
Yitzchak Gale 2018-07-01 13:07:07 +03:00
commit c77292bf51
9 changed files with 321 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -3,3 +3,5 @@
dist dist
.cabal-sandbox/ .cabal-sandbox/
cabal.sandbox.config cabal.sandbox.config
.stack-work/
xss-sanitize.cabal

237
.travis.yml Normal file
View File

@ -0,0 +1,237 @@
# This is the complex Travis configuration, which is intended for use
# on open source libraries which need compatibility across multiple GHC
# versions, must work with cabal-install, and should be
# cross-platform. For more information and other options, see:
#
# https://docs.haskellstack.org/en/stable/travis_ci/
#
# Copy these contents into the root directory of your Github project in a file
# named .travis.yml
# Use new container infrastructure to enable caching
sudo: false
# Do not choose a language; we provide our own build tools.
language: generic
# Caching so the next build will be fast too.
cache:
directories:
- $HOME/.ghc
- $HOME/.cabal
- $HOME/.stack
- $TRAVIS_BUILD_DIR/.stack-work
# The different configurations we want to test. We have BUILD=cabal which uses
# cabal-install, and BUILD=stack which uses Stack. More documentation on each
# of those below.
#
# We set the compiler values here to tell Travis to use a different
# cache file per set of arguments.
#
# If you need to have different apt packages for each combination in the
# matrix, you can use a line such as:
# addons: {apt: {packages: [libfcgi-dev,libgmp-dev]}}
matrix:
include:
# We grab the appropriate GHC and cabal-install versions from hvr's PPA. See:
# https://github.com/hvr/multi-ghc-travis
#- env: BUILD=cabal GHCVER=7.0.4 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
# compiler: ": #GHC 7.0.4"
# addons: {apt: {packages: [cabal-install-1.16,ghc-7.0.4,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
#- env: BUILD=cabal GHCVER=7.2.2 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
# compiler: ": #GHC 7.2.2"
# addons: {apt: {packages: [cabal-install-1.16,ghc-7.2.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
#- env: BUILD=cabal GHCVER=7.4.2 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
# compiler: ": #GHC 7.4.2"
# addons: {apt: {packages: [cabal-install-1.16,ghc-7.4.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
#- env: BUILD=cabal GHCVER=7.6.3 CABALVER=1.16 HAPPYVER=1.19.5 ALEXVER=3.1.7
# compiler: ": #GHC 7.6.3"
# addons: {apt: {packages: [cabal-install-1.16,ghc-7.6.3,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
#- env: BUILD=cabal GHCVER=7.8.4 CABALVER=1.18 HAPPYVER=1.19.5 ALEXVER=3.1.7
# compiler: ": #GHC 7.8.4"
# addons: {apt: {packages: [cabal-install-1.18,ghc-7.8.4,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
#- env: BUILD=cabal GHCVER=7.10.3 CABALVER=1.22 HAPPYVER=1.19.5 ALEXVER=3.1.7
# compiler: ": #GHC 7.10.3"
# addons: {apt: {packages: [cabal-install-1.22,ghc-7.10.3,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
- env: BUILD=cabal GHCVER=8.0.2 CABALVER=1.24 HAPPYVER=1.19.5 ALEXVER=3.1.7
compiler: ": #GHC 8.0.2"
addons: {apt: {packages: [cabal-install-1.24,ghc-8.0.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
- env: BUILD=cabal GHCVER=8.2.2 CABALVER=2.0 HAPPYVER=1.19.5 ALEXVER=3.1.7
compiler: ": #GHC 8.2.2"
addons: {apt: {packages: [cabal-install-2.0,ghc-8.2.2,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
- env: BUILD=cabal GHCVER=8.4.3 CABALVER=2.2 HAPPYVER=1.19.5 ALEXVER=3.1.7
compiler: ": #GHC 8.4.3"
addons: {apt: {packages: [cabal-install-2.2,ghc-8.4.3,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
# Build with the newest GHC and cabal-install. This is an accepted failure,
# see below.
- env: BUILD=cabal GHCVER=head CABALVER=head HAPPYVER=1.19.5 ALEXVER=3.1.7
compiler: ": #GHC HEAD"
addons: {apt: {packages: [cabal-install-head,ghc-head,happy-1.19.5,alex-3.1.7], sources: [hvr-ghc]}}
# The Stack builds. We can pass in arbitrary Stack arguments via the ARGS
# variable, such as using --stack-yaml to point to a different file.
- env: BUILD=stack ARGS=""
compiler: ": #stack default"
addons: {apt: {packages: [libgmp-dev]}}
#- env: BUILD=stack ARGS="--resolver lts-2"
# compiler: ": #stack 7.8.4"
# addons: {apt: {packages: [libgmp-dev]}}
#- env: BUILD=stack ARGS="--resolver lts-3"
# compiler: ": #stack 7.10.2"
# addons: {apt: {packages: [libgmp-dev]}}
#- env: BUILD=stack ARGS="--resolver lts-6"
# compiler: ": #stack 7.10.3"
# addons: {apt: {packages: [libgmp-dev]}}
#- env: BUILD=stack ARGS="--resolver lts-7"
# compiler: ": #stack 8.0.1"
# addons: {apt: {packages: [libgmp-dev]}}
- env: BUILD=stack ARGS="--resolver lts-9"
compiler: ": #stack 8.0.2"
addons: {apt: {packages: [libgmp-dev]}}
- env: BUILD=stack ARGS="--resolver lts-11"
compiler: ": #stack 8.2.2"
addons: {apt: {packages: [libgmp-dev]}}
# Nightly builds are allowed to fail
- env: BUILD=stack ARGS="--resolver nightly"
compiler: ": #stack nightly"
addons: {apt: {packages: [libgmp-dev]}}
# Build on macOS in addition to Linux
- env: BUILD=stack ARGS=""
compiler: ": #stack default osx"
os: osx
# Travis includes an macOS which is incompatible with GHC 7.8.4
#- env: BUILD=stack ARGS="--resolver lts-2"
# compiler: ": #stack 7.8.4 osx"
# os: osx
#- env: BUILD=stack ARGS="--resolver lts-3"
# compiler: ": #stack 7.10.2 osx"
# os: osx
#- env: BUILD=stack ARGS="--resolver lts-6"
# compiler: ": #stack 7.10.3 osx"
# os: osx
#- env: BUILD=stack ARGS="--resolver lts-7"
# compiler: ": #stack 8.0.1 osx"
# os: osx
- env: BUILD=stack ARGS="--resolver lts-9"
compiler: ": #stack 8.0.2 osx"
os: osx
- env: BUILD=stack ARGS="--resolver lts-11"
compiler: ": #stack 8.2.2 osx"
os: osx
- env: BUILD=stack ARGS="--resolver nightly"
compiler: ": #stack nightly osx"
os: osx
allow_failures:
- env: BUILD=cabal GHCVER=head CABALVER=head HAPPYVER=1.19.5 ALEXVER=3.1.7
- env: BUILD=stack ARGS="--resolver nightly"
before_install:
# Using compiler above sets CC to an invalid value, so unset it
- unset CC
# We want to always allow newer versions of packages when building on GHC HEAD
- CABALARGS=""
- if [ "x$GHCVER" = "xhead" ]; then CABALARGS=--allow-newer; fi
# Download and unpack the stack executable
- export PATH=/opt/ghc/$GHCVER/bin:/opt/cabal/$CABALVER/bin:$HOME/.local/bin:/opt/alex/$ALEXVER/bin:/opt/happy/$HAPPYVER/bin:$HOME/.cabal/bin:$PATH
- mkdir -p ~/.local/bin
- |
if [ `uname` = "Darwin" ]
then
travis_retry curl --insecure -L https://get.haskellstack.org/stable/osx-x86_64.tar.gz | tar xz --strip-components=1 --include '*/stack' -C ~/.local/bin
else
travis_retry curl -L https://get.haskellstack.org/stable/linux-x86_64.tar.gz | tar xz --wildcards --strip-components=1 -C ~/.local/bin '*/stack'
fi
# Use the more reliable S3 mirror of Hackage
mkdir -p $HOME/.cabal
echo 'remote-repo: hackage.haskell.org:http://hackage.fpcomplete.com/' > $HOME/.cabal/config
echo 'remote-repo-cache: $HOME/.cabal/packages' >> $HOME/.cabal/config
install:
- echo "$(ghc --version) [$(ghc --print-project-git-commit-id 2> /dev/null || echo '?')]"
- if [ -f configure.ac ]; then autoreconf -i; fi
- |
set -ex
case "$BUILD" in
stack)
# Add in extra-deps for older snapshots, as necessary
#
# This is disabled by default, as relying on the solver like this can
# make builds unreliable. Instead, if you have this situation, it's
# recommended that you maintain multiple stack-lts-X.yaml files.
#stack --no-terminal --install-ghc $ARGS test --bench --dry-run || ( \
# stack --no-terminal $ARGS build cabal-install && \
# stack --no-terminal $ARGS solver --update-config)
# Build the dependencies
stack --no-terminal --install-ghc $ARGS test --bench --only-dependencies
;;
cabal)
cabal --version
travis_retry cabal update
# Get the list of packages from the stack.yaml file. Note that
# this will also implicitly run hpack as necessary to generate
# the .cabal files needed by cabal-install.
PACKAGES=$(stack --install-ghc query locals | grep '^ *path' | sed 's@^ *path:@@')
cabal install --only-dependencies --enable-tests --enable-benchmarks --force-reinstalls --ghc-options=-O0 --reorder-goals --max-backjumps=-1 $CABALARGS $PACKAGES
;;
esac
set +ex
script:
- |
set -ex
case "$BUILD" in
stack)
stack --no-terminal $ARGS test --bench --no-run-benchmarks --haddock --no-haddock-deps
;;
cabal)
cabal install --enable-tests --enable-benchmarks --force-reinstalls --ghc-options=-O0 --reorder-goals --max-backjumps=-1 $CABALARGS $PACKAGES
ORIGDIR=$(pwd)
for dir in $PACKAGES
do
cd $dir
cabal check || [ "$CABALVER" == "1.16" ]
cabal sdist
PKGVER=$(cabal info . | awk '{print $2;exit}')
SRC_TGZ=$PKGVER.tar.gz
cd dist
tar zxfv "$SRC_TGZ"
cd "$PKGVER"
cabal configure --enable-tests --ghc-options -O0
cabal build
if [ "$CABALVER" = "1.16" ] || [ "$CABALVER" = "1.18" ]; then
cabal test
else
cabal test --show-details=streaming --log=/dev/stdout
fi
cd $ORIGDIR
done
;;
esac
set +ex

3
README.md
View File

@ -1,5 +1,8 @@
# Summary # Summary
[![Build Status](https://travis-ci.org/yesodweb/haskell-xss-sanitize.svg?branch=master)](https://travis-ci.org/yesodweb/haskell-xss-sanitize)
[![Build status](https://ci.appveyor.com/api/projects/status/1i4xx9qi53r58tsh/branch/master?svg=true)](https://ci.appveyor.com/project/snoyberg/haskell-xss-sanitize/branch/master)
xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list. xss-sanitize allows you to accept html from untrusted sources by first filtering it through a white list.
The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below. The white list filtering is fairly comprehensive, including support for css in style attributes, but there are limitations enumerated below.

36
appveyor.yml Normal file
View File

@ -0,0 +1,36 @@
build: off
before_test:
# http://help.appveyor.com/discussions/problems/6312-curl-command-not-found
- set PATH=C:\Program Files\Git\mingw64\bin;%PATH%
- curl -sS -ostack.zip -L --insecure https://get.haskellstack.org/stable/windows-x86_64.zip
- 7z x stack.zip stack.exe
clone_folder: "c:\\stack"
environment:
global:
STACK_ROOT: "c:\\sr"
# Override the temp directory to avoid sed escaping issues
# See https://github.com/haskell/cabal/issues/5386
TMP: "c:\\tmp"
matrix:
- ARGS: ""
#- ARGS: "--resolver lts-2"
#- ARGS: "--resolver lts-3"
#- ARGS: "--resolver lts-6"
#- ARGS: "--resolver lts-7"
- ARGS: "--resolver lts-9"
- ARGS: "--resolver lts-11"
#- ARGS: "--resolver nightly"
test_script:
# Install toolchain, but do it silently due to lots of output
- stack %ARGS% setup > nul
# The ugly echo "" hack is to avoid complaints about 0 being an invalid file
# descriptor
- echo "" | stack %ARGS% --no-terminal test

42
package.yaml Normal file
View File

@ -0,0 +1,42 @@
name: xss-sanitize
version: 0.3.5.8
synopsis: sanitize untrusted HTML to prevent XSS attacks
description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent
XSS attacks. see README.md <http://github.com/yesodweb/haskell-xss-sanitize> for
more details
category: Web
author: Greg Weber <greg@gregweber.info>
maintainer: Michael Snoyman <michael@snoyman.com>
license: BSD2
github: yesodweb/haskell-xss-sanitize
stability: Stable
extra-source-files:
- README.md
- ChangeLog.md
dependencies:
- base >= 4.9.1 && < 5
- containers
- tagsoup >=0.12.2 && <1
- utf8-string >=0.3 && <1.1
- css-text >=0.1.1 && <0.2
- text >=0.11 && <2
- attoparsec >=0.10.0.3 && <1
- network-uri >=2.6
library:
source-dirs: src
exposed-modules:
- Text.HTML.SanitizeXSS
tests:
test:
main: main.hs
source-dirs:
- test
- src
cpp-options: -DTEST
dependencies:
- hspec >=1.3
- HUnit >=1.2

0
Text/HTML/SanitizeXSS.hs → src/Text/HTML/SanitizeXSS.hs
View File

0
Text/HTML/SanitizeXSS/Css.hs → src/Text/HTML/SanitizeXSS/Css.hs
View File

1
stack.yaml Normal file
View File

@ -0,0 +1 @@
resolver: lts-11.10

59
xss-sanitize.cabal
View File

@ -1,59 +0,0 @@
name: xss-sanitize
version: 0.3.5.8
license: BSD2
license-file: LICENSE
author: Greg Weber <greg@gregweber.info>
maintainer: Greg Weber <greg@gregweber.info>
synopsis: sanitize untrusted HTML to prevent XSS attacks
description: run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to prevent XSS attacks. see README.md <http://github.com/yesodweb/haskell-xss-sanitize> for more details
category: Web
stability: Stable
cabal-version: >= 1.8
build-type: Simple
homepage: http://github.com/yesodweb/haskell-xss-sanitize
extra-source-files: README.md
flag network-uri
description: Get Network.URI from the network-uri package
default: True
library
build-depends: base == 4.*, containers
, tagsoup >= 0.12.2 && < 1
, utf8-string >= 0.3 && < 1.1
, css-text >= 0.1.1 && < 0.2
, text >= 0.11 && < 2
, attoparsec >= 0.10.0.3 && < 1
if flag(network-uri)
build-depends: network-uri >= 2.6
else
build-depends: network < 2.6
exposed-modules: Text.HTML.SanitizeXSS
other-modules: Text.HTML.SanitizeXSS.Css
ghc-options: -Wall
test-suite test
type: exitcode-stdio-1.0
main-is: test/main.hs
cpp-options: -DTEST
build-depends: base == 4.* , containers
, tagsoup >= 0.12.2 && < 1
, utf8-string >= 0.3 && < 1.1
, css-text >= 0.1.1 && < 0.2
, text >= 0.11 && < 2
, attoparsec >= 0.10.0.3 && < 1
, hspec >= 1.3
, HUnit >= 1.2
if flag(network-uri)
build-depends: network-uri >= 2.6
else
build-depends: network < 2.6
source-repository head
type: git
location: http://github.com/yesodweb/haskell-xss-sanitize.git