add srcset, similar to src

2017-04-10 08:28:18 -07:00
2 changed files with 7 additions and 1 deletions
--- a/Text/HTML/SanitizeXSS.hs
+++ b/Text/HTML/SanitizeXSS.hs
@ -128,7 +128,7 @@ sanitaryAttributes = fromList (allowed_html_uri_attributes ++ acceptable_attribu
  \\ (fromList svg_attr_val_allows_ref) -- extra unescaping not implemented

 allowed_html_uri_attributes :: [Text]
-allowed_html_uri_attributes = ["href", "src", "cite", "action", "longdesc"]
+allowed_html_uri_attributes = ["href", "src", "srcset", "cite", "action", "longdesc"]

 uri_attributes :: Set Text
 uri_attributes = fromList $ allowed_html_uri_attributes ++ ["xlink:href", "xml:base"]
--- a/test/main.hs
+++ b/test/main.hs
@ -23,6 +23,12 @@ main = hspec $ do
      test sanitizeBalance testHTML " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img />   <br /> <b>Unbalanced<div></div><img src=\"http://safe.com\"></b>"
      sanitized testHTML " <a href=\"http://safe.com\">safe</a><a>anchor</a> <img />   <br /> <b>Unbalanced</div><img src=\"http://safe.com\">"

+    it "srcset" $ do
+      let allowed = "<img srcset=\"safe.com\" />"
+      sanitized allowed allowed
+      let bad = "<img src='evil://evil.com' />"
+      sanitized bad "<img />"
+
    it "relativeURI" $ do
      let testRelativeURI = "<a href=\"foo\">bar</a>"
      sanitized testRelativeURI testRelativeURI