so we don't have to account for it below.
my $user = $attr->{user} =
exists $attr->{name} ? $attr->{name}
: exists $attr->{user} ? $attr->{user}
: exists $attr->{comm} ? $attr->{comm}
: undef;
$newdata .= user_link_html( $user, $attr->{site}, $usertag_opts );
}
elsif ( $tag eq "lj-raw" && !$nodwtags ) {
# Strip it out, but still register it as being open
$opencount{$tag}++;
}
# Don't allow any tag with the "set" attribute
elsif ( $tag =~ m/:set$/ ) {
next;
}
else {
my $alt_output = 0;
my $hash = $token->[2];
my $attrs = $token->[3]; # attribute names, in original order
$slashclose = 1 if delete $hash->{'/'};
foreach (@attrstrip) {
# maybe there's a better place for this?
next if ( lc $tag eq 'lj-embed' && lc $_ eq 'id' );
delete $hash->{$_};
}
if ( $tag eq "form" ) {
my $action = lc( $hash->{'action'} );
my $deny = 0;
if ( $action =~ m!^https?://?([^/]+)! ) {
my $host = $1;
$deny = 1
if $host =~ /[%\@\s]/
|| $LJ::FORM_DOMAIN_BANNED{$host};
}
else {
$deny = 1;
}
delete $hash->{'action'} if $deny;
}
ATTR:
foreach my $attr ( keys %$hash ) {
if ( $attr =~ /^(?:on|dynsrc)/ ) {
delete $hash->{$attr};
next;
}
if ( $attr eq "data" ) {
delete $hash->{$attr};
# type specifies the content type for the data specified by "data"
# without the data, this has no useful effect
# but may cause the object tag not to use the fallback values in Firefox
delete $hash->{"type"};
next;
}
if ( $attr =~ /(?:^=)|[\x0b\x0d]/ ) {
# Cleaner attack: ' onmouseover="javascript:alert(document/**/.cookie)" >
# is returned by HTML::Parser as P_tag("='" => "='") Text( onmouseover...)
# which leads to reconstruction of valid HTML. Clever!
# detect this, and fail.
$total_fail->( $cut, "$tag $attr" );
last TOKEN;
}
# ignore attributes that do not fit this strict scheme
unless ( $attr =~ /^[\w_:-]+$/ ) {
$total_fail->(
$cut, "$tag " . ( scalar keys %$hash > 1 ? "[...] " : "" ) . "$attr"
);
last TOKEN;
}
$hash->{$attr} =~ s/[\t\n]//g;
# IE ignores the null character, so strip it out
$hash->{$attr} =~ s/\x0//g;
# IE sucks:
my $nowhite = $hash->{$attr};
$nowhite =~ s/[\s\x0b]+//g;
if ( $nowhite =~ /(?:jscript|livescript|javascript|vbscript|^about|data):/ix ) {
delete $hash->{$attr};
next;
}
if ( $attr eq 'style' ) {
if ( $opts->{'cleancss'} ) {
# css2 spec, section 4.1.3
# position === p\osition :(
# strip all slashes no matter what.
$hash->{style} =~ s/\\//g;
# and catch the obvious ones ("[" is for things like document["coo"+"kie"]
foreach my $css ( "/*", "[",
qw(absolute fixed expression eval behavior cookie document window javascript -moz-binding)
)
{
if ( $hash->{style} =~ /\Q$css\E/i ) {
delete $hash->{style};
next ATTR;
}
}
if ( $opts->{'strongcleancss'} ) {
if ( $hash->{style} =~
/-moz-|absolute|relative|outline|z-index|(?{style};
next ATTR;
}
}
# remove specific CSS definitions
if ($remove_colors) {
$hash->{style} =~ s/(?:background-)?color:.*?(?:;|$)//gi;
}
if ($remove_sizes) {
$hash->{style} =~ s/font-size:.*?(?:;|$)//gi;
}
elsif ($remove_abs_sizes) {
$hash->{style} =~ s/font-size:\s*?\d+.*?(?:;|$)//gi;
}
if ($remove_fonts) {
$hash->{style} =~ s/font-family:.*?(?:;|$)//gi;
}
if ($remove_positioning) {
$hash->{style} =~ s/margin.*?(?:;|$)//gi;
$hash->{style} =~ s/height\s*?:.*?(?:;|$)//gi;
$hash->{style} =~ s/display\s*?:\s*?none\s*?(?:;|$)//gi;
my $too_large = 0;
PADDING:
while ( $hash->{style} =~ /padding.*?:\s*?(.*?)(?:;|$)/gi ) {
my $padding_value = $1;
foreach ( split /\s+/, $padding_value ) {
next unless $_;
if ( ( int($_) || 0 ) > 500 ) {
$too_large = 1;
last PADDING;
}
}
}
$hash->{style} =~ s/padding.*?(?:;|$)//gi
if $too_large;
}
if ($extractlinks) {
$hash->{style} =~ s/url\(.*?\)//gi;
}
}
if ( $opts->{'clean_js_css'} && LJ::is_enabled('css_cleaner') ) {
# and then run it through a harder CSS cleaner that does a full parse
my $css = LJ::CSS::Cleaner->new;
$hash->{style} = $css->clean_property( $hash->{style} );
}
}
if ( ( $attr eq 'class' || $attr eq 'id' ) && $opts->{'strongcleancss'} ) {
delete $hash->{$attr};
next;
}
# reserve ljs_* ids for divs, etc so users can't override them to replace content
if ( $attr eq 'id' && $hash->{$attr} =~ /^ljs_/i ) {
delete $hash->{$attr};
next;
}
# remove specific attributes
my %remove_attrs = (
color => $remove_colors,
bgcolor => $remove_colors,
fgcolor => $remove_colors,
text => $remove_colors,
size => $remove_sizes,
face => $remove_fonts,
);
if ( $remove_attrs{$attr} ) {
delete $hash->{$attr};
next ATTR;
}
}
if ( exists $hash->{href} ) {
## links to some resources will be completely blocked
## and replaced by value of 'blocked_link_substitute' param
if ($blocked_links) {
foreach my $re (@$blocked_links) {
if ( $hash->{href} =~ $re ) {
$hash->{href} =
sprintf( $blocked_link_substitute, LJ::eurl( $hash->{href} ) );
last;
}
}
}
unless ( $hash->{href} =~ s/^(?:lj|site):(?:\/\/)?(.*)$/ExpandLJURL($1)/ei ) {
$hash->{href} = canonical_url( $hash->{href}, 1 );
}
}
if ( $tag eq "img" ) {
my $img_bad = 0;
if ( defined $opts->{'maximgwidth'}
&& $hash->{width} > $opts->{maximgwidth} )
{
$img_bad = 1;
}
if ( defined $opts->{'maximgheight'}
&& $hash->{height} > $opts->{maximgheight} )
{
$img_bad = 1;
}
if ( !defined $hash->{width}
|| !defined $hash->{height} )
{
$img_bad ||= $opts->{imageplaceundef};
}
if ( $opts->{'extractimages'} ) { $img_bad = 1; }
my $sanitize_url = sub {
my $url = canonical_url( $_[0], 1 );
return $url if $to_external_site;
return https_url( $url, journal => $journal, ditemid => $ditemid );
};
$hash->{src} = $sanitize_url->( $hash->{src} );
# some responsive images use srcset as well as src;
# both attributes should be proxied for https if requested
if ( defined $hash->{srcset} ) {
$hash->{srcset} =~ s!\b(http://\S+)!$sanitize_url->( $1 )!egi;
}
if ($img_bad) {
$newdata .=
"{'src'} ) . "\">"
. LJ::img('placeholder') . '';
$alt_output = 1;
$opencount{"img"}++;
}
}
if ( $tag eq "a" && $extractlinks ) {
push @canonical_urls, canonical_url( $token->[2]->{href}, 1 );
$newdata .= "";
next;
}
# Through the xsl namespace in XML, it is possible to embed scripting lanaguages
# as elements which will then be executed by the browser. Combining this with
# customview.cgi makes it very easy for someone to replace their entire journal
# in S1 with a page that embeds scripting as well. An example being an AJAX
# six degrees tool, while cool it should not be allowed.
#
# FIXME Dreamwidth does not support S1 and customview has been removed.
#
# Example syntax:
#
# text/javascript
if ( $tag eq 'xsl:attribute' ) {
$alt_output = 1; # We'll always deal with output for this token
my $orig_value = $p->get_text; # Get the value of this element
my $value = $orig_value; # Make a copy if this turns out to be alright
$value =~ s/\s+//g; # Remove any whitespace
# See if they are trying to output scripting, if so eat the xsl:attribute
# container and its value
if ( $value =~ /(javascript|vbscript)/i ) {
# Remove the closing tag from the tree
$p->get_token;
# Remove the value itself from the tree
$p->get_text;
# No harm, no foul...Write back out the original
}
else {
$newdata .= "$token->[4]$orig_value";
}
}
unless ($alt_output) {
my $allow;
if ( $mode eq "allow" ) {
$allow = 1;
if ( defined $action{$tag} and $action{$tag} eq "deny" ) { $allow = 0; }
if ( defined $action{$tag} and $action{$tag} eq "conditional" ) {
$allow = $force_allow;
}
}
else {
$allow = 0;
if ( defined $action{$tag} and $action{$tag} eq "allow" ) { $allow = 1; }
}
if ( $allow && !$remove{$tag} ) {
$allow = 0 if
# can't open table elements from outside a table
( $tag =~ /^(?:tbody|thead|tfoot|tr|td|th|caption|colgroup|col)$/
&& !@tablescope )
||
# can't open td or th if not inside tr
( $tag =~ /^(?:td|th)$/ && !$tablescope[-1]->{'tr'} ) ||
# can't open a table unless inside a td or th
( $tag eq 'table' && @tablescope && !grep { $tablescope[-1]->{$_} }
qw(td th) );
if ($allow) { $newdata .= "<$tag"; }
else { $newdata .= "<$tag"; }
# output attributes in original order, but only those
# that are allowed (by still being in %$hash after cleaning)
foreach (@$attrs) {
unless ( LJ::is_ascii( $hash->{$_} ) ) {
# FIXME: this isn't nice. make faster. make generic.
# HTML::Parser decodes entities for us (which is good)
# but in Perl 5.8 also includes the "poison" SvUTF8
# flag on the scalar it returns, thus poisoning the
# rest of the content this scalar is appended with.
# we need to remove that poison at this point. *sigh*
$hash->{$_} = LJ::no_utf8_flag( $hash->{$_} );
}
$newdata .= " $_=\"" . LJ::ehtml( $hash->{$_} ) . "\""
if exists $hash->{$_};
}
if ($slashclose) {
if ( $tag =~ $slashclose_tags ) {
# ignore the effects of slashclose unless we're dealing with a tag that can
# actually close itself. Otherwise, a tag like can pass through as valid
# even though some browsers just render it as an opening tag
$newdata .= " /";
$opencount{$tag}--;
$tablescope[-1]->{$tag}-- if @tablescope;
}
else {
# we didn't actually slash close, treat this as a normal opening tag
$slashclose = 0;
}
}
if ($allow) {
$newdata .= ">";
$opencount{$tag}++;
# open table
if ( $tag eq 'table' ) {
push @tablescope, {};
# new tag within current table
}
elsif (@tablescope) {
$tablescope[-1]->{$tag}++;
}
# we have all this previous logic which makes us
# not automatically close tags inside tables
# so rather than mess with it, let's just ignore those
# and only deal with non-self-closing tags
# which are not in a table
# (but we still want to close ; that's not yet inside the table)
push @tagstack, $tag
if !$slashclose && ( $tag eq "table" || !@tablescope );
}
else { $newdata .= ">"; }
}
}
}
}
# end tag
elsif ( $type eq "E" ) {
my $tag = $update_tag->( $token->[1] );
next TOKEN if $tag =~ /[^\w\-:]/;
if (@eatuntil) {
push @capture, $token if $capturing_during_eat;
if ( $eatuntil[-1] eq $tag ) {
pop @eatuntil;
if ( my $cb = $capturing_during_eat ) {
$cb->();
$finish_capture->();
}
next TOKEN;
}
next TOKEN if @eatuntil;
}
# if we're just getting the contents of a cut tag, then pop the
# tag off the stack. if this is the last tag on the stack, then
# go back to eating the rest of the content.
if (@cuttag_stack) {
if ( $cuttag_stack[-1] eq $tag ) {
pop @cuttag_stack;
last TOKEN unless (@cuttag_stack);
}
}
if ($eatall) {
next TOKEN;
}
if ($eating_ljuser_span) {
if ( $tag eq "span" ) {
$eating_ljuser_span = 0;
$newdata .= user_link_html( $ljuser_text_node, undef, $usertag_opts );
}
next TOKEN;
}
# Hack: For Twitter, which uses blockquotes to embed tweets, re-enable
# user conversion once we've exited a blockquote.
if ( $disable_user_conversion && $tag eq 'blockquote' ) {
$disable_user_conversion = 0;
}
my $allow;
if ( $tag eq "lj-raw" && !$nodwtags ) {
$opencount{$tag}--;
$tablescope[-1]->{$tag}-- if @tablescope;
}
elsif ( $tag eq "lj-cut" && !$nodwtags ) {
# Since this is an end-tag, we can't know if it's the closing
# div for a faked tag, which means that
# community moderators can't see
at the end of one
# of those tags; if this was a problem, then the 'S' branch of
# this function would need to record the ljcut_div flag in a
# state variable which is stashed across tokens.
if ( $opts->{preserve_lj_tags_for} && $opencount{'lj-cut'} ) {
$opencount{'lj-cut'}--;
$newdata .= "";
}
elsif ( $opts->{'cutpreview'} ) {
$newdata .= "
</cut>";
}
}
else {
if ( $mode eq "allow" ) {
$allow = 1;
if ( defined $action{$tag}
and ( $action{$tag} eq "deny" || $action{$tag} eq "conditional" ) )
{
$allow = 0;
}
}
else {
$allow = 0;
if ( defined $action{$tag} and $action{$tag} eq "allow" ) { $allow = 1; }
}
if ( $extractlinks && $tag eq "a" ) {
if (@canonical_urls) {
my $url = LJ::ehtml( pop @canonical_urls );
$newdata .= " ($url)";
next;
}
}
if ( $allow && !$remove{$tag} ) {
$allow = 0 if
# can't close table elements from outside a table
( $tag =~ /^(?:table|tbody|thead|tfoot|tr|td|th|caption|colgroup|col)$/
&& !@tablescope )
||
# can't close td or th unless open tr
( $tag =~ /^(?:td|th)$/ && !$tablescope[-1]->{'tr'} );
if ( $allow && !( $opts->{'noearlyclose'} && !$opencount{$tag} ) ) {
unless (@tablescope) {
my $close;
while ( ( $close = pop @tagstack ) && $close ne $tag ) {
$opencount{$close}--;
next if $close =~ $slashclose_tags;
$newdata .= "";
push @unclosed_tags, "$close"
unless $close eq 'p' || $close eq 'li';
}
}
# open table
if ( $tag eq 'table' ) {
pop @tablescope;
pop @tagstack if $tagstack[-1] eq 'table';
# closing tag within current table
}
elsif (@tablescope) {
# If this tag was not opened inside this table, then
# do not close it! (This let's the auto-closer clean
# up later.)
next TOKEN unless $tablescope[-1]->{$tag};
$tablescope[-1]->{$tag}--;
}
if ( $opencount{$tag} ) {
$newdata .= "";
$opencount{$tag}--;
}
}
elsif ( !$allow || $form_tag->{$tag} && !$opencount{form} ) {
# tag wasn't allowed, or we have an out of scope form tag? display it then
$newdata .= "</$tag>";
}
else {
# This is a closing tag for something that isn't open. We ignore these
# and do nothing with them.
}
}
if ( defined $action{$tag}
and $action{$tag} eq "conditional" && $tagstack[-1] eq $tag )
{
$newdata .= "";
pop @tagstack;
$opencount{$tag}--;
}
}
}
elsif ( $type eq "D" ) {
# remove everything past first closing tag
$token->[1] =~ s/>.+/>/s;
# kill any opening tag except the starting one
$token->[1] =~ s/.[1];
}
elsif ( $type eq "T" ) {
my %url = ();
my $urlcount = 0;
if (@eatuntil) {
push @capture, $token if $capturing_during_eat;
next TOKEN;
}
if ($eatall) {
next TOKEN;
}
if ($eating_ljuser_span) {
$ljuser_text_node = $token->[1];
next TOKEN;
}
# auto_format means: the dialect is "html with auto linebreaks," AND
# we're not currently in a context that needs to remain raw.
my $auto_format =
$formatting eq 'html'
&& $addbreaks
&& ( ( $opencount{table} || 0 ) <= ( $opencount{td} + $opencount{th} ) )
&& !$opencount{'pre'}
&& !$opencount{'textarea'}
&& !$opencount{'lj-raw'};
# Stash any URLs that should be auto-linked, and insert temporary
# placeholders that can survive the next few escaping steps. We'll
# restore the URLs later as links.
if ( $auto_format && $auto_links && !$opencount{'a'} ) {
my $match = sub {
my $str = shift;
if ( $str =~ /^(.*?)(&(#39|quot|lt|gt)(;.*)?)$/ ) {
$url{ ++$urlcount } = $1;
return "&url$urlcount;$1&urlend;$2";
}
else {
$url{ ++$urlcount } = $str;
return "&url$urlcount;$str&urlend;";
}
};
$token->[1] =~ s!(https?://[^\s\'\"\<\>]+[a-zA-Z0-9_/&=\-])! $match->( $1 ); !ge;
}
# escape tags in text tokens. shouldn't belong here!
# especially because the parser returns things it's
# confused about (broken, ill-formed HTML) as text.
$token->[1] =~ s/[1] =~ s/>/>/g;
# auto-format some stuff!
if ($auto_format) {
# Add linebreaks
$token->[1] =~ s/\r?\n/
/g;
if ( !$opencount{'a'} ) {
# Restore any auto-linked URLs as real HTML links
$token->[1] =~ s/&url(\d+);(.*?)&urlend;/
$2<\/a>/g;
}
}
# convert user mentions, if we're in an appropriate context
if ($at_mentions) {
# Don't mangle code spans, code blocks, things that act like
# code blocks, or things we KNOW have foreign @mentions in em.
if ( !$disable_user_conversion
&& !$opencount{'code'}
&& !$opencount{'pre'}
&& !$opencount{'textarea'}
&& !$opencount{'lj-raw'} )
{
convert_user_mentions( \$token->[1], $usertag_opts );
}
}
$newdata .= $token->[1];
}
elsif ( $type eq "C" ) {
# probably a malformed tag rather than a comment, so escape it
# -- ehtml things like "<3", "<--->", "<>", etc
# -- comments must start with [1] =~ /^<[^!]/ ) {
$newdata .= LJ::ehtml( $token->[1] );
# by default, ditch comments
}
elsif ($keepcomments) {
my $com = $token->[1];
$com =~ s/^$//;
$com =~ s///;
$newdata .= "";
}
}
elsif ( $type eq "PI" ) {
my $tok = $token->[1];
$tok =~ s//>/g;
$newdata .= "";
}
else {
$newdata .= "\n";
}
} # end while
# finish up open links if we're extracting them
if ( $extractlinks && @canonical_urls ) {
foreach my $url (@canonical_urls) {
$newdata .= " (" . LJ::ehtml($url) . ")";
$opencount{'a'}--;
}
}
# if we have a textarea open, we *MUST* close it first
if ( $opencount{textarea} ) {
$newdata .= "";
push @unclosed_tags, "textarea";
}
$opencount{textarea} = 0;
# close any tags that were opened and not closed
# don't close tags that don't need a closing tag -- otherwise,
# we output the closing tags in the wrong place (eg, a
# after the was closed) causing unnecessary problems
foreach my $tag ( reverse @tagstack ) {
next if $tag =~ $slashclose_tags;
if ( $opencount{$tag} ) {
$newdata .= "";
$opencount{$tag}--;
push @unclosed_tags, $tag unless $tag eq 'p' || $tag eq 'li';
}
}
# If crossposting, explicitly close cuts to keep the crosspost footer visible.
if ( $preserve_lj_tags_for && $opencount{'lj-cut'} ) {
while ( $opencount{'lj-cut'} > 0 ) {
$newdata .= "";
$opencount{'lj-cut'}--;
}
}
# extra-paranoid check
1 while $newdata =~ s/};
$msg .= LJ::Lang::ml('cleanhtml.suspend_msg');
$msg .= "";
$$data = $msg . $$data;
}
# only add verbose errors for unclosed tags if we don't have another verbose error set
# otherwise, the tags error will overwrite more important errors like irreparable markup
if ( $verbose_err && ref($verbose_err) eq 'SCALAR' && scalar(@unclosed_tags) > 0 ) {
my $tag_str = "<" . join( ">, <", @unclosed_tags ) . ">";
$$verbose_err = { error => ".error.markup.unclosed", opts => { tags => $tag_str } };
}
return 0;
}
# takes a reference to HTML and a base URL, and modifies HTML in place to use absolute URLs from the given base
sub resolve_relative_urls {
my ( $data, $base ) = @_;
my $p = HTML::TokeParser->new($data);
# where we look for relative URLs
my $rel_source = {
'a' => {
'href' => 1,
},
'img' => {
'src' => 1,
},
};
my $global_did_mod = 0;
my $base_uri = undef; # until needed
my $newdata = "";
TOKEN:
while ( my $token = $p->get_token ) {
my $type = $token->[0];
if ( $type eq "S" ) # start tag
{
my $tag = $token->[1];
my $hash = $token->[2]; # attribute hashref
my $attrs = $token->[3]; # attribute names, in original order
my $did_mod = 0;
# see if this is a tag that could contain relative URLs we fix up.
if ( my $relats = $rel_source->{$tag} ) {
while ( my $k = each %$relats ) {
next unless defined $hash->{$k} && $hash->{$k} !~ /^[a-z]+:/;
my $rel_url = $hash->{$k};
$global_did_mod = $did_mod = 1;
$base_uri ||= URI->new($base);
$hash->{$k} = URI->new_abs( $rel_url, $base_uri )->as_string;
}
}
# if no change was necessary
unless ($did_mod) {
$newdata .= $token->[4];
next TOKEN;
}
# otherwise, rebuild the opening tag
# for tags like , pretend it's and reinsert the slash later
my $slashclose = 0; # If set to 1, use XML-style empty tag marker
$slashclose = 1 if $tag =~ s!/$!!;
$slashclose = 1 if delete $hash->{'/'};
# spit it back out
$newdata .= "<$tag";
# output attributes in original order
foreach (@$attrs) {
$newdata .= " $_=\"" . LJ::ehtml( $hash->{$_} ) . "\""
if exists $hash->{$_};
}
$newdata .= " /" if $slashclose;
$newdata .= ">";
}
elsif ( $type eq "E" ) {
$newdata .= $token->[2];
}
elsif ( $type eq "D" ) {
$newdata .= $token->[1];
}
elsif ( $type eq "T" ) {
$newdata .= $token->[1];
}
elsif ( $type eq "C" ) {
$newdata .= $token->[1];
}
elsif ( $type eq "PI" ) {
$newdata .= $token->[2];
}
} # end while
$$data = $newdata if $global_did_mod;
return undef;
}
sub ExpandLJURL {
my @args = grep { $_ } split( /\//, $_[0] );
my $mode = shift @args;
my %modes = (
'faq' => sub {
my $id = shift() + 0;
if ($id) {
return "support/faqbrowse?faqid=$id";
}
else {
return "support/faq";
}
},
'memories' => sub {
my $user = LJ::canonical_username(shift);
if ($user) {
return "memories?user=$user";
}
else {
return "memories";
}
},
'support' => sub {
my $id = shift() + 0;
if ($id) {
return "support/see_request?id=$id";
}
else {
return "support/";
}
},
'user' => sub {
my $user = LJ::canonical_username(shift);
return "" if grep { /[\"\'\<\>\n\&]/ } @_;
return $_[0] eq 'profile'
? "profile?user=$user"
: "users/$user/" . join( "", map { "$_/" } @_ );
},
'userinfo' => sub {
my $user = LJ::canonical_username(shift);
if ($user) {
return "profile?user=$user";
}
else {
return "profile";
}
},
'userpics' => sub {
my $user = LJ::canonical_username(shift);
if ($user) {
return "allpics?user=$user";
}
else {
return "allpics";
}
},
);
my $uri = $modes{$mode} ? $modes{$mode}->(@args) : "error:bogus-lj-url";
return "$LJ::SITEROOT/$uri";
}
my $subject_eat = [qw[ head title style layer iframe applet object xml param base ]];
my $subject_allow = [qw[a b i u em strong cite]];
my $subject_remove = [qw[bgsound embed object caption link font noscript]];
sub clean_subject {
my $ref = shift;
return unless defined $$ref and $$ref =~ /[\<\>]/;
clean(
$ref,
{
addbreaks => 0,
eat => $subject_eat,
mode => 'deny',
allow => $subject_allow,
remove => $subject_remove,
noearlyclose => 1,
# This is wrong in some cases, but clean_subject is used by many
# different paths that don't tell us where the content came from.
# Let's assume the most conservative for now.
formatting => 'html',
at_mentions => 0,
}
);
}
## returns a pure text subject (needed in links, email headers, etc...)
my $subjectall_eat = $subject_eat;
sub clean_subject_all {
my $ref = shift;
return unless $$ref =~ /[\<\>]/;
clean(
$ref,
{
addbreaks => 0,
eat => $subjectall_eat,
mode => 'deny',
textonly => 1,
noearlyclose => 1,
# This is wrong in some cases, but clean_subject is used by many
# different paths that don't tell us where the content came from.
# Let's assume the most conservative for now.
formatting => 'html',
at_mentions => 0,
}
);
}
# wrapper around clean_subject_all; this also trims the subject to the given length
sub clean_and_trim_subject {
my ( $ref, $length, $truncated ) = @_;
$length ||= 40;
LJ::CleanHTML::clean_subject_all($ref);
$$ref =~ s/\n.*//s;
$$ref = LJ::text_trim( $$ref, 0, $length, $truncated );
}
my @comment_eat = qw( head title style layer iframe applet object );
my @comment_anon_eat = (
@comment_eat, qw(
table tbody thead tfoot tr td th caption colgroup col font
)
);
my @comment_all = qw(
table tr td th tbody tfoot thead colgroup caption col
a sub sup xmp bdo q span
b i u tt s strike big small font
abbr acronym cite code dfn em kbd samp strong var del ins
h1 h2 h3 h4 h5 h6 div blockquote address pre center
ul ol li dl dt dd
area map form textarea
img br hr p col
summary details
);
my $event_eat = $subject_eat;
my $event_remove = [qw[ bgsound embed object link body meta noscript plaintext noframes ]];
my $userbio_eat = $event_eat;
my $userbio_remove = $event_remove;
# An "event" is the body text of a journal entry. But this also gets called for
# several unrelated things that LOOK a lot like journal entries, like FAQ items
# and support requests.
sub clean_event {
my ( $ref, $opts ) = @_;
return unless $$ref; # nothing to do
# old prototype was passing in the ref and preformatted flag.
# now the second argument is a hashref of options, so convert it to support the old way.
unless ( ref $opts eq "HASH" ) {
$opts = { 'preformatted' => $opts };
}
# Formatting is specified with the `editor` prop, if present...
my $formatting = $opts->{editor};
# ...and if not, here's how we guess.
if ( !$formatting ) {
if ( legacy_markdown($ref) ) {
# Old-style Markdown: remove the special !markdown prefix,
# and switch to Markdown formatting.
$formatting = 'markdown0';
}
elsif ( $opts->{is_syndicated} ) {
# MOST of the time, synsuck sets opt_preformatted, in which case
# this is plain old HTML that doesn't know anything about our
# special DW/LJ tags.
if ( $opts->{preformatted} ) {
$formatting = 'html_extra_raw';
}
else {
# BUT, if a feed post contains zero HTML tags, synsuck doesn't
# set preformatted. Those posts can use a "wrong" format that at
# least handles line breaks legibly.
$formatting = 'html_casual0';
}
}
elsif ( $opts->{preformatted} ) {
$formatting = 'html_raw0';
}
elsif ( $opts->{is_imported} ) {
# LJ et al don't have @mentions
$formatting = 'html_casual0';
}
elsif ( $opts->{logtime_mysql} && $opts->{logtime_mysql} lt '2019-05' ) {
# Before @mentions were rolled out
$formatting = 'html_casual0';
}
else {
$formatting = 'html_casual1';
}
}
my %formatting_args = formatting_args($formatting);
clean(
$ref,
{
%formatting_args,
cuturl => $opts->{cuturl},
cutpreview => $opts->{cutpreview},
eat => $event_eat,
mode => 'allow',
remove => $event_remove,
cleancss => 1,
maximgwidth => $opts->{maximgwidth},
maximgheight => $opts->{maximgheight},
imageplaceundef => $opts->{imageplaceundef},
ljcut_disable => $opts->{ljcut_disable},
noearlyclose => 1,
extractimages => $opts->{extractimages} ? 1 : 0,
noexpandembedded => $opts->{noexpandembedded} ? 1 : 0,
textonly => $opts->{textonly} ? 1 : 0,
remove_colors => $opts->{remove_colors} ? 1 : 0,
remove_sizes => $opts->{remove_sizes} ? 1 : 0,
remove_fonts => $opts->{remove_fonts} ? 1 : 0,
transform_embed_nocheck => $opts->{transform_embed_nocheck} ? 1 : 0,
transform_embed_wmode => $opts->{transform_embed_wmode},
rewrite_embed_param => $opts->{rewrite_embed_param} ? 1 : 0,
suspend_msg => $opts->{suspend_msg} ? 1 : 0,
to_external_site => $opts->{to_external_site} ? 1 : 0,
preserve_lj_tags_for => $opts->{preserve_lj_tags_for} || 0,
cut_retrieve => $opts->{cut_retrieve},
journal => $opts->{journal},
ditemid => $opts->{ditemid},
errref => $opts->{errref},
verbose_err => $opts->{verbose_err},
}
);
}
# clean JS out of embed module
sub clean_embed {
my ( $ref, $opts ) = @_;
return unless $$ref;
return unless LJ::is_enabled('embedmodule-cleancontent');
clean(
$ref,
{
addbreaks => 0,
mode => 'allow',
allow => [qw( object embed )],
deny => [qw( script )],
remove => [qw( script )],
conditional => [qw( iframe )],
ljcut_disable => 1,
cleancss => 1,
extractlinks => 0,
noautolinks => 1,
extractimages => 0,
noexpandembedded => 1,
transform_embed_nocheck => 1,
rewrite_embed_param => 1,
force_https_embed => $opts->{display_as_content},
# Embeds always come from somewhere else, so be conservative.
formatting => 'html',
at_mentions => 0,
}
);
}
sub get_okay_comment_tags {
return @comment_all;
}
# ref: scalarref of text to clean, gets cleaned in-place
# opts: either a hashref of opts:
# - preformatted: if true, don't insert breaks and auto-linkify
# - anon_comment: don't linkify things, and prevent tags
# or, opts can just be a boolean scalar, which implies the performatted tag
sub clean_comment {
my ( $ref, $opts ) = @_;
return 0 unless defined $$ref;
$opts = { preformatted => $opts } unless ref $opts;
# Formatting is specified with the `editor` prop, if present...
my $formatting = $opts->{editor};
# ...and if not, here's how we guess.
# Differences from entries: No magic !markdown, no syndicated content.
if ( !$formatting ) {
if ( $opts->{preformatted} ) {
$formatting = 'html_raw0';
}
elsif ( $opts->{is_imported} ) {
# LJ et al don't have @mentions
$formatting = 'html_casual0';
}
elsif ( $opts->{datepost} && $opts->{datepost} lt '2019-05' ) {
# Before @mentions were rolled out
$formatting = 'html_casual0';
}
else {
$formatting = 'html_casual1';
}
}
my %formatting_args = formatting_args($formatting);
return clean(
$ref,
{
%formatting_args,
eat => $opts->{anon_comment} ? \@comment_anon_eat : \@comment_eat,
mode => 'deny',
allow => \@comment_all,
cleancss => 1,
strongcleancss => 1,
extractlinks => $opts->{anon_comment},
extractimages => $opts->{anon_comment},
noearlyclose => 1,
nocss => $opts->{nocss},
textonly => $opts->{textonly} ? 1 : 0,
remove_positioning => 1,
remove_abs_sizes => $opts->{anon_comment},
}
);
}
sub clean_userbio {
my ( $ref, $strip_links ) = @_;
return undef unless ref $ref;
clean(
$ref,
{
addbreaks => 1,
attrstrip => [qw[style]],
mode => 'allow',
noearlyclose => 1,
eat => $userbio_eat,
remove => $userbio_remove,
cleancss => 1,
# Bios are always local, but for now, we are marking them as
# HTML so that people don't have to reformat everything.
formatting => 'html',
at_mentions => 1,
noautolinks => $strip_links,
extractlinks => $strip_links,
}
);
}
sub canonical_url {
my ( $url, $allow_all ) = @_;
$url ||= '';
# strip leading and trailing spaces
$url =~ s/^\s*//;
$url =~ s/\s*$//;
return '' unless $url;
unless ($allow_all) {
# see what protocol they want, default to http
my $pref = "http";
$pref = $1 if $url =~ /^(https?|ftp|webcal):/;
# strip out the protocol section
$url =~ s!^.*?:/*!!;
return '' unless $url;
# rebuild safe url
$url = "$pref://$url";
}
return $url;
}
sub https_url {
my ( $url, %opts ) = @_;
# https:// and the relative // protocol don't need proxying
return $url if $url =~ m!^(?:https://|//)!;
# if this link is on a site that supports HTTPS, upgrade the protocol
my $https_ok = %LJ::KNOWN_HTTPS_SITES ? \%LJ::KNOWN_HTTPS_SITES : {};
my ($domain) = ( $url =~ m!^http://[^/]*?([^.]+\.\w{2,3})/! );
if ( $domain && ( $domain eq $LJ::DOMAIN || $https_ok->{$domain} ) ) {
$url =~ s!^http:!https:!;
return $url;
}
return DW::Proxy::get_proxy_url(
$url,
journal => $opts{journal},
ditemid => $opts{ditemid}
) || $url;
}
sub quote_html {
my ( $string, $bool ) = @_;
return $string unless $bool;
# quote all non-LJ tags
$string =~ s{<(?!/?lj)(.*?)>} {<$1>}gi;
return $string;
}
# Map of known markup formats to the clean() options that implement their
# behavior. We only care about "real" format IDs here -- aliases are handled by
# DW::Formats. (You could argue the clean options belong in DW::Formats too, but
# this was a compromise to keep other code from knowing too much about the
# cleaner's internals.)
my %markup_formats = (
html_casual0 => {
formatting => 'html',
addbreaks => 1,
at_mentions => 0,
},
html_casual1 => {
formatting => 'html',
addbreaks => 1,
at_mentions => 1,
},
html_raw0 => {
formatting => 'html',
addbreaks => 0,
at_mentions => 0,
noautolinks => 1,
},
html_extra_raw => {
formatting => 'html',
addbreaks => 0,
at_mentions => 0,
noautolinks => 1,
nodwtags => 1,
},
markdown0 => {
formatting => 'markdown',
addbreaks => 0,
at_mentions => 1,
noautolinks => 1,
},
);
# Return a group of arguments to pass to clean() based on the requested format
sub formatting_args {
my $format = DW::Formats::validate( $_[0] );
my $args = $markup_formats{$format};
unless ( ref $args ) {
$args = $markup_formats{$DW::Formats::default_format};
}
return %$args;
}
sub convert_user_mentions {
my ( $ref, $opts ) = @_;
my $usertag = sub {
my ( $orig, $user, $site ) = ( $_[0], $_[1], $_[2] || $LJ::DOMAIN );
# atproto sites use FQDNs as usernames, so if the final segment of $site
# refers to one, the rest of $site is actually a part of the username.
my ( $atuser, $atsitename ) = split /\.([^.]+)$/, ( $orig =~ tr/@//dr );
if ($atsitename) {
my $atsite = DW::External::Site->get_site( site => $atsitename );
return user_link_html( $atuser, $atsitename, $opts )
if $atsite && $atsite->servicetype eq "atproto";
}
return user_link_html( $user, $site, $opts );
};
# First pass is just to look for an edge case where an unescaped
# username that needs to be converted is the first item in the string.
$$ref =~ s!^(\@([\w\-]+)(?:\.([\w\-\.]*[\w\-]))?)(?=$|\W)!$usertag->($1, $2, $3)!mge;
# Second pass is to look for all other occurrences of unescaped usernames.
# If we find an escaped username, remove the escape sequence and continue.
# We also have to look for (and explicitly ignore) Markdown-supported escape
# sequences here, to avoid parsing edge cases like '\\@foo' incorrectly
# (note that's two user-supplied backslashes). That's why the (\\.) case is
# actually (\\.) and not (\\\@).
$$ref =~ s!(\\.)|(?<=[^\w/])(\@([\w\-]+)(?:\.([\w\-\.]*[\w\-]))?)(?=$|\W)!
defined($1) ? ( $1 eq '\@' ? '@' : $1 ) : $usertag->($2, $3, $4)
!mge;
}
# Keys available in opts hashref:
# - textonly (ignored by ljuser_display et al.)
# - preserve_lj_tags_for (ignored by ljuser_display et al.)
# - no_ljuser_class
# - no_link
sub user_link_html {
# Generate HTML to link to a user
my ( $user, $site, $opts ) = @_;
# allow external sites
# do not use link to an external site if site attribute is current domain
if ( defined $site && $site ne $LJ::DOMAIN ) {
# try to load this user@site combination
if ( my $ext_u = DW::External::User->new( user => $user, site => $site ) ) {
# looks good, render
if ( $ext_u->site eq $opts->{preserve_lj_tags_for} ) {
# that's the crosspost destination, so send a native user tag.
return qq{};
}
elsif ( $opts->{textonly} ) {
# FIXME: need a textonly way of identifying users better? "user@LJ"?
return $user;
}
else {
return $ext_u->ljuser_display(%$opts);
}
# if we hit the else, then we know that this user doesn't appear
# to be valid at the requested site
}
else {
return
"[Bad username or site: "
. LJ::ehtml( LJ::no_utf8_flag($user) ) . " @ "
. LJ::ehtml( LJ::no_utf8_flag($site) ) . "]";
}
# failing that, no site or local site, use the local behavior
}
elsif ( length $user ) {
if ( my $u = LJ::load_user_or_identity($user) ) {
if ( $opts->{textonly} ) {
return $u->display_name;
}
else {
return $u->ljuser_display($opts);
}
}
elsif ( my $username = LJ::canonical_username($user) ) {
return LJ::ljuser( $user, $opts );
}
else {
$user = LJ::no_utf8_flag($user);
return "[Bad username or unknown identity: " . LJ::ehtml($user) . "]";
}
}
else {
return "[Unknown site tag]";
}
}
# detect and remove "!markdown" at beginning of entry text;
# return true if the marker was found, false otherwise
sub legacy_markdown {
my ($ref) = @_;
return $$ref =~ s/^\s*!markdown\s*\r?\n//is;
}
1;