

Luke Plant  committed 8efb4e7

Fixed XSS security hole in formatRST

  • Parent commits dd06d70
  • Branches default


Files changed (1)

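--- a/src/Blog/Formats.hs
+++ b/src/Blog/Formats.hs
 import qualified Data.ByteString.Lazy.UTF8 as UTF8
 import qualified Data.Map as Map
 import qualified Text.Pandoc as Pandoc
+import qualified Text.Pandoc.Definition
 import qualified Text.XHtml as X
 
 data Format = Rawhtml
                     UTF8.toString
                     $ s
 
+removeRawHtml :: Text.Pandoc.Definition.Pandoc -> Text.Pandoc.Definition.Pandoc
+removeRawHtml (Text.Pandoc.Definition.Pandoc m blocks) = Text.Pandoc.Definition.Pandoc m (filter (not . isRawHtml) blocks)
+    where
+      isRawHtml (Text.Pandoc.Definition.RawHtml s) = True
+      isRawHtml _ = False
+
 formatRST :: String -> String
 formatRST = normaliseCRLF_S >>>
-            Pandoc.readRST Pandoc.defaultParserState >>>
+            Pandoc.readRST (Pandoc.defaultParserState { Pandoc.stateSanitizeHTML = False }) >>>
+            removeRawHtml >>>
             Pandoc.writeHtmlString Pandoc.defaultWriterOptions { Pandoc.writerStandalone = False }
 
 formatters :: Map.Map Format (String -> String)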
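Review bot: `removeRawHtml` only filters the top-level block list, so a `RawHtml` block nested inside a container block (a `BlockQuote`, a list item, a footnote) survives, and raw HTML that Pandoc represents at the inline level rather than as a `RawHtml` block is not touched at all; since the same hunk also sets `Pandoc.stateSanitizeHTML = False`, this function is now the only thing standing between untrusted RST and the rendered page, so it needs to walk the whole tree rather than one list. The usual shape is a recursive traversal over the container constructors of `Block` and `Inline` (or Pandoc's generic tree-rewrite helper, if the version in use has one) that drops every raw-HTML node it meets; a worthwhile addition is a comment above the function stating that it is the sanitiser for the RST path and must cover every raw-HTML constructor, e.g. `-- Strips all raw HTML from the document; the parser runs with sanitisation off, so this is the only XSS barrier for RST posts.` A smaller point: `isRawHtml (Text.Pandoc.Definition.RawHtml s) = True` binds `s` without using it, so `isRawHtml (Text.Pandoc.Definition.RawHtml _) = True` avoids the unused-binding warning, and an explicit import list such as `import Text.Pandoc.Definition (Pandoc(..), Block(..))` would make both lines considerably shorter.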