[Rt-commit] rt branch, 4.2/html-gumbo-balancing, created. rt-4.2.2-6-gdc922ea
Alex Vandiver
alexmv at bestpractical.com
Wed Jan 15 17:01:55 EST 2014
The branch, 4.2/html-gumbo-balancing has been created
at dc922eab9e5c3fd8b7ab15afc61fe258d8cc530a (commit)
- Log -----------------------------------------------------------------
commit 6c0cbbbd1b6171e666b860704e0aee11d462e154
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Wed Jan 15 16:33:52 2014 -0500
Allow tables if HTML::Gumbo is installed
HTML::Gumbo deals with ensuring that content cannot "escape" from the
context that RT frames it in, by (for example) not allowing </td></tr>
if the content has not opened its own table. HTML::Gumbo has an
HTML::Parser-like interface, but it is not quite close enough to serve
as a drop-in replacement -- and the structure of HTML::Scrubber would
not make such a substitution easy.
As such, pre-parse the HTML content using Gumbo, if available, as a
pre-parsing step before HTML::Scrubber. This enables <table> tags and
their ilk to be enabled without posing a security risk.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 0aebeed..f666ca4 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -3868,6 +3868,22 @@ if (RT->Config->Get('ShowTransactionImages') or RT->Config->Get('ShowRemoteImage
sub _NewScrubber {
require HTML::Scrubber;
my $scrubber = HTML::Scrubber->new();
+
+ if (eval "require HTML::Gumbo; 1") {
+ no warnings 'redefine';
+ my $orig = \&HTML::Scrubber::scrub;
+ *HTML::Scrubber::scrub = sub {
+ my $self = shift;
+
+ eval { $_[0] = HTML::Gumbo->new->parse( $_[0] ); chomp $_[0] };
+ warn "HTML::Gumbo pre-parse failed: $@" if $@;
+ return $orig->($self, @_);
+ };
+ push @SCRUBBER_ALLOWED_TAGS, qw/TABLE THEAD TBODY TFOOT TR TD TH/;
+ $SCRUBBER_ALLOWED_ATTRIBUTES{$_} = 1 for
+ qw/colspan rowspan align valign cellspacing cellpadding border width height/;
+ }
+
$scrubber->default(
0,
{
commit bb68df313ca7bd9a19a21b6f19e55abdef5421e5
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Wed Jan 15 16:42:47 2014 -0500
Allow additional CSS rules for borders and padding
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index f666ca4..a8d7f05 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -3836,6 +3836,12 @@ our %SCRUBBER_ALLOWED_ATTRIBUTES = (
font-family: \s* [\w\s"',.\-]+ |
font-weight: \s* [\w\-]+ |
+ border-style: \s* \w+ |
+ border-color: \s* [#\w]+ |
+ border-width: \s* [\s\w]+ |
+ padding: \s* [\s\w]+ |
+ margin: \s* [\s\w]+ |
+
# MS Office styles, which are probably fine. If we don't, then any
# associated styles in the same attribute get stripped.
mso-[\w\-]+?: \s* [\w\s"',.\-]+
commit dc922eab9e5c3fd8b7ab15afc61fe258d8cc530a
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Wed Jan 15 16:48:37 2014 -0500
Document that RT scrubs HTML, and note that HTML::Gumbo loosens those slightly
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index 309601d..39b8071 100755
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -1764,10 +1764,18 @@ Set($AlwaysDownloadAttachments, undef);
=item C<$PreferRichText>
-By default, RT shows rich text (HTML) messages if possible.
-
-If C<$PreferRichText> is set to 0, RT will show plain text messages
-in preference to any rich text alternatives.
+By default, RT shows rich text (HTML) messages if possible. If
+C<$PreferRichText> is set to 0, RT will show plain text messages in
+preference to any rich text alternatives.
+
+As a security precaution, RT limits the HTML that is displayed to a
+known-good subset -- as allowing arbitrary HTML to be displayed exposes
+multiple vectors for XSS and phishing attacks. If
+L</$TrustHTMLAttachments> is enabled, the original HTML is available for
+viewing via the "Download" link.
+
+If the optional L<HTML::Gumbo> dependency is installed, RT will leverage
+this to allow a broader set of HTML through, including tables.
=cut
-----------------------------------------------------------------------
More information about the rt-commit
mailing list