From: Matthijs Kooijman Date: Sat, 25 Apr 2009 12:47:09 +0000 (+0200) Subject: Allow setting any safe attribute on image maps. X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=6b51b8a20155ffd69bd4a3275b9a58b102fc7d2e;p=matthijs%2Fprojects%2Fwipi.git Allow setting any safe attribute on image maps. This enables any attribute from the HTML 4.01 spec, except for javascript event handlers. --- diff --git a/plugin/parser/ImageMap.py b/plugin/parser/ImageMap.py index c4c33a8..a2a0867 100644 --- a/plugin/parser/ImageMap.py +++ b/plugin/parser/ImageMap.py @@ -57,6 +57,10 @@ and to alt="area_url" (for the different clickable areas). * Now also "title" supported to generate tooltips for the map areas. * Interwiki links can also be specified in "wiki:MoinMoin/Page" syntax now. + + Version ? + * Allow setting any HTML attribute that is allowed by the HTML4.01 spec, + except for javascript event handlers. """ @@ -64,6 +68,15 @@ import os, random from MoinMoin import wikiutil, config from MoinMoin.action import AttachFile +# Define the valid attributes for map and area elements. These are directly +# taken from the HTML4.01 spec at http://www.w3.org/TR/html401/ The lists below +# mimic the structure used in the HTML spec. +html_core_attrs = ['id', 'class', 'style', 'title'] +html_i18n = ['lang', 'dir'] +html_events = [] # event attributes left out for security reasons. +html_attrs = html_core_attrs + html_i18n + html_events +html_map_attrs = html_attrs + ['name'] +html_area_attrs = html_attrs + ['shape', 'coords', 'href', 'nohref', 'alt', 'tabindex', 'accesskey'] def _is_URL(text): return '://' in text @@ -73,6 +86,7 @@ def _is_InterWiki(text): def _is_allowed_Para(para, allowed_paras): found = False + para += '="' for p in allowed_paras: if para.startswith(p): found = True 
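Review bot: `style` in `html_core_attrs` and `href` in `html_area_attrs` are not safe by name alone, so leaving `html_events` empty does not by itself keep script out of the generated markup. A `style` value can carry CSS that older browsers evaluate as script or that repositions content over the rest of the page, and an `href` value can use a `javascript:` scheme; the visible check in `_is_allowed_Para` looks only at the attribute name, never at the value. Unless values are validated elsewhere (not visible here), I would drop `style` from the list and either drop `href` or restrict it to the URL schemes the wiki already accepts for links; this applies to both call sites in `Parser`. A short comment on the lists, such as `# names only; attribute values are not validated here`, would make the limit of the allowlist explicit.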
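Review bot: The added `para += '="'` puts the delimiter on the wrong operand, so `para.startswith(p)` is now a bare name-prefix test and any attribute whose name merely begins with an allowed name is accepted. The old call sites passed `'width="'`-style prefixes, which tied the match to the full attribute name; to keep that with the new plain-name lists, remove the added line and test `if para.startswith(p + '="'):`. Comparing the name exactly, for example `para.split('=', 1)[0] in allowed_paras`, would be stricter still. The rest of `_is_allowed_Para` lies outside the hunk.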
@@ -138,7 +152,7 @@ class Parser: # and: pic.png;height="10" onmouseover="ExecuteBadCode()";alt=".."; # and: pic.png;height="10" onmouseover="ExecuteBadCode()";alt=".."; p = _strip_Para(p) - if _is_allowed_Para(p, ['width="', 'height="', 'alt="', 'title="']): + if _is_allowed_Para(p, html_map_attrs): html += ' %s' % p # Prepare dict for formatter.image if formatter.rawHTML call fails key, value = p.split('=', 1) @@ -179,7 +193,7 @@ class Parser: # and: FrontPage;shape="rect" onmouseover="ExecuteBadCode()";coords=".."; # and: FrontPage;shape="rect" onmouseover="ExecuteBadCode()";coords=".."; i = _strip_Para(i) - if _is_allowed_Para(i, ['shape="', 'coords="', 'alt="', 'title="']): + if _is_allowed_Para(i, html_area_attrs): html += ' %s' % i # If there is no alt provided at all, set alt to area_url if p.lower().find('alt="') == -1:
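Review bot: Switching this call to `html_map_attrs` drops `width`, `height` and `alt`, which the replaced list accepted, because `html_map_attrs` is only `html_attrs + ['name']`. The surrounding comments and the `formatter.image` fallback suggest these parameters describe the picture rather than the `<map>` element, so existing pages that set an image size or alt text would silently lose them. A dedicated list, e.g. `html_img_attrs = html_attrs + ['alt', 'width', 'height']`, passed here instead would keep the old behaviour. The enclosing method starts and ends outside the hunk.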