mediawiki-extensions-Visual.../modules/parser/ext.core.Sanitizer.js

/*
 * General token sanitizer. Strips out (or encapsulates) unsafe and disallowed
 * tag types and attributes. Should run last in the third, synchronous
 * expansion stage. Tokens from extensions which should not be sanitized
 * can bypass sanitation by setting their rank to 3.
 *
 * @author Gabriel Wicke <gwicke@wikimedia.org>
 */

// Include general utilities
var Util = require('./ext.Util.js').Util,
	u = new Util();


function Sanitizer ( manager ) {
	this.manager = manager;
	this.register( manager );
}

// constants
Sanitizer.prototype.handledRank = 2.99;
Sanitizer.prototype.anyRank = 2.9901;


// Register this transformer with the TokenTransformer
Sanitizer.prototype.register = function ( manager ) {
	this.manager = manager;
	manager.addTransform( this.onAnchor.bind(this), this.handledRank, 'tag', 'a' );
	manager.addTransform( this.onAny.bind(this), this.anyRank, 'any' );
};

Sanitizer.prototype.onAnchor = function ( token ) {
	// perform something similar to Sanitizer::cleanUrl
	if ( token.constructor === EndTagTk ) {
		return { token: token };
	}
	var hrefKV = this.manager.env.lookupKV( token.attribs, 'href' );
	// FIXME: Should the flattening of attributes to text be performed as part
	// of the AttributeTransformManager processing? This certainly is not the
	// right place!
	if ( hrefKV !== null ) {
		hrefKV.v = this.manager.env.tokensToString( hrefKV.v );
		var bits = hrefKV.v.match( /(.*?\/\/)([^\/]+)(\/?.*)/ );
		if ( bits ) {
			proto = bits[1];
			host = bits[2];
			path = bits[3];
		} else {
			proto = '';
			host = '';
			path = hrefKV.v;
		}
		host = this._stripIDNs( host );
		hrefKV.v = proto + host + path;
	}
	return { token: token };
};

// XXX: We actually need to strip IDN ignored characters in the link text as
// well, so that readers are not mislead. This should perhaps happen at an
// earlier stage, while converting links to html.
Sanitizer.prototype._IDNRegexp = new RegExp(
		"[\t ]|" +  // general whitespace
		"\u00ad|" + // 00ad SOFT HYPHEN
		"\u1806|" + // 1806 MONGOLIAN TODO SOFT HYPHEN
		"\u200b|" + // 200b ZERO WIDTH SPACE
		"\u2060|" + // 2060 WORD JOINER
		"\ufeff|" + // feff ZERO WIDTH NO-BREAK SPACE
		"\u034f|" + // 034f COMBINING GRAPHEME JOINER
		"\u180b|" + // 180b MONGOLIAN FREE VARIATION SELECTOR ONE
		"\u180c|" + // 180c MONGOLIAN FREE VARIATION SELECTOR TWO
		"\u180d|" + // 180d MONGOLIAN FREE VARIATION SELECTOR THREE
		"\u200c|" + // 200c ZERO WIDTH NON-JOINER
		"\u200d|" + // 200d ZERO WIDTH JOINER
		"[\ufe00-\ufe0f]", // fe00-fe0f VARIATION SELECTOR-1-16
		'g' 
		);

Sanitizer.prototype._stripIDNs = function ( host ) {
	return host.replace( this._IDNRegexp, '' );
};
	
	
/**
 * Sanitize any tag.
 *
 * XXX: Make attribute sanitation reversible by storing round-trip info in
 * token.dataAttribs object (which is serialized as JSON in a data-rt
 * attribute in the DOM).
 */
Sanitizer.prototype.onAny = function ( token ) {
	// XXX: validate token type according to whitelist and convert non-ok ones
	// back to text.

	// Convert attributes to string, if necessary.
	// XXX: Likely better done in AttributeTransformManager when processing is
	// complete
	if ( token.attribs && token.attribs.length ) {
		var attribs = token.attribs.slice();
		var newToken = $.extend( {}, token );
		for ( var i = 0, l = attribs.length; i < l; i++ ) {
			var kv = attribs[i],
				k = kv.k,
				v = kv.v;

			if ( k.constructor === Array ) {
				k = this.manager.env.tokensToString ( k );
			}
			if ( v.constructor === Array ) {
				v = this.manager.env.tokensToString ( v );
			}
			if ( k === 'style' ) {
				v = this.checkCss(v);
			}
			attribs[i] = new KV( k, v );
		}
		//console.warn( 'sanitizer: ' + JSON.stringify([attribs, token], null, 2));
		newToken.attribs = attribs;
		token = newToken;
	}
	// XXX: Validate attributes
	return { token: token };
};

Sanitizer.prototype.checkCss = function ( value ) {
	if (/[\000-\010\016-\037\177]/.test(value)) {
		return '/* invalid control char */';
	}
	if (/expression|filter\s*:|accelerator\s*:|url\s*\(/i.test(value)) {
		return '/* insecure input */';
	}
	return value;
};

if (typeof module == "object") {
	module.exports.Sanitizer = Sanitizer;
}
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`/*`
			`* General token sanitizer. Strips out (or encapsulates) unsafe and disallowed`
			`* tag types and attributes. Should run last in the third, synchronous`
			`* expansion stage. Tokens from extensions which should not be sanitized`
			`* can bypass sanitation by setting their rank to 3.`
			`*`
			`* @author Gabriel Wicke <gwicke@wikimedia.org>`
			`*/`

			`// Include general utilities`
			`var Util = require('./ext.Util.js').Util,`
			`u = new Util();`


			`function Sanitizer ( manager ) {`
Enable support for general preprocessor functionality in attribute keys and values. This includes comments, templates and template arguments. This also replaces the specialized expansion logic in the TemplateHandler. The removal of link validation lets one more parser test fail for now. External link target validation will need to be implemented in the token stream handler for links. This is noted as TODO in https://www.mediawiki.org/wiki/Future/Parser_development#Token_stream_transforms. 2012-02-08 15:10:30 +00:00			`this.manager = manager;`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`this.register( manager );`
			`}`

			`// constants`
			`Sanitizer.prototype.handledRank = 2.99;`
			`Sanitizer.prototype.anyRank = 2.9901;`


			`// Register this transformer with the TokenTransformer`
			`Sanitizer.prototype.register = function ( manager ) {`
			`this.manager = manager;`
			`manager.addTransform( this.onAnchor.bind(this), this.handledRank, 'tag', 'a' );`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`manager.addTransform( this.onAny.bind(this), this.anyRank, 'any' );`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`};`

			`Sanitizer.prototype.onAnchor = function ( token ) {`
			`// perform something similar to Sanitizer::cleanUrl`
Remove type attribute for tag tokens. 2012-02-01 18:37:48 +00:00			`if ( token.constructor === EndTagTk ) {`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`return { token: token };`
			`}`
			`var hrefKV = this.manager.env.lookupKV( token.attribs, 'href' );`
Enable support for general preprocessor functionality in attribute keys and values. This includes comments, templates and template arguments. This also replaces the specialized expansion logic in the TemplateHandler. The removal of link validation lets one more parser test fail for now. External link target validation will need to be implemented in the token stream handler for links. This is noted as TODO in https://www.mediawiki.org/wiki/Future/Parser_development#Token_stream_transforms. 2012-02-08 15:10:30 +00:00			`// FIXME: Should the flattening of attributes to text be performed as part`
			`// of the AttributeTransformManager processing? This certainly is not the`
			`// right place!`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`if ( hrefKV !== null ) {`
Enable support for general preprocessor functionality in attribute keys and values. This includes comments, templates and template arguments. This also replaces the specialized expansion logic in the TemplateHandler. The removal of link validation lets one more parser test fail for now. External link target validation will need to be implemented in the token stream handler for links. This is noted as TODO in https://www.mediawiki.org/wiki/Future/Parser_development#Token_stream_transforms. 2012-02-08 15:10:30 +00:00			`hrefKV.v = this.manager.env.tokensToString( hrefKV.v );`
Change token format to plain strings for text tokens, and specific objects for other tokens. This is only the first half of the conversion. The next step is to drop the type attribute on most tokens and match on the constructor in the token transform machinery. 2012-02-01 16:30:43 +00:00			`var bits = hrefKV.v.match( /(.?\/\/)([^\/]+)(\/?.)/ );`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`if ( bits ) {`
			`proto = bits[1];`
			`host = bits[2];`
			`path = bits[3];`
			`} else {`
			`proto = '';`
			`host = '';`
Change token format to plain strings for text tokens, and specific objects for other tokens. This is only the first half of the conversion. The next step is to drop the type attribute on most tokens and match on the constructor in the token transform machinery. 2012-02-01 16:30:43 +00:00			`path = hrefKV.v;`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`}`
			`host = this._stripIDNs( host );`
Change token format to plain strings for text tokens, and specific objects for other tokens. This is only the first half of the conversion. The next step is to drop the type attribute on most tokens and match on the constructor in the token transform machinery. 2012-02-01 16:30:43 +00:00			`hrefKV.v = proto + host + path;`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`}`
			`return { token: token };`
			`};`

			`// XXX: We actually need to strip IDN ignored characters in the link text as`
			`// well, so that readers are not mislead. This should perhaps happen at an`
			`// earlier stage, while converting links to html.`
			`Sanitizer.prototype._IDNRegexp = new RegExp(`
			`"[\t ]\|" + // general whitespace`
			`"\u00ad\|" + // 00ad SOFT HYPHEN`
			`"\u1806\|" + // 1806 MONGOLIAN TODO SOFT HYPHEN`
			`"\u200b\|" + // 200b ZERO WIDTH SPACE`
			`"\u2060\|" + // 2060 WORD JOINER`
			`"\ufeff\|" + // feff ZERO WIDTH NO-BREAK SPACE`
			`"\u034f\|" + // 034f COMBINING GRAPHEME JOINER`
			`"\u180b\|" + // 180b MONGOLIAN FREE VARIATION SELECTOR ONE`
			`"\u180c\|" + // 180c MONGOLIAN FREE VARIATION SELECTOR TWO`
			`"\u180d\|" + // 180d MONGOLIAN FREE VARIATION SELECTOR THREE`
			`"\u200c\|" + // 200c ZERO WIDTH NON-JOINER`
			`"\u200d\|" + // 200d ZERO WIDTH JOINER`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`"[\ufe00-\ufe0f]", // fe00-fe0f VARIATION SELECTOR-1-16`
			`'g'`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`);`

			`Sanitizer.prototype._stripIDNs = function ( host ) {`
			`return host.replace( this._IDNRegexp, '' );`
			`};`



* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`/**`
			`* Sanitize any tag.`
Add some comments to the Sanitizer 2012-02-20 11:14:53 +00:00			`*`
			`* XXX: Make attribute sanitation reversible by storing round-trip info in`
Rename data-mw into data-rt This hopefully makes it clearer that data-rt contains private round-trip info instead of semantically interesting data. Change-Id: I03b476ed112a4b627c9871ee3677c450f943429a 2012-07-16 19:10:08 +00:00			`* token.dataAttribs object (which is serialized as JSON in a data-rt`
Add some comments to the Sanitizer 2012-02-20 11:14:53 +00:00			`* attribute in the DOM).`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`*/`
			`Sanitizer.prototype.onAny = function ( token ) {`
			`// XXX: validate token type according to whitelist and convert non-ok ones`
			`// back to text.`

			`// Convert attributes to string, if necessary.`
Add some comments to the Sanitizer 2012-02-20 11:14:53 +00:00			`// XXX: Likely better done in AttributeTransformManager when processing is`
			`// complete`
Delay some token duplication until actual mutation happens This is a bit better than cloning tokens wholesale, but not by much. There is a lot of potential for much better per-token caching with reduced token cloning. Need to map out all dependencies besides token attributes expanded from template parameters or other scoped state. Even if tokens themselves don't need transformation, they might still need to be considered for other token transformers, so simply keeping the final rank won't quite work even if the token itself is fully transformed. As a minimum, a shallow clone would need to be made and the rank reset (as in env.cloneTokens). Change-Id: I4329113bb21750bae9a635229ed1b08da75dc614 2012-04-18 15:53:04 +00:00			`if ( token.attribs && token.attribs.length ) {`
			`var attribs = token.attribs.slice();`
			`var newToken = $.extend( {}, token );`
			`for ( var i = 0, l = attribs.length; i < l; i++ ) {`
			`var kv = attribs[i],`
			`k = kv.k,`
			`v = kv.v;`

			`if ( k.constructor === Array ) {`
			`k = this.manager.env.tokensToString ( k );`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`}`
Delay some token duplication until actual mutation happens This is a bit better than cloning tokens wholesale, but not by much. There is a lot of potential for much better per-token caching with reduced token cloning. Need to map out all dependencies besides token attributes expanded from template parameters or other scoped state. Even if tokens themselves don't need transformation, they might still need to be considered for other token transformers, so simply keeping the final rank won't quite work even if the token itself is fully transformed. As a minimum, a shallow clone would need to be made and the rank reset (as in env.cloneTokens). Change-Id: I4329113bb21750bae9a635229ed1b08da75dc614 2012-04-18 15:53:04 +00:00			`if ( v.constructor === Array ) {`
			`v = this.manager.env.tokensToString ( v );`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`}`
Delay some token duplication until actual mutation happens This is a bit better than cloning tokens wholesale, but not by much. There is a lot of potential for much better per-token caching with reduced token cloning. Need to map out all dependencies besides token attributes expanded from template parameters or other scoped state. Even if tokens themselves don't need transformation, they might still need to be considered for other token transformers, so simply keeping the final rank won't quite work even if the token itself is fully transformed. As a minimum, a shallow clone would need to be made and the rank reset (as in env.cloneTokens). Change-Id: I4329113bb21750bae9a635229ed1b08da75dc614 2012-04-18 15:53:04 +00:00			`if ( k === 'style' ) {`
			`v = this.checkCss(v);`
* Rudimentary CSS validation; +4 tests pass. (Bug 2304, 3244). 2012-02-18 20:16:23 +00:00			`}`
Delay some token duplication until actual mutation happens This is a bit better than cloning tokens wholesale, but not by much. There is a lot of potential for much better per-token caching with reduced token cloning. Need to map out all dependencies besides token attributes expanded from template parameters or other scoped state. Even if tokens themselves don't need transformation, they might still need to be considered for other token transformers, so simply keeping the final rank won't quite work even if the token itself is fully transformed. As a minimum, a shallow clone would need to be made and the rank reset (as in env.cloneTokens). Change-Id: I4329113bb21750bae9a635229ed1b08da75dc614 2012-04-18 15:53:04 +00:00			`attribs[i] = new KV( k, v );`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`}`
Big token transform framework overhaul part 2 * Tokens are now immutable. The progress of transformations is tracked on chunks instead of tokens. Tokenizer output is cached and can be directly returned without a need for cloning. Transforms are required to clone or newly create tokens they are modifying. * Expansions per chunk are now shared between equivalent frames via a cache stored on the chunk itself. Equivalence of frames is not yet ideal though, as right now a hash tree of unexpanded arguments is used. This should be switched to a hash of the fully expanded local parameters instead. * There is now a vastly improved maybeSyncReturn wrapper for async transforms that either forwards processing to the iterative transformTokens if the current transform is still ongoing, or manages a recursive transformation if needed. * Parameters for parser functions are now wrapped in abstract Params and ParserValue objects, which support some handy on-demand value expansions. Keys are always expanded. Parser functions are converted to use these interfaces, and now properly expand their values in the correct frame. Making this expansion lazier is certainly possible, but would complicate transformTokens and other token-handling machinery. Need to investigate if it would really be worth it. Dead branch elimination is certainly a bigger win overall. * Complex recursive asynchronous expansions should now be closer to correct for both the iterative (transformTokens) and recursive (maybeSyncReturn after transformTokens has returned) code paths. * Performance degraded slightly. There are no micro-optimizations done yet and the shared expansion cache still has a low hit rate. The progress tracking on chunks is not yet perfect, so there are likely a lot of unneeded re-expansions that can be easily eliminated. There is also more debug tracing right now. Obama currently expands in 54 seconds on my laptop. Change-Id: I4a603f3d3c70ca657ebda9fbb8570269f943d6b6 2012-05-10 08:04:24 +00:00			`//console.warn( 'sanitizer: ' + JSON.stringify([attribs, token], null, 2));`
Delay some token duplication until actual mutation happens This is a bit better than cloning tokens wholesale, but not by much. There is a lot of potential for much better per-token caching with reduced token cloning. Need to map out all dependencies besides token attributes expanded from template parameters or other scoped state. Even if tokens themselves don't need transformation, they might still need to be considered for other token transformers, so simply keeping the final rank won't quite work even if the token itself is fully transformed. As a minimum, a shallow clone would need to be made and the rank reset (as in env.cloneTokens). Change-Id: I4329113bb21750bae9a635229ed1b08da75dc614 2012-04-18 15:53:04 +00:00			`newToken.attribs = attribs;`
			`token = newToken;`
* Add custom toString methods for tokens to aid debugging * Convert all attributes into strings in Sanitizer * Use strict comparison against empty string in tokenizer * Add very simple sitename parserfunction * 138 tests passing 2012-02-13 17:02:23 +00:00			`}`
			`// XXX: Validate attributes`
			`return { token: token };`
			`};`
Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00
* Rudimentary CSS validation; +4 tests pass. (Bug 2304, 3244). 2012-02-18 20:16:23 +00:00			`Sanitizer.prototype.checkCss = function ( value ) {`
			`if (/[\000-\010\016-\037\177]/.test(value)) {`
			`return '/* invalid control char */';`
			`}`
			`if (/expression\|filter\s:\|accelerator\s:\|url\s*\(/i.test(value)) {`
			`return '/* insecure input */';`
			`}`
			`return value;`
			`};`

Add the start of a minimal sanitizer stage, that only strips IDN ignored characters from host portions of links hrefs for now. This module needs to be filled up with pretty much everything Sanitizer.php does, including tag and attribute whitelists and attribute value sanitation (especially for style attributes). We'll also need to think about round-tripping of sanitized tokens. 2012-01-18 01:42:56 +00:00			`if (typeof module == "object") {`
			`module.exports.Sanitizer = Sanitizer;`
			`}`