HTML-EscapeEvil


EscapeEvil.pm  view on Meta::CPAN

        $tmp_process =~ s/\?$//;
        push @{ $self->{processes} }, $tmp_process;
    }
    $self->SUPER::process( $process,
        ( $self->{allow_process} ) ? $process_text : &_escape($process_text) );
}

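sub start {

    # Start-tag handler. Records the current tag name, then does one of:
    #   * tag not on the allow list: the raw tag text is escaped;
    #   * tag allowed, scripting not allowed: blocked event-handler
    #     attributes and script-scheme hrefs are neutralised and the tag
    #     text is regenerated from the cleaned attributes;
    #   * tag allowed, scripting allowed: the tag text passes through as-is.
    # The (possibly rewritten) text is then handed to the parent's start().
    #
    # Note that $attr is modified in place, so the parent class also sees
    # the neutralised attribute values.
    my ( $self, $tagname, $attr, $attrseq, $text ) = @_;
    $self->{_current_tag} = lc $tagname;

    if ( !$self->is_allow_tags($tagname) ) {
        $text = _escape($text);
    }
    elsif ( !$self->allow_script ) {

        # Event handlers whose %JS_EVENT entry is false are replaced, e.g.
        # <body onload="alert(1)"> => <body onload="void(0)">.
        # The lookup is case-insensitive, but the value is overwritten under
        # the name the attribute arrived with; writing to the lower-cased
        # name instead would leave the original value in place whenever the
        # parser hands over a name that is not already lower case.
        for my $name ( keys %{$attr} ) {
            my $event = lc $name;
            next if !exists $JS_EVENT{$event} || $JS_EVENT{$event};
            $attr->{$name} = "void(0)";
        }

        # Script-scheme links are replaced, e.g.
        # <a href="javascript:evil_script('evil')"> => <a href="javascript:void(0)">.
        # NOTE(review): this rewrite is gated on $JS_EVENT{cite}; the reason
        # is not visible in this part of the file - confirm it is intended.
        # NOTE(review): only href is inspected here; other URL-carrying
        # attributes (src, action, ...) are not covered by this block.
        if ( !$JS_EVENT{cite} ) {
            for my $name ( grep { lc $_ eq 'href' } keys %{$attr} ) {
                my $target = $attr->{$name};
                next if !defined $target;    # tag without a usable href value

                # Browsers ignore leading whitespace/control characters and
                # embedded tabs or newlines when working out the scheme, so
                # test a copy with those stripped rather than the raw value.
                ( my $probe = $target ) =~ s/[\x00-\x20]+//g;
                $attr->{$name} = "javascript:void(0)"
                  if $probe =~ /\A(?:java|vb)script:/i;
            }
        }

        # Regenerate the tag text from the cleaned attribute set.
        my $element = HTML::Element->new( $tagname, %{$attr} );
        $text = $element->starttag;
        $element->delete;
    }

    $self->SUPER::start( $tagname, $attr, $attrseq, $text );
}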

sub end {

    # End-tag handler: clears the remembered current tag, escapes the raw
    # tag text when the tag is not on the allow list, and passes the result
    # to the parent class's end().
    my ( $self, $tagname, $text ) = @_;
    $self->{_current_tag} = undef;

    unless ( $self->is_allow_tags($tagname) ) {
        $text = _escape($text);
    }

    $self->SUPER::end( $tagname, $text );
}

sub comment {

    # Comment handler: re-wraps the comment body in <!-- --> and appends it
    # to the output, escaped unless allow_comment is set.
    #
    # With allow_comment on, the comment body is emitted unescaped, so any
    # markup inside it reaches the output unfiltered; leave the option off
    # when the input is untrusted.
    my ( $self, $comment ) = @_;
    my $markup = "<!--" . $comment . "-->";

    if ( !$self->{allow_comment} ) {
        $markup = _escape($markup);
    }

    $self->output($markup);
}

sub text {

    # Text handler. All text is escaped first; the escaping is then undone
    # selectively:
    #   * entity references are restored when allow_entity_reference is set;
    #   * CDATA text is restored when the current tag is "script" and
    #     allow_script is set, or "style" and allow_style is set.
    # The result is handed to the parent class's text().
    my ( $self, $text, $is_cdata ) = @_;

    $text = _escape($text);

    if ( $self->{allow_entity_reference} ) {
        $text = _unescape_entities($text);
    }

    if ($is_cdata) {

        # _current_tag is set by start() and reset to undef by end().
        if ( $self->{_current_tag} eq "script" && $self->{allow_script} ) {
            $text = _unescape($text);
        }
        if ( $self->{_current_tag} eq "style" && $self->{allow_style} ) {
            $text = _unescape($text);
        }
    }

    $self->SUPER::text( $text, $is_cdata );
}

sub output {

    # Appends one chunk of filtered markup to the object's _content list
    # (created on first use).
    my $self  = shift;
    my $chunk = shift;
    push @{ $self->{_content} }, $chunk;
}

1;

__END__

=head1 NAME

HTML::EscapeEvil - Escape tag

=head1 VERSION

0.05

=head1 SYNOPSIS

    use HTML::EscapeEvil;
    my $escapeevil = HTML::EscapeEvil->new;
    my $evil_html = <<HTML;
    <script type="text/javascript">
    <!--
    alert("script is evil tags!!");
    //-->
    </script>
    <iframe src="deny.html" width="100" height="100"></iframe>
    HTML

    $escapeevil->parse($evil_html); #from string
    $escapeevil->parse_file($html_file); #from file or file handle

    my $clean_html = $escapeevil->filtered_html;
    $escapeevil->clear;

=head1 DESCRIPTION

Escapes every tag that you do not want to permit.

=head1 METHOD

=head2 new

Creates an instance.

Example : 

    my $escapeevil = HTML::EscapeEvil->new(
                                         allow_comment => 1,
                                         allow_declaration => 0,
                                         allow_process => 0,
                                         allow_tags => [qw(a l l o w t a g s)],
                                         #allow_tags => "one",# OK
                                        );

Option :


