Ideone.com

fork download

copy

use strict;
use warnings;
 
# allowed tag and attribute names
 
my $allowed_tags_open = 'p|body|b|u|em|strong|ul|ol|li|h1|h2|h3|h4|h5|h6|a|tr|td|table|tbody|label|div|sup|sub|caption';
 
my $allowed_tags_self_closing = 'img|br|hr';
 
my $allowed_attributes = 'alt|href|tcmuri|title|height|width|align|valign|rowspan|colspan|src|summary|class|id|name|title|target|nowrap|scope|axis|cellpadding|cellspacing|dir|lang|rel';
 
$allowed_attributes .= '|style'; # for testing
 
 
# definitions for matching allowed tag and attribute names
 
my $re_tags = qr~(?(DEFINE)
    (?<tags_open>
        /?+
        (?>
            (?: $allowed_tags_open )
            (?! [^\s>/] )       # from (?&tagname)
        )
    )
    (?<tags_self_closing>
        (?>
            (?: $allowed_tags_self_closing )
            (?! [^\s>/] )       # from (?&tagname)
        )
    )
    (?<tags>    (?> (?&tags_open) | (?&tags_self_closing) )    )
    (?<attribs>
        (?>
            (?: $allowed_attributes )
            (?! [^\s=/>] )      # from (?&attname)
        )
    )
)~xi;
 
 
# definitions for matching the tags
# trying to follow compatible tokenization characteristics of modern browsers
 
my $re_defs = qr~(?(DEFINE)
    (?<tagname> [a-z/][^\s>/]*+    )    # will match the leading / in closing tags
    (?<attname> [^\s>/][^\s=/>]*+    )  # first char can be pretty much anything, including =
    (?<attval>  (?>
                    "[^"]*+" |
                    \'[^\']*+\' |
                    [^\s>]*+            # unquoted values can contain quotes, = and /
                )
    ) 
    (?<attrib>  (?&attname)
                (?: \s*+
                    = \s*+
                    (?&attval)
                )?+
    )
    (?<crap>    (?!/>)[^\s>]    )       # most crap inside tag is ignored, but don't eat the last / in self closing tags
    (?<tag>     <(?&tagname)
                (?: \s*+                # spaces between attributes not required: <b/foo=">"style=color:red>bold red text</b>
                    (?>
                        (?&attrib) |    # order matters
                        (?&crap)        # if not an attribute, eat the crap
                    )
                )*+
                \s*+ /?+
                >
    )
)~xi;
 
 
 
sub sanitize_html{
    my $str = shift;
    $str =~ s/(?&tag) $re_defs/ sanitize_tag($&) /gexo;
    return $str;
}
 
 
sub sanitize_tag{
    my $tag = shift;
 
    my ($name, $attr, $end) =
        $tag =~ /^ < ((?&tags)) (.*?) ( \/?+ > ) $   $re_tags/xo
        or return '';  # return empty string if not allowed tag
 
    # return a new clean closing tag if it's a closing tag
    return "<$name>" if substr($name, 0, 1) eq '/';
 
    # clean attributes
    return "<$name" . sanitize_attributes($attr) . $end;
}
 
 
sub sanitize_attributes{
    my $attr = shift;
    my $new = '';
 
    $attr =~ s{
        \G
        \s*+                 # spaces between attributes not required
        (?>
            ( (?&attrib) ) | # order matters
            (?&crap)         # if not an attribute, eat the crap
        )
 
        $re_defs
    }{
        my $att = $1;
        $new .= " $att" if $att && $att =~ /^(?&attribs) $re_tags/xo;
        '';
    }gexo;
 
    return $new;
}
 
 
### test
 
my $test = <<'_TEST_';
<b>simple</b>
self <img>closing</img>
 
<abc id="test">new tag and known attribute</abc>
<a id="test" xyz="testattr" href="/foo">one unknown attr</a>
<a id="foo">attr in closing tag</a id="foo">
 
<b/#ñ%&/()!¢º`=">="">crap be gone</b> not bold<br/x"/>
<b/style=color:red;background:url("x.gif");/*="still.CSS*/ id="x"zz"<script class="x">tricky</b/ x=">"//> not bold
_TEST_
 
print $test, "\n";
print '-' x 70, "\n";
print sanitize_html $test;

dXNlIHN0cmljdDsKdXNlIHdhcm5pbmdzOwoKIyBhbGxvd2VkIHRhZyBhbmQgYXR0cmlidXRlIG5hbWVzCgpteSAkYWxsb3dlZF90YWdzX29wZW4gPSAncHxib2R5fGJ8dXxlbXxzdHJvbmd8dWx8b2x8bGl8aDF8aDJ8aDN8aDR8aDV8aDZ8YXx0cnx0ZHx0YWJsZXx0Ym9keXxsYWJlbHxkaXZ8c3VwfHN1YnxjYXB0aW9uJzsKCm15ICRhbGxvd2VkX3RhZ3Nfc2VsZl9jbG9zaW5nID0gJ2ltZ3xicnxocic7CgpteSAkYWxsb3dlZF9hdHRyaWJ1dGVzID0gJ2FsdHxocmVmfHRjbXVyaXx0aXRsZXxoZWlnaHR8d2lkdGh8YWxpZ258dmFsaWdufHJvd3NwYW58Y29sc3BhbnxzcmN8c3VtbWFyeXxjbGFzc3xpZHxuYW1lfHRpdGxlfHRhcmdldHxub3dyYXB8c2NvcGV8YXhpc3xjZWxscGFkZGluZ3xjZWxsc3BhY2luZ3xkaXJ8bGFuZ3xyZWwnOwoKJGFsbG93ZWRfYXR0cmlidXRlcyAuPSAnfHN0eWxlJzsgIyBmb3IgdGVzdGluZwoKCiMgZGVmaW5pdGlvbnMgZm9yIG1hdGNoaW5nIGFsbG93ZWQgdGFnIGFuZCBhdHRyaWJ1dGUgbmFtZXMKCm15ICRyZV90YWdzID0gcXJ+KD8oREVGSU5FKQogICAgKD88dGFnc19vcGVuPgogICAgICAgIC8/KwogICAgICAgICg/PgogICAgICAgICAgICAoPzogJGFsbG93ZWRfdGFnc19vcGVuICkKICAgICAgICAgICAgKD8hIFteXHM+L10gKSAgICAgICAjIGZyb20gKD8mdGFnbmFtZSkKICAgICAgICApCiAgICApCiAgICAoPzx0YWdzX3NlbGZfY2xvc2luZz4KICAgICAgICAoPz4KICAgICAgICAgICAgKD86ICRhbGxvd2VkX3RhZ3Nfc2VsZl9jbG9zaW5nICkKICAgICAgICAgICAgKD8hIFteXHM+L10gKSAgICAgICAjIGZyb20gKD8mdGFnbmFtZSkKICAgICAgICApCiAgICApCiAgICAoPzx0YWdzPiAgICAoPz4gKD8mdGFnc19vcGVuKSB8ICg/JnRhZ3Nfc2VsZl9jbG9zaW5nKSApICAgICkKICAgICg/PGF0dHJpYnM+CiAgICAgICAgKD8+CiAgICAgICAgICAgICg/OiAkYWxsb3dlZF9hdHRyaWJ1dGVzICkKICAgICAgICAgICAgKD8hIFteXHM9Lz5dICkgICAgICAjIGZyb20gKD8mYXR0bmFtZSkKICAgICAgICApCiAgICApCil+eGk7CgoKIyBkZWZpbml0aW9ucyBmb3IgbWF0Y2hpbmcgdGhlIHRhZ3MKIyB0cnlpbmcgdG8gZm9sbG93IGNvbXBhdGlibGUgdG9rZW5pemF0aW9uIGNoYXJhY3RlcmlzdGljcyBvZiBtb2Rlcm4gYnJvd3NlcnMKCm15ICRyZV9kZWZzID0gcXJ+KD8oREVGSU5FKQogICAgKD88dGFnbmFtZT4gW2Etei9dW15ccz4vXSorICAgICkgICAgIyB3aWxsIG1hdGNoIHRoZSBsZWFkaW5nIC8gaW4gY2xvc2luZyB0YWdzCiAgICAoPzxhdHRuYW1lPiBbXlxzPi9dW15ccz0vPl0qKyAgICApICAjIGZpcnN0IGNoYXIgY2FuIGJlIHByZXR0eSBtdWNoIGFueXRoaW5nLCBpbmNsdWRpbmcgPQogICAgKD88YXR0dmFsPiAgKD8+CiAgICAgICAgICAgICAgICAgICAgIlteIl0qKyIgfAogICAgICAgICAgICAgICAgICAgIFwnW15cJ10qK1wnIHwKICAgICAgICAgICAgICAgICAgICBbXlxzPl0qKyAgICAgICAgICAgICMgdW5xdW90ZWQgdmFsdWVzIGNhbiBjb250YWluIHF1b3RlcywgPSBhbmQgLwogICAgICAgICAgICAgICAgKQogICAgKSAKICAgICg/PGF0dHJpYj4gICg/JmF0dG5hbWUpCiAgICAgICAgICAgICAgICAoPzogXHMqKwogICAgICAgICAgICAgICAgICAgID0gXHMqKwogICAgICAgICAgICAgICAgICAgICg/JmF0dHZhbCkKICAgICAgICAgICAgICAgICk/KwogICAgKQogICAgKD88Y3JhcD4gICAgKD8hLz4pW15ccz5dICAgICkgICAgICAgIyBtb3N0IGNyYXAgaW5zaWRlIHRhZyBpcyBpZ25vcmVkLCBidXQgZG9uJ3QgZWF0IHRoZSBsYXN0IC8gaW4gc2VsZiBjbG9zaW5nIHRhZ3MKICAgICg/PHRhZz4gICAgIDwoPyZ0YWduYW1lKQogICAgICAgICAgICAgICAgKD86IFxzKisgICAgICAgICAgICAgICAgIyBzcGFjZXMgYmV0d2VlbiBhdHRyaWJ1dGVzIG5vdCByZXF1aXJlZDogPGIvZm9vPSI+InN0eWxlPWNvbG9yOnJlZD5ib2xkIHJlZCB0ZXh0PC9iPgogICAgICAgICAgICAgICAgICAgICg/PgogICAgICAgICAgICAgICAgICAgICAgICAoPyZhdHRyaWIpIHwgICAgIyBvcmRlciBtYXR0ZXJzCiAgICAgICAgICAgICAgICAgICAgICAgICg/JmNyYXApICAgICAgICAjIGlmIG5vdCBhbiBhdHRyaWJ1dGUsIGVhdCB0aGUgY3JhcAogICAgICAgICAgICAgICAgICAgICkKICAgICAgICAgICAgICAgICkqKwogICAgICAgICAgICAgICAgXHMqKyAvPysKICAgICAgICAgICAgICAgID4KICAgICkKKX54aTsKCgoKc3ViIHNhbml0aXplX2h0bWx7CiAgICBteSAkc3RyID0gc2hpZnQ7CiAgICAkc3RyID1+IHMvKD8mdGFnKSAkcmVfZGVmcy8gc2FuaXRpemVfdGFnKCQmKSAvZ2V4bzsKICAgIHJldHVybiAkc3RyOwp9CgoKc3ViIHNhbml0aXplX3RhZ3sKICAgIG15ICR0YWcgPSBzaGlmdDsKICAgIAogICAgbXkgKCRuYW1lLCAkYXR0ciwgJGVuZCkgPQogICAgICAgICR0YWcgPX4gL14gPCAoKD8mdGFncykpICguKj8pICggXC8/KyA+ICkgJCAgICRyZV90YWdzL3hvCiAgICAgICAgb3IgcmV0dXJuICcnOyAgIyByZXR1cm4gZW1wdHkgc3RyaW5nIGlmIG5vdCBhbGxvd2VkIHRhZwogICAgCiAgICAjIHJldHVybiBhIG5ldyBjbGVhbiBjbG9zaW5nIHRhZyBpZiBpdCdzIGEgY2xvc2luZyB0YWcKICAgIHJldHVybiAiPCRuYW1lPiIgaWYgc3Vic3RyKCRuYW1lLCAwLCAxKSBlcSAnLyc7CiAgICAKICAgICMgY2xlYW4gYXR0cmlidXRlcwogICAgcmV0dXJuICI8JG5hbWUiIC4gc2FuaXRpemVfYXR0cmlidXRlcygkYXR0cikgLiAkZW5kOwp9CgoKc3ViIHNhbml0aXplX2F0dHJpYnV0ZXN7CiAgICBteSAkYXR0ciA9IHNoaWZ0OwogICAgbXkgJG5ldyA9ICcnOwogICAgCiAgICAkYXR0ciA9fiBzewogICAgICAgIFxHCiAgICAgICAgXHMqKyAgICAgICAgICAgICAgICAgIyBzcGFjZXMgYmV0d2VlbiBhdHRyaWJ1dGVzIG5vdCByZXF1aXJlZAogICAgICAgICg/PgogICAgICAgICAgICAoICg/JmF0dHJpYikgKSB8ICMgb3JkZXIgbWF0dGVycwogICAgICAgICAgICAoPyZjcmFwKSAgICAgICAgICMgaWYgbm90IGFuIGF0dHJpYnV0ZSwgZWF0IHRoZSBjcmFwCiAgICAgICAgKQogICAgICAgIAogICAgICAgICRyZV9kZWZzCiAgICB9ewogICAgICAgIG15ICRhdHQgPSAkMTsKICAgICAgICAkbmV3IC49ICIgJGF0dCIgaWYgJGF0dCAmJiAkYXR0ID1+IC9eKD8mYXR0cmlicykgJHJlX3RhZ3MveG87CiAgICAgICAgJyc7CiAgICB9Z2V4bzsKICAgIAogICAgcmV0dXJuICRuZXc7Cn0KCgojIyMgdGVzdAoKbXkgJHRlc3QgPSA8PCdfVEVTVF8nOwo8Yj5zaW1wbGU8L2I+CnNlbGYgPGltZz5jbG9zaW5nPC9pbWc+Cgo8YWJjIGlkPSJ0ZXN0Ij5uZXcgdGFnIGFuZCBrbm93biBhdHRyaWJ1dGU8L2FiYz4KPGEgaWQ9InRlc3QiIHh5ej0idGVzdGF0dHIiIGhyZWY9Ii9mb28iPm9uZSB1bmtub3duIGF0dHI8L2E+CjxhIGlkPSJmb28iPmF0dHIgaW4gY2xvc2luZyB0YWc8L2EgaWQ9ImZvbyI+Cgo8Yi8jw7ElJi8oKSHCosK6YD0iPj0iIj5jcmFwIGJlIGdvbmU8L2I+IG5vdCBib2xkPGJyL3giLz4KPGIvc3R5bGU9Y29sb3I6cmVkO2JhY2tncm91bmQ6dXJsKCJ4LmdpZiIpOy8qPSJzdGlsbC5DU1MqLyBpZD0ieCJ6eiI8c2NyaXB0IGNsYXNzPSJ4Ij50cmlja3k8L2IvIHg9Ij4iLy8+IG5vdCBib2xkCl9URVNUXwoKcHJpbnQgJHRlc3QsICJcbiI7CnByaW50ICctJyB4IDcwLCAiXG4iOwpwcmludCBzYW5pdGl6ZV9odG1sICR0ZXN0Owo=

Success #stdin #stdout 0s 4728KB

stdin

copy

Standard input is empty

stdout

copy

<b>simple</b>
self <img>closing</img>

<abc id="test">new tag and known attribute</abc>
<a id="test" xyz="testattr" href="/foo">one unknown attr</a>
<a id="foo">attr in closing tag</a id="foo">

<b/#ñ%&/()!¢º`=">="">crap be gone</b> not bold<br/x"/>
<b/style=color:red;background:url("x.gif");/*="still.CSS*/ id="x"zz"<script class="x">tricky</b/ x=">"//> not bold

----------------------------------------------------------------------
<b>simple</b>
self <img>closing

new tag and known attribute
<a id="test" href="/foo">one unknown attr</a>
<a id="foo">attr in closing tag</a>

<b>crap be gone</b> not bold<br/>
<b style=color:red;background:url("x.gif");/*="still.CSS*/ id="x" class="x">tricky</b> not bold

https://ideone.com/uAd5l

language:

Perl (perl 5.28.1)

created:

visibility:

public

Share or Embed source code

Discover > Sphere Engine API

The brand new service which powers Ideone!

Discover > IDE Widget

Widget for compiling and running the source code in a web browser!

Discover > Sphere Engine API

Discover > IDE Widget

Choose your language