bsw/jbe@1309: function util.html_is_safe(str)
bsw/jbe@1309: 
bsw/jbe@1309:   -- All (ASCII) control characters except \t\n\f\r are forbidden:
bsw/jbe@1309:   if string.find(str, "[\0-\8\11\14-\31\127]") then
bsw/jbe@1309:     return false, "Invalid ASCII control character"
bsw/jbe@1309:   end
bsw/jbe@1309: 
bsw/jbe@1309:   -- Memorize expected closing tags:
bsw/jbe@1309:   local stack = {}
bsw/jbe@1309: 
bsw/jbe@1309:   -- State during parsing:
bsw/jbe@1309:   local para    = false  -- <p> tag open
bsw/jbe@1309:   local bold    = false  -- <b> tag open
bsw/jbe@1309:   local italic  = false  -- <i> tag open
bsw/jbe@1309:   local supsub  = false  -- <sup> or <sub> tag open
bsw/jbe@1309:   local link    = false  -- <a href="..."> tag open
bsw/jbe@1309:   local heading = false  -- <h1-6> tag open
bsw/jbe@1309:   local list    = false  -- <ol> or <ul> (but no corresponding <li>) tag open
bsw/jbe@1309:   local listelm = false  -- <li> tag (but no further <ol> or <ul> tag) open
bsw/jbe@1309: 
bsw/jbe@1309:   -- Function looped with tail-calls:
bsw/jbe@1309:   local function loop(str)
bsw/jbe@1309: 
bsw/jbe@1309:     -- NOTE: We do not allow non-escaped "<" or ">" in attributes,
bsw/jbe@1309:     --       even if HTML5 allows it.
bsw/jbe@1309: 
bsw/jbe@1309:     -- Find any "<" or ">" character and determine context, i.e.
bsw/jbe@1309:     -- pre = text before character, tag = text until closing ">", and rest:
bsw/jbe@1309:     local pre, tag, rest = string.match(str, "^(.-)([<>][^<>]*>?)(.*)")
bsw/jbe@1309: 
bsw/jbe@1309:     -- Disallow text content (except inter-element white-space) in <ol> or <ul>
bsw/jbe@1309:     -- when outside <li>:
bsw/jbe@1309:     if list and string.find(pre, "[^\t\n\f\r ]") then
bsw/jbe@1309:       return false, "Text content in list but outside list element"
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- If no more "<" or ">" characters are found,
bsw/jbe@1309:     -- then return true if all tags have been closed:
bsw/jbe@1309:     if not tag then
bsw/jbe@1309:       if #stack == 0 then
bsw/jbe@1309:         return true
bsw/jbe@1309:       else
bsw/jbe@1309:         return false, "Not all tags have been closed"
bsw/jbe@1309:       end
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Handle (expected) closing tags:
bsw/jbe@1309:     local closed_tagname = string.match(tag, "^</(.-)[\t\n\f\r ]*>$")
bsw/jbe@1309:     if closed_tagname then
bsw/jbe@1309:       closed_tagname = string.lower(closed_tagname)
bsw/jbe@1309:       if closed_tagname ~= stack[#stack] then
bsw/jbe@1309:         return false, "Wrong closing tag"
bsw/jbe@1309:       end
bsw/jbe@1309:       if closed_tagname == "p" then
bsw/jbe@1309:         para = false
bsw/jbe@1309:       elseif closed_tagname == "b" then
bsw/jbe@1309:         bold = false
bsw/jbe@1309:       elseif closed_tagname == "i" then
bsw/jbe@1309:         italic = false
bsw/jbe@1309:       elseif closed_tagname == "sup" or closed_tagname == "sub" then
bsw/jbe@1309:         supsub = false
bsw/jbe@1309:       elseif closed_tagname == "a" then
bsw/jbe@1309:         link = false
bsw/jbe@1309:       elseif string.find(closed_tagname, "^h[1-6]$") then
bsw/jbe@1309:         heading = false
bsw/jbe@1309:       elseif closed_tagname == "ul" or closed_tagname == "ol" then
bsw/jbe@1309:         list = false
bsw/jbe@1309:       elseif closed_tagname == "li" then
bsw/jbe@1309:         listelm = false
bsw/jbe@1309:         list = true
bsw/jbe@1309:       end
bsw/jbe@1309:       stack[#stack] = nil
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <br> tag as void tag:
bsw/jbe@1309:     if string.find(tag, "^<[Bb][Rr][\t\n\f\r ]*/?>$") then
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Parse opening tag:
bsw/jbe@1309:     local tagname, attrs = string.match(
bsw/jbe@1309:       tag,
bsw/jbe@1309:       "^<([^<>\0-\32]+)[\t\n\f\r ]*([^<>]-)[\t\n\f\r ]*>$"
bsw/jbe@1309:     )
bsw/jbe@1309: 
bsw/jbe@1309:     -- Return false if tag could not be parsed:
bsw/jbe@1309:     if not tagname then
bsw/jbe@1309:       return false, "Malformed tag"
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Make tagname lowercase:
bsw/jbe@1309:     tagname = string.lower(tagname)
bsw/jbe@1309: 
bsw/jbe@1309:     -- Append closing tag to list of expected closing tags:
bsw/jbe@1309:     stack[#stack+1] = tagname
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <li> tag in proper context:
bsw/jbe@1309:     if tagname == "li" and attrs == "" then
bsw/jbe@1309:       if not list then
bsw/jbe@1309:         return false, "List element outside list"
bsw/jbe@1309:       end
bsw/jbe@1309:       list = false
bsw/jbe@1309:       listelm = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- If there was no valid <li> tag but <ol> or <ul> is open,
bsw/jbe@1309:     -- then return false:
bsw/jbe@1309:     if list then
bsw/jbe@1309:       return false
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <b>, <i>, <sup>, <sub> unless already open:
bsw/jbe@1309:     if tagname == "b" and attrs == "" then
bsw/jbe@1309:       if bold then
bsw/jbe@1309:         return false, "Bold inside bold tag"
bsw/jbe@1309:       end
bsw/jbe@1309:       bold = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309:     if tagname == "i" and attrs == "" then
bsw/jbe@1309:       if italic then
bsw/jbe@1309:         return false, "Italic inside italic tag"
bsw/jbe@1309:       end
bsw/jbe@1309:       italic = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309:     if (tagname == "sup" or tagname == "sub") and attrs == "" then
bsw/jbe@1309:       if supsub then
bsw/jbe@1309:         return false, "Super/subscript inside super/subscript tag"
bsw/jbe@1309:       end
bsw/jbe@1309:       supsub = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <a href="..."> tag unless already open or malformed:
bsw/jbe@1309:     if tagname == "a" then
bsw/jbe@1309:       if link then
bsw/jbe@1309:         return false, "Link inside link"
bsw/jbe@1309:       end
bsw/jbe@1309:       local url = string.match(attrs, '^[Hh][Rr][Ee][Ff][\t\n\f\r ]*=[\t\n\f\r ]*"([^"]*)"$')
bsw/jbe@1309:       if not url then
bsw/jbe@1309:         url = string.match(attrs, "^[Hh][Rr][Ee][Ff][\t\n\f\r ]*=[\t\n\f\r ]*'([^']*)'$")
bsw/jbe@1309:       end
bsw/jbe@1309:       if not url then
bsw/jbe@1309:         url = string.match(attrs, "^[Hh][Rr][Ee][Ff][\t\n\f\r ]*=[\t\n\f\r ]*([^\0-\32\"'=<>`]+)$")
bsw/jbe@1309:       end
bsw/jbe@1309:       if not url then
bsw/jbe@1309:        return false, "Forbidden, missing, or malformed attributes in link tag"
bsw/jbe@1309:       end
bsw/jbe@1309:       if not string.find(url, "^[Hh][Tt][Tt][Pp][Ss]?://") then
bsw/jbe@1309:         return false, "Invalid link URL"
bsw/jbe@1309:       end
bsw/jbe@1309:       link = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Remaining tags require no open <p>, <b>, <i>, <sup>, <sub>,
bsw/jbe@1309:     -- <a href="...">, or <h1>..</h6> tag:
bsw/jbe@1309:     if para or bold or italic or supsub or link or heading then
bsw/jbe@1309:       return false, "Forbidden child tag within paragraph, bold, italic, super/subscript, link, or heading tag"
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <p>:
bsw/jbe@1309:     if tagname == "p" and attrs == "" then
bsw/jbe@1309:       para = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <h1>..<h6>:
bsw/jbe@1309:     if string.find(tagname, "^h[1-6]$") and attrs == "" then
bsw/jbe@1309:       heading = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Allow <ul> and <ol>:
bsw/jbe@1309:     if (tagname == "ul" or tagname == "ol") and attrs == "" then
bsw/jbe@1309:       list = true
bsw/jbe@1309:       return loop(rest)
bsw/jbe@1309:     end
bsw/jbe@1309: 
bsw/jbe@1309:     -- Disallow all others (including unexpected closing tags):
bsw/jbe@1309:     return false, "Forbidden tag or forbidden attributes"
bsw/jbe@1309: 
bsw/jbe@1309:   end
bsw/jbe@1309: 
bsw/jbe@1309:   -- Invoke tail-call loop:
bsw/jbe@1309:   return loop(str)
bsw/jbe@1309: 
bsw/jbe@1309: end