debian/changelog:

libhtml-scrubber-perl (0.11-1+deb8u1build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Mike Salvatore  Fri, 02 Nov 2018 12:32:54 -0400

libhtml-scrubber-perl (0.11-1+deb8u1) jessie; urgency=medium

  * [SECURITY] CVE-2015-5667: Backport upstream patch fixing a cross-site
    scripting vulnerability in comments. (Closes: #803943)

 -- Niko Tyni  Sun, 15 Nov 2015 21:07:33 +0200

libhtml-scrubber-perl (0.11-1) unstable; urgency=low

  * Team upload.

  [ Ansgar Burchardt ]
  * debian/control: Convert Vcs-* fields to Git.

  [ gregor herrmann ]
  * debian/control: update {versioned,alternative} (build) dependencies.

  [ Salvatore Bonaccorso ]
  * Change search.cpan.org based URIs to metacpan.org based URIs

  [ Axel Beckert ]
  * debian/copyright: migrate pre-1.0 format to 1.0 using "cme fix dpkg-copyright"

  [ gregor herrmann ]
  * New upstream release.
  * Update upstream copyright holders/years.
  * Update build dependencies (Module::Build).
  * Bump debhelper compatibility level to 8.
  * Declare compliance with Debian Policy 3.9.4.

 -- gregor herrmann  Tue, 22 Oct 2013 19:19:03 +0200

libhtml-scrubber-perl (0.09-1) unstable; urgency=low

  [ gregor herrmann ]
  * debian/control: Added: Vcs-Svn field (source stanza); Vcs-Browser
    field (source stanza); Homepage field (source stanza). Removed:
    XS-Vcs-Svn fields.
  * debian/watch: use dist-based URL.
  * debian/control: Added: ${misc:Depends} to Depends: field.

  [ Nathan Handler ]
  * debian/watch: Update to ignore development releases.

  [ Salvatore Bonaccorso ]
  * debian/control: Changed: Replace versioned (build-)dependency on
    perl (>= 5.6.0-{12,16}) with an unversioned dependency on perl (as
    permitted by Debian Policy 3.8.3).

  [ Nicholas Bamber ]
  * Added myself to Uploaders
  * New upstream release (Closes: #409672)
  * Added debian/source/format
  * Standardized watch file
  * Updated standards version to 3.9.2
  * Depersonalized long description
  * Refreshed copyright
  * Refreshed rules and upped debhelper versioned dependency
  * Updated dependencies

 -- Nicholas Bamber  Fri, 15 Apr 2011 13:01:31 +0100

libhtml-scrubber-perl (0.08-4) unstable; urgency=low

  * New maintainer.
  * Update debian/copyright.
  * Upgrade to debhelper compatibility level 5.

 -- Niko Tyni  Mon, 4 Dec 2006 23:34:10 +0200

libhtml-scrubber-perl (0.08-3) unstable; urgency=low

  * Moved debhelper to Build-Depends
  * Switched to my debian.org email address throughout

 -- Stephen Quinney  Wed, 21 Jun 2006 18:44:20 +0100

libhtml-scrubber-perl (0.08-2) unstable; urgency=low

  * debian/watch - Updated URL to stop lookups randomly failing.

 -- Stephen Quinney  Sat, 11 Jun 2005 14:17:10 +0100

libhtml-scrubber-perl (0.08-1) unstable; urgency=low

  * Initial release, closes: #256642.

 -- Stephen Quinney  Fri, 2 Jul 2004 11:46:04 +0100

debian/compat:

8

debian/rules:

#!/usr/bin/make -f
%:
	dh $@

debian/patches/series:

0001-Test-and-fix-for-JVN53973084.patch

debian/patches/0001-Test-and-fix-for-JVN53973084.patch:

From 3f871371cf40baf37981bc829036d4a444e20124 Mon Sep 17 00:00:00 2001
From: Nigel Metheringham Date: Sat, 10 Oct 2015 15:01:14 +0100 Subject: [PATCH] Test and fix for JVN53973084 Malformed tags can pass through as comments. Thus comments are now only passed through if they are well formed - currently defined as matching a regular expression. Origin: backport, https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd Bug-Debian: https://bugs.debian.org/803943 --- lib/HTML/Scrubber.pm | 6 +++++- t/jvn53973084.t | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 t/jvn53973084.t diff --git a/lib/HTML/Scrubber.pm b/lib/HTML/Scrubber.pm index e8ee4ba..e7c1d42 100644 --- a/lib/HTML/Scrubber.pm +++ b/lib/HTML/Scrubber.pm @@ -284,7 +284,11 @@ sub _scrub_str { } } elsif ( $e eq 'comment' ) { - $outstr .= $text if $s->{_comment}; + if ( $s->{_comment} ) { + + # only copy comments through if they are well formed... + $outstr .= $text if ( $text =~ m|^$|ms ); + } } elsif ( $e eq 'process' ) { $outstr .= $text if $s->{_process}; diff --git a/t/jvn53973084.t b/t/jvn53973084.t new file mode 100644 index 0000000..7767609 --- /dev/null +++ b/t/jvn53973084.t @@ -0,0 +1,21 @@ +# Tests related to JVN53973084 + +use strict; +use warnings; +use Test::More; + +use_ok('HTML::Scrubber'); + +my @allow = qw[ + hr +]; + +my $html_1 = q[
abc]; +my $html_2 = q[new( allow => \@allow, comment => $comment_value ); + is( $scrubber->scrub($html_1), '
abc', "correct result (1) - with comment => $comment_value" ); + is( $scrubber->scrub($html_2), '', "correct result (2) - with comment => $comment_value" ); +} + +done_testing; -- 2.6.2

debian/control:

Source: libhtml-scrubber-perl
Maintainer: Debian Perl Group
Uploaders: Niko Tyni, Nicholas Bamber
Section: perl
Priority: optional
Build-Depends: debhelper (>= 8),
 perl (>= 5.11.4) | libmodule-build-perl (>= 0.360100),
 perl
Build-Depends-Indep: libhtml-parser-perl,
 perl (>= 5.11.1) | libtest-simple-perl (>= 0.94)
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libhtml-scrubber-perl.git
Vcs-Git: git://anonscm.debian.org/pkg-perl/packages/libhtml-scrubber-perl.git
Homepage: https://metacpan.org/release/HTML-Scrubber/

Package: libhtml-scrubber-perl
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends}, libhtml-parser-perl
Description: Perl extension for scrubbing/sanitizing html
 If you want to "scrub" or "sanitize" html input in a reliable and flexible
 fashion, then this module is for you.
 .
 The author was not satisfied with HTML::Sanitizer because it is based on
 HTML::TreeBuilder, so he wrote something similar that works directly with
 HTML::Parser.

debian/source/format:

3.0 (quilt)

debian/copyright:

Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: HTML-Scrubber
Upstream-Contact: Nigel Metheringham
Source: https://metacpan.org/release/HTML-Scrubber/

Files: *
Copyright: 2003-2004, D. H.
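Review bot: in the lib/HTML/Scrubber.pm hunk the well-formedness check is rendered as `$text =~ m|^$|ms`, which as written matches only empty text (or, under `/m`, any text containing an empty line), so with comment => 1 no real comment would ever be copied through; the pattern body (comment delimiters are markup and appear to have been stripped in this rendering) must be confirmed against the upstream commit named in the Origin header before this is applied. Independently of the body, `^` and `$` under the `m` flag also match at embedded newlines, so a multi-line comment text only needs one line to satisfy the anchors even if it begins or ends with stray tag fragments; anchoring with `\A` and `\z` constrains the whole string.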
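Review bot: the t/jvn53973084.t hunk only exercises inputs that must be stripped, and expects the same output from scrub($html_1) and scrub($html_2) (the latter always the empty string) for every $comment_value the loop iterates over, so it cannot tell the intended fix apart from a check that rejects every comment; add a case whose input contains a well-formed comment and assert that it survives with comment => 1 and is removed with comment => 0, otherwise a regression in the comment regex passes this test unnoticed.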
 2011-2013, Nigel Metheringham
 2013, Ruslan Zakirov
License: Artistic or GPL-1+

Files: debian/*
Copyright: 2004-2006, Stephen Quinney
 2006, Niko Tyni
 2011, Nicholas Bamber
License: Artistic or GPL-1+

License: Artistic
 This program is free software; you can redistribute it and/or modify it
 under the terms of the Artistic License, which comes with Perl.
 .
 On Debian systems, the complete text of the Artistic License can be
 found in `/usr/share/common-licenses/Artistic'.

License: GPL-1+
 This program is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the
 Free Software Foundation; either version 1, or (at your option) any
 later version.
 .
 On Debian systems, the complete text of version 1 of the GNU General
 Public License can be found in `/usr/share/common-licenses/GPL-1'.

debian/watch:

version=3
https://metacpan.org/release/HTML-Scrubber/ .*/HTML-Scrubber-v?(\d[\d.]+)\.(?:tar(?:\.gz|\.bz2)?|tgz|zip)