Name

mod-html-filter — format of mod-html-filter component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the mod-html-filter component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in mod-html-filter configuration directives:

accept-deny (name-usage obligatory)

Specifies whether a particular part of a document should be accepted (kept in the document) or denied (deleted from the document).

accept, deny

ITEMS AND SECTIONS

Configuration of mod-html-filter library component consists of following prototypes:


* filter-spec ... ;
* html-filter name { ... }
    

Description:

filter-spec action val;

Various instances of this prototype item (e.g., script-tag-language) control deleting some parts of the document. If no item is present, nothing is deleted. If at least one item is present, the first one with matching VAL determines the result according to its ACTION. If no item matches, the respective part of the document is deleted.

action (type: accept-deny)

val (type: str-set)

html-filter name {


* script-tag-language ... ;
  replace-head-script-tags ... ;
  replace-body-script-tags ... ;
* style-tag-type ... ;
  replace-style-tags ... ;
* iframe-tag-src ... ;
  replace-iframe-tags ... ;
* intrinsic-language ... ;
* intrinsic-hack ... ;
  replace-intrinsic ... ;
* macro-language ... ;
* macro-hack ... ;
  replace-macros ... ;
* uri ... ;
  replace-uri ... ;
* embed-tag-type ... ;
* embed-src-hack ... ;
* embed-plugin-hack ... ;
  replace-head-embed-tags ... ;
  replace-body-embed-tags ... ;
* applet ... ;
  replace-applets ... ;
* object ... ;
* object-classid-hack ... ;
* object-data-hack ... ;
  replace-head-object-tags ... ;
  replace-body-object-tags ... ;
* param-tags ... ;
  replace-param ... ;
  script-end-hack ... ;
}

        

Settings of HTML filtration.

Items & subsections:

script-tag-language action val;

Controls deleting <SCRIPT> elements. If this item is not present, all scripts are preserved. If at least one item is present, the first one with matching VAL determines the result according to its ACTION. If no item matches, the script is deleted. A script with unspecified language is matched by the empty string. According to HTML definition, each <SCRIPT> tag should contain attribute TYPE which defines the scripting language. Instead of TYPE, (deprecated) attribute LANGUAGE can be used. If both TYPE and LANGUAGE are present, http-proxy makes its decisions according to TYPE (as browsers usually do). A script without a specification of scripting language is a HTML error, but browsers often treat such scripts as JavaScript.

action (type: accept-deny)

val (type: str-set)

replace-head-script-tags val;

Replacement text for deleted scripts in <HEAD>.

val (type: str)

replace-body-script-tags val;

Replacement text for deleted scripts. in <BODY>.

val (type: str)

style-tag-type action val;

Controls deleting <STYLE> elements. Matching is done like in SCRIPT-TAG-LANGUAGE. The empty string matches an unknown type (missing TYPE attribute).

action (type: accept-deny)

val (type: str-set)

replace-style-tags val;

Replacement text for deleted <STYLE> elements.

val (type: str)

iframe-tag-src action val;

Controls deleting <IFRAME> elements.

action (type: accept-deny)

val (type: str-set)

replace-iframe-tags val;

Replacement text for deleted <IFRAME> elements.

val (type: str)

intrinsic-language action val;

Controls deleting intrinsic events according to scripting language. Like SCRIPT-TAG-LANGUAGE, but controls deleting attributes defining intrinsic event scripts (e.g., ONCLICK attribute in HTML). Scripting language is defined by Content-Script-Type HTTP header (or an equivalent <META> HTML tag). Occurrence of an intrinsic event in a document without scripting language definition is a HTML error, but browsers treat such scripts as JavaScript. Such an intrinsic event with undefined scripting language is matched by the empty string.

action (type: accept-deny)

val (type: str-set)

intrinsic-hack action val;

Controls deleting intrinsic events according to attribute value. If both INTRINSIC-LANGUAGE and INTRINSIC-HACK are used then being denied by one of the directives suffices for an intrinsic attribute to be deleted.

action (type: accept-deny)

val (type: str-set)

replace-intrinsic val;

Replacement of deleted intrinsic events.

val (type: str)

macro-language action val;

Controls deleting script macros according to scripting language. Like SCRIPT-TAG-LANGUAGE, but controls deleting attributes with script macros in HTML attribute values (ATTR_NAME="...&{SCRIPT};..."). Scripting language is defined by Content-Script-Type HTTP header (or an equivalent <META> HTML tag). Occurrence of an intrinsic event in a document without scripting language definition (matched by the empty string) is a HTML error, but browsers treat such scripts as JavaScript.

action (type: accept-deny)

val (type: str-set)

macro-hack action val;

Controls deleting script macros according to attribute value. Like INTRINSIC-HACK, but controls deleting attributes with script macros in attribute values. If both MACRO-LANGUAGE and MACRO-HACK are used then being denied by one of the directives suffices for an attribute with a script macro to be deleted.

action (type: accept-deny)

val (type: str-set)

replace-macros val;

Replacement of script macros.

val (type: str)

uri action val;

Controls deleting URI-valued attributes. Matching is done like in SCRIPT-TAG-LANGUAGE. The following attributes are considered as URI-valued: ACTION, ARCHIVE, BACKGROUND, CITE, CLASSID, CODE, CODEBASE, DATA, HREF, LONGDESC, PROFILE, SRC, USEMAP. Before matching an URI, it is always combined with the base URI of the document. Therefore, the HREF attribute in <BASE> is never deleted, because it defines the base URI for other relative URIs. Note that if something looks like an URI with unknown scheme (e.g., foo://foo_srv/), browsers often assume that it is server name and translate it to "http://foo:80//foo_srv/".

action (type: accept-deny)

val (type: str-set)

replace-uri val;

Replacement of deleted URI-valued attributes.

val (type: str)

embed-tag-type action val;

Controls deleting <EMBED> elements according to type. Matching is done like in SCRIPT-TAG-LANGUAGE. Arguments of this directive are matched with attributes TYPE, LANG, and LANGUAGE of an <EMBED>. If more than one of these attributes are present, the element is not deleted only if all match. Unknown type is matched by the empty string.

action (type: accept-deny)

val (type: str-set)

embed-src-hack action val;

Controls deleting <EMBED> elements according to SRC attribute. Matching is done like in SCRIPT-TAG-LANGUAGE. The value of the attribute is compared to the set of allowed sources from this directive. Comparison is performed as for ALLOWED-URI, i.e., the value of SRC is combined with the base URI of the document.

action (type: accept-deny)

val (type: str-set)

embed-plugin-hack action val;

Controls deleting <EMBED> elements according to PLUGINSPAGE attribute. Matching is done like in SCRIPT-TAG-LANGUAGE.

action (type: accept-deny)

val (type: str-set)

replace-head-embed-tags val;

Replacement of deleted embeds in <HEAD>.

val (type: str)

replace-body-embed-tags val;

Replacement of deleted embeds in <BODY>.

val (type: str)

applet action val;

Controls deleting Java applets (elements <APPLET>) according to code location - attributes CODE, OBJECT. Both attributes CODE and OBJECT must pass the test in order to ACCEPT <APPLET> in the document, but matching one of them suffices to DENY. Matching is done like in ALLOWED-URI. If a base URI is specified for a particular <APPLET> element by its CODEBASE attribute, it takes precedence over a document-wide base URI. If CODEBASE is relative, it is combined with the document-wide base URI first.

action (type: accept-deny)

val (type: str-set)

replace-applets val;

Replacement of deleted applets.

val (type: str)

object action val;

Controls deleting <OBJECT> elements according to their types given by attributes TYPE and CODETYPE. Matching is done like in SCRIPT-TAG-LANGUAGE. Arguments of this directive are matched with attributes TYPE and CODETYPE of an <OBJECT>. If both these attributes are present, matching both is required to ACCEPT the object, but matching one of them suffices for DENY. If none of them is present, the empty string matches.

action (type: accept-deny)

val (type: str-set)

object-classid-hack action val;

Controls deleting <OBJECT> elements according to class-id - attribute CLASSID. The value of the attribute is compared to the list of allowed class-id's from this directive. Comparison is performed as for ALLOWED-URI, i.e., the value of CLASSID is combined with the base URI. If a base URI is specified for a particular <OBJECT> element by its CODEBASE attribute, it takes precedence over a document-wide base URI. If CODEBASE is relative, it is combined with the document-wide base URI first.

action (type: accept-deny)

val (type: str-set)

object-data-hack action val;

Controls deleting <OBJECT> elements according to data location - attribute DATA. The value of the attribute is compared to the list of allowed locations from this directive. Comparison is performed as for ALLOWED-URI, i.e., the value of DATA is combined with the base URI. If a base URI is specified for a particular <OBJECT> element by its CODEBASE attribute, it takes precedence over a document-wide base URI.

action (type: accept-deny)

val (type: str-set)

replace-head-object-tags val;

Replacement of deleted objects in <HEAD>.

val (type: str)

replace-body-object-tags val;

Replacement of deleted objects in <BODY>.

val (type: str)

param-tags action name value;

Controls deleting <PARAM> tags according to their attributes NAME and VALUE. If this item is not present, all <PARAM> tags are preserved. If at least one item is present, the first one with matching both NAME and VALUE determines the result according to its ACTION. If no item matches, the tag is deleted.

action (type: accept-deny)

name (type: str-set)

value (type: str-set)

replace-param val;

Replacement of deleted <PARAM> tags.

val (type: str)

script-end-hack;

How <SCRIPT> and <STYLE> elements are terminated. If Off, scripts in SCRIPT elements and content of STYLE elements end at the first occurrence of "</" followed by letter (according to HTML 4.0 Specification). If set, scripts end only at </SCRIPT> or </STYLE> tag, respectively, which is how scripts are usually treated by browsers.

[End of section html-filter description.]

SEE ALSO

configuration(7)