Fix #153: Sanitizer fails to treat some attributes as URLs · dstufft/html5lib-python@a5efb0e · GitHub

Commit a5efb0e

committed
Fix html5lib#153: Sanitizer fails to treat some attributes as URLs
Despite how this sounds, this has no known security implications. No known version of IE (5.5 to current), Firefox (3 to current), Safari (6 to current), Chrome (1 to current), or Opera (12 to current) will run any script provided in these attributes.
1 parent e3bedc5 commit a5efb0e

1 file changed

+2
-2
lines changed

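--- a/html5lib/sanitizer.py
+++ b/html5lib/sanitizer.py
@@ -115,8 +115,8 @@ class HTMLSanitizerMixin(object):
 'xml:base', 'xml:lang', 'xml:space', 'xmlns', 'xmlns:xlink', 'y',
 'y1', 'y2', 'zoomAndPan']
 
-attr_val_is_uri = ['href', 'src', 'cite', 'action', 'longdesc', 'poster',
-'xlink:href', 'xml:base']
+attr_val_is_uri = ['href', 'src', 'cite', 'action', 'longdesc', 'poster', 'background', 'datasrc',
+'dynsrc', 'lowsrc', 'ping', 'poster', 'xlink:href', 'xml:base']
 
 svg_attr_val_allows_ref = ['clip-path', 'color-profile', 'cursor', 'fill',
 'filter', 'marker', 'marker-start', 'marker-mid', 'marker-end',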
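Review bot: `'poster'` now appears twice in `attr_val_is_uri` on the added lines: it was already in the list after `'longdesc'` and is added again after `'ping'`. The duplicate is harmless for a membership test but should be dropped so the list stays auditable. The commit touches only sanitizer.py, so nothing pins that the values of the newly listed attributes (`background`, `datasrc`, `dynsrc`, `lowsrc`, `ping`) are now scheme-checked; one sanitizer test per attribute with a disallowed scheme would keep this from regressing silently. HTMLSanitizerMixin starts and ends outside the hunk, so whether other URL-valued attributes in the allow-list are still missing from `attr_val_is_uri` cannot be confirmed from here and is worth checking against the full attribute list.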
