Commit 70fe97b

Fix #188: the sanitizer should sanitize given a bogus data URL.
1 parent 428cafa commit 70fe97b

3 files changed

+20
-1
lines changed

‎CHANGES.rst

9 additions & 0 deletions
@@ -1,6 +1,15 @@
11
Change Log
22
----------
33

4+
0.9999.1/1.0b5.1
5+
~~~~~~~~~~~~~~~~
6+
7+
Released on April 30, 2015
8+
9+
* Fix #188: fix the sanitizer to not throw an exception when sanitizing
10+
bogus data URLs.
11+
12+
413
0.9999/1.0b5
514
~~~~~~~~~~~~
615
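
Review bot: The new 0.9999.1/1.0b5.1 entry says only that the sanitizer no longer throws on bogus data URLs, without saying what happens to the attribute instead. Suggest stating the resulting behaviour, namely that the attribute carrying the malformed data URL is removed from the output (as the added test_invalid_data_uri case expects), so readers of the change log know the value is dropped and not passed through.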

‎html5lib/sanitizer.py

1 addition & 1 deletion
@@ -215,7 +215,7 @@ def allowed_token(self, token, token_type):
215215
m = content_type_rgx.match(uri.path)
216216
if not m:
217217
del attrs[attr]
218-
if m.group('content_type') not in self.allowed_content_types:
218+
elif m.group('content_type') not in self.allowed_content_types:
219219
del attrs[attr]
220220

221221
for attr in self.svg_attr_val_allows_ref:
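
Review bot: In allowed_token, the `if not m:` and `elif m.group('content_type') not in self.allowed_content_types:` branches both end in the same `del attrs[attr]`, so the safety of calling `m.group(...)` now rests on the `elif` keyword alone. Consider a single condition, `if not m or m.group('content_type') not in self.allowed_content_types:`, followed by one `del attrs[attr]`, so that the None check and the allow-list check cannot be separated again by a later edit. A one-line comment saying that a data URL whose path does not match content_type_rgx is treated as disallowed would document the intent.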

‎html5lib/tests/test_sanitizer.py

10 additions & 0 deletions
@@ -104,6 +104,16 @@ def test_sanitizer():
104104
"""<img src="%s:%s">foo</a>""" % (protocol, rest_of_uri),
105105
toxml)
106106

107+
yield (runSanitizerTest, "test_invalid_data_uri",
108+
"<audio controls=\"\"></audio>",
109+
"<audio controls=\"\" src=\"data:foobar\"></audio>",
110+
toxml)
111+
112+
yield (runSanitizerTest, "test_data_uri_disallowed_type",
113+
"<audio controls=\"\"></audio>",
114+
"<audio controls=\"\" src=\"data:text/html,<html>\"></audio>",
115+
toxml)
116+
107117
for protocol in sanitizer.HTMLSanitizer.allowed_protocols:
108118
rest_of_uri = '//sub.domain.tld/path/object.ext'
109119
if protocol == 'data':
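
Review bot: The two added cases, test_invalid_data_uri and test_data_uri_disallowed_type, cover a single malformed form (`data:foobar`) and a single disallowed type (`text/html`), both on the `src` attribute of `<audio>`. Suggest adding a case with an empty path (`src="data:"`) so the no-match branch is exercised by more than one input shape, and a brief comment above the new tests referencing #188 so the regression they guard against is clear to later readers.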
