Mercurial > genshi > genshi-test
diff ChangeLog @ 571:5815ad5f75a4
* Cleaned up the implementation of the `HTMLSanitizer`.
* The sanitizer now properly strips HTML comments.
| field | value |
|---|---|
| author | cmlenz |
| date | Tue, 17 Jul 2007 10:42:29 +0000 |
| parents | 4cbd8031ed76 |
| children | 15a1137ecfd7 |
--- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ ignored tags (ticket #132). * The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values. + * The HTML sanitizer now also removes any HTML comments encountered, as those + may be used to hide malicious payloads targetting a certain "innovative" + browser that goes and interprets the content of specially prepared comments. * Attribute access in template expressions no longer silently ignores exceptions other than `AttributeError` raised in the attribute accessor.
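Review bot: the new ChangeLog entry (the three `+` lines) misspells "targetting" (should be "targeting") and, unlike the preceding entry that cites ticket #132, describes the motivating browser only by allusion ("a certain "innovative" browser"); a changelog that other people will grep later should name the browser and the comment syntax it interprets, and link the ticket if one exists. Suggested wording: `+ * The HTML sanitizer now also removes any HTML comments encountered, as those` / `+ may be used to hide malicious payloads targeting browsers that interpret the` / `+ content of specially prepared comments.`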