diff genshi/filters/tests/html.py @ 556:d5cb5c200045

The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
author cmlenz
date Tue, 03 Jul 2007 20:29:07 +0000
parents 90f5908cd10a
children 5815ad5f75a4 f0bb2c5ea0ff
--- a/genshi/filters/tests/html.py
+++ b/genshi/filters/tests/html.py
@@ -332,6 +332,8 @@
         # IE expressions in CSS not allowed
         html = HTML('<DIV STYLE=\'width: expression(alert("foo"));\'>')
         self.assertEquals(u'<div/>', unicode(html | sanitizer))
+        html = HTML('<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>')
+        self.assertEquals(u'<div/>', unicode(html | sanitizer))
         html = HTML('<DIV STYLE=\'background: url(javascript:alert("foo"));'
                                  'color: #fff\'>')
         self.assertEquals(u'<div style="color: #fff"/>',
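Review bot: The added case on the two `+` lines only shows that a comment-split property value is rejected outright; nothing in this hunk checks that comment stripping does not also destroy legitimate styles, which is the regression a sanitizer change like this most easily introduces. A companion assertion such as `html = HTML('<DIV STYLE=\'color: /* note */ #fff\'>')` followed by `self.assertEquals(u'<div style="color: #fff"/>', unicode(html | sanitizer))` would pin that behaviour; the exact whitespace in the expected string depends on how the sanitizer normalises the attribute after stripping, which is not visible here. The `url(javascript:...)` assertion that follows on the last lines of the hunk would benefit from the same comment-obfuscated variant, since the commit message claims comments are stripped anywhere in the attribute and that claim is otherwise untested. The enclosing test method starts before this hunk.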