Mercurial > genshi > genshi-test
diff genshi/filters/tests/html.py @ 556:d5cb5c200045
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
author | cmlenz |
---|---|
date | Tue, 03 Jul 2007 20:29:07 +0000 |
parents | 90f5908cd10a |
children | 5815ad5f75a4 f0bb2c5ea0ff |
line wrap: on
line diff
--- a/genshi/filters/tests/html.py +++ b/genshi/filters/tests/html.py @@ -332,6 +332,8 @@ # IE expressions in CSS not allowed html = HTML('<DIV STYLE=\'width: expression(alert("foo"));\'>') self.assertEquals(u'<div/>', unicode(html | sanitizer)) + html = HTML('<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>') + self.assertEquals(u'<div/>', unicode(html | sanitizer)) html = HTML('<DIV STYLE=\'background: url(javascript:alert("foo"));' 'color: #fff\'>') self.assertEquals(u'<div style="color: #fff"/>',