genshi (Mercurial mirror)

diff ChangeLog @ 571:f0461dc3939a trunk
* Cleaned up the implementation of the `HTMLSanitizer`.
* The sanitizer now properly strips HTML comments.
| field | value |
|---|---|
| author | cmlenz |
| date | Tue, 17 Jul 2007 10:42:29 +0000 |
| parents | c17342ef9efb |
| children | 3014f14fc83d |
line diff
--- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ ignored tags (ticket #132). * The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values. + * The HTML sanitizer now also removes any HTML comments encountered, as those + may be used to hide malicious payloads targetting a certain "innovative" + browser that goes and interprets the content of specially prepared comments. * Attribute access in template expressions no longer silently ignores exceptions other than `AttributeError` raised in the attribute accessor.
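Review bot: the added entry in this hunk has a typo ("targetting" should be "targeting") and describes the motivation only as "a certain 'innovative' browser that goes and interprets the content of specially prepared comments", which leaves a reader of the ChangeLog unable to tell which browser and which comment syntax makes unstripped HTML comments dangerous; please name the browser and the comment form plainly and, as the preceding entry does with "(ticket #132)", cite the ticket or report this change addresses, since the two neighbouring entries together justify a behaviour change in the sanitizer that users will want to evaluate.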
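The two ChangeLog entries above describe sanitizer rules that are easy to get wrong: an HTML comment passed through verbatim can carry a payload for a browser that interprets specially prepared comments, and a CSS comment inside a `style` attribute can split a dangerous property value so that a naive blacklist never sees it. The following is an added illustration written for this page, not Genshi's `HTMLSanitizer` or any other code from the project; it is a small stdlib-only sanitizer whose two switches reproduce the weak behaviour (comments retained) beside the fixed behaviour (comments stripped). The tag and attribute whitelists, the `sanitize`/`sanitize_style` names and the dangerous-value pattern are assumptions made for the example, and the inputs are constructed payloads, the first in the conditional-comment syntax the entry alludes to.

```python
"""Added example: minimal HTML sanitizer showing why HTML comments and CSS
comments in style attributes must be stripped. Not Genshi's implementation;
names, whitelists and sample inputs are invented for illustration."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed whitelists for the example (Genshi's own lists are larger).
ALLOWED_TAGS = {"p", "b", "i", "a", "span", "div"}
ALLOWED_ATTRS = {"href", "title", "style"}

# A CSS comment: "/*" up to the nearest "*/", possibly spanning lines.
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Property values this example refuses once comments are gone.
DANGEROUS_CSS = re.compile(r"expression|javascript:|url\s*\(", re.I)


def sanitize_style(value, strip_css_comments=True):
    """Return the cleaned style value, or None if it must be dropped."""
    if strip_css_comments:
        # Remove CSS comments first so "expr/* */ession" becomes "expression"
        # before the dangerous-value check runs.
        value = CSS_COMMENT.sub("", value)
    if DANGEROUS_CSS.search(value):
        return None
    return value


class _Sanitizer(HTMLParser):
    def __init__(self, strip_html_comments, strip_css_comments):
        super().__init__(convert_charrefs=True)
        self.strip_html_comments = strip_html_comments
        self.strip_css_comments = strip_css_comments
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed element: drop the tag (its text still passes, escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue
            if name == "style":
                value = sanitize_style(value, self.strip_css_comments)
                if value is None:
                    continue  # drop the whole attribute rather than part of it
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        # Weak behaviour: re-emit the comment verbatim. Anything inside it,
        # including markup, reaches the browser untouched by the whitelist.
        if not self.strip_html_comments:
            self.out.append("<!--%s-->" % data)
        # Fixed behaviour: comments are simply dropped.


def sanitize(html, strip_html_comments=True, strip_css_comments=True):
    parser = _Sanitizer(strip_html_comments, strip_css_comments)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample inputs (not taken from any real report).
COMMENT_PAYLOAD = '<p>hi<!--[if IE]><script>alert(1)</script><![endif]--></p>'
STYLE_PAYLOAD = '<span style="width: expr/* */ession(alert(1))">x</span>'

if __name__ == "__main__":
    for label, html, kwargs in [
        ("comments kept  ", COMMENT_PAYLOAD, {"strip_html_comments": False}),
        ("comments strip ", COMMENT_PAYLOAD, {}),
        ("css kept       ", STYLE_PAYLOAD, {"strip_css_comments": False}),
        ("css strip      ", STYLE_PAYLOAD, {}),
    ]:
        print(label, sanitize(html, **kwargs))
```

With both switches on, the first payload reduces to `<p>hi</p>` and the second to `<span>x</span>`; with either switch off, the corresponding payload passes through unchanged, because the whitelist never inspects comment content and the value check never sees the reassembled `expression(...)`.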