changeset 556:0d98569eaced trunk
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
author | cmlenz |
---|---|
date | Tue, 03 Jul 2007 20:29:07 +0000 |
parents | 489a47873950 |
children | da4d817dc225 |
files | ChangeLog genshi/filters/html.py genshi/filters/tests/html.py |
diffstat | 3 files changed, 12 insertions(+), 1 deletions(-) [+] |
--- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,8 @@ it is not available for use through configuration files. * The I18n filter now extracts messages from gettext functions even inside ignored tags (ticket #132). + * The HTML sanitizer now strips any CSS comments in style attributes, which + could previously be used to hide malicious property values. Version 0.4.2
--- a/genshi/filters/html.py
+++ b/genshi/filters/html.py
@@ -285,7 +285,9 @@
 elif attr == 'style':
 # Remove dangerous CSS declarations from inline styles
 decls = []
- value = self._replace_unicode_escapes(value)
+ value = self._strip_css_comments(
+ self._replace_unicode_escapes(value)
+ )
 for decl in filter(None, value.split(';')):
 is_evil = False
 if 'expression' in decl:
@@ -322,3 +324,8 @@
 def _repl(match):
 return unichr(int(match.group(1), 16))
 return self._UNICODE_ESCAPE(_repl, self._NORMALIZE_NEWLINES('\n', text))
+
+ _CSS_COMMENTS = re.compile(r'/\*.*?\*/').sub
+
+ def _strip_css_comments(self, text):
+ return self._CSS_COMMENTS('', text)
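Review bot: The comment-stripping pattern `re.compile(r'/\*.*?\*/')` in the second hunk is compiled without `re.DOTALL`, so `.` stops at a newline and a comment containing a line break is left in the style value, which means the `'expression' in decl` check visible in the first hunk still sees the comment-split token rather than the word. This presumably matters because `_NORMALIZE_NEWLINES`, defined outside the hunk, appears to normalize line endings to `\n` rather than remove them — worth confirming against its definition. I would compile the pattern as `_CSS_COMMENTS = re.compile(r'/\*.*?\*/', re.DOTALL).sub` and extend the new case in genshi/filters/tests/html.py with a comment that spans a newline. A one-line docstring on `_strip_css_comments`, e.g. `"""Remove /* ... */ comments from an inline CSS declaration string."""`, would also make the sanitizing purpose of the helper clear at its definition. The `elif attr == 'style'` branch in the first hunk belongs to a function that starts and ends outside the hunk.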
--- a/genshi/filters/tests/html.py
+++ b/genshi/filters/tests/html.py
@@ -332,6 +332,8 @@
 # IE expressions in CSS not allowed
 html = HTML('<DIV STYLE=\'width: expression(alert("foo"));\'>')
 self.assertEquals(u'<div/>', unicode(html | sanitizer))
+ html = HTML('<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>')
+ self.assertEquals(u'<div/>', unicode(html | sanitizer))
 html = HTML('<DIV STYLE=\'background: url(javascript:alert("foo"));'
 'color: #fff\'>')
 self.assertEquals(u'<div style="color: #fff"/>',