pombreda / feedparser

Automatically exported from code.google.com/p/feedparser

html sanitizer doesn't strip unsafe uri schemes #255

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

... Another 'sanitisation' issue :/ :
If I had the following inside a 'html' content tag:
<a href="javascript:alert(1)">

It will end up like this:
<a href="javascript:alert(1)">

Original issue reported on code.google.com by db.pub.m...@gmail.com on 18 Feb 2011 at 11:59

GoogleCodeExporter commented 9 years ago
Great catch! This should be a simple fix, and I expect I can create a patch 
sometime tomorrow evening. I should be able to merge the patches into svn trunk 
later this weekend as well.

Original comment by kurtmckee on 19 Feb 2011 at 8:26

GoogleCodeExporter commented 9 years ago
This is fixed in revision 374.

Original comment by kurtmckee on 20 Feb 2011 at 8:52
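
An added example, not feedparser's code and not the change made in revision 374: one way to drop `href`/`src` attributes whose URI scheme is not on an allowlist, applied to the input from the report. The names `SAFE_SCHEMES`, `URI_ATTRS`, `uri_is_safe`, `UriAttrFilter` and `strip_unsafe_uris`, and the allowlist contents, are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; feedparser's own list is not shown in the thread.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}
URI_ATTRS = {"href", "src"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def uri_is_safe(value):
    """True for relative references and for URIs whose scheme is allowlisted."""
    # Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
    # characters and spaces, so normalise the same way before checking.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(C0_AND_SPACE)
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True  # no scheme: relative reference
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES

class UriAttrFilter(HTMLParser):
    """Re-serialises a fragment, dropping URI attributes with unsafe schemes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # attrs arrive entity-decoded, so "&#106;avascript:" is seen as "javascript:".
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name in URI_ATTRS and not uri_is_safe(value):
                continue
            parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def strip_unsafe_uris(fragment):
    parser = UriAttrFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # The input from the report above.
    print(strip_unsafe_uris('<a href="javascript:alert(1)">link</a>'))
```

This filters URI attributes only; a complete sanitizer also restricts which tags and attributes are allowed at all.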
