[Erp5-report] r36540 nicolas - /erp5/trunk/products/PortalTransforms/transforms/safe_html.py

nobody at svn.erp5.org
Wed Jun 23 15:48:25 CEST 2010


Author: nicolas
Date: Wed Jun 23 15:48:25 2010
New Revision: 36540

URL: http://svn.erp5.org?rev=36540&view=rev
Log:
Strip out meta tags with http-equiv attribute if
http header is not allowed like "content-type".

Modified:
    erp5/trunk/products/PortalTransforms/transforms/safe_html.py

Modified: erp5/trunk/products/PortalTransforms/transforms/safe_html.py
URL: http://svn.erp5.org/erp5/trunk/products/PortalTransforms/transforms/safe_html.py?rev=36540&r1=36539&r2=36540&view=diff
==============================================================================
--- erp5/trunk/products/PortalTransforms/transforms/safe_html.py [utf8] (original)
+++ erp5/trunk/products/PortalTransforms/transforms/safe_html.py [utf8] Wed Jun 23 15:48:25 2010
@@ -73,6 +73,15 @@ msg_pat = """
 %s</d>
 """
 
+# we inconditionally remove all meta tags with http-equiv
+# except for content-type, because:
+# * refresh can redirect;
+# * set-cookie expose confidential data;
+# * www-authenticate can disturb authentication on portal;
+# * expires can disbale caching features
+# * ...
+ALLOWED_HTTP_EQUIV_VALUE_LIST = ('content-type',)
+
 def hasScript(s):
    """
    >>> hasScript('script:evil(1);')
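Review bot: the new comment block introducing ALLOWED_HTTP_EQUIV_VALUE_LIST has several typos that should be fixed before this lands: "inconditionally" should be "unconditionally", "disbale" should be "disable", and "set-cookie expose" should read "set-cookie exposes". It would also help to say in the comment that the tuple is matched against the lower-cased http-equiv value (see the `v.lower() not in ALLOWED_HTTP_EQUIV_VALUE_LIST` check in StrippingParser below), so any entry added later must be written in lower case or it will never match.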
@@ -172,6 +181,11 @@ class StrippingParser(HTMLParser):
         """
         if self.suppress: return
 
+        if tag.lower() == 'meta':
+          for k, v in attrs:
+            if k.lower() == 'http-equiv' and v.lower() not in\
+                                                 ALLOWED_HTTP_EQUIV_VALUE_LIST:
+              return
         if self.valid.has_key(tag):
             self.result.append('<' + tag)
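Review bot: `v.lower()` in the new `http-equiv` check will raise an AttributeError when the attribute carries no value (HTMLParser passes None as the value of a bare `<meta http-equiv>`), so a malformed tag turns into a transform failure instead of a stripped tag. Writing the condition as `k.lower() == 'http-equiv' and (v or '').lower() not in ALLOWED_HTTP_EQUIV_VALUE_LIST` keeps the fail-closed behaviour (a valueless http-equiv is not in the allowed list and the tag is dropped) without the crash. Two style points on the same lines: the added block is indented by two spaces inside a method that uses four (compare `if self.valid.has_key(tag):` directly below), and the backslash continuation that pushes `ALLOWED_HTTP_EQUIV_VALUE_LIST` to the far right is hard to read; reindent to four spaces and wrap the condition in parentheses instead of the backslash.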
 



