Limited number of protocols whitelisted by default and added document…

…ation.
DataDog · Feb 29, 2016 · 303359e · 303359e
1 parent d5b87f9
commit 303359e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/bleach/__init__.py b/bleach/__init__.py
@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 
 from __future__ import unicode_literals
-import copy
 import logging
 import re
 
@@ -44,7 +43,7 @@
 
 ALLOWED_STYLES = []
 
-ALLOWED_PROTOCOLS = copy.copy(HTMLSanitizer.acceptable_protocols)
+ALLOWED_PROTOCOLS = ['http', 'https', 'mailto']
 
 TLDS = """ac ad ae aero af ag ai al am an ao aq ar arpa as asia at au aw ax az
        ba bb bd be bf bg bh bi biz bj bm bn bo br bs bt bv bw by bz ca cat

diff --git a/docs/clean.rst b/docs/clean.rst
@@ -92,6 +92,21 @@ For example, to allow users to set the color and font-weight of text::
     cleaned_text = bleach.clean(text, tags, attrs, styles)
 
 
+Protocol Whitelist
+==================
+
+If you allow tags that have attributes containing a URI value (like the ``href``
+attribute of an anchor tag, you may want to adapt the accepted protocols. The
+default list only allows ``http``, ``https`` and ``mailto``.
+
+For example, to allow the smb protocol as well::
+
+    >>> html = '<a href="smb://more_text">allowed protocol</a>'
+
+    >>> bleach.clean(html, protocols=['http', 'https', 'mailto', 'smb'])
+    u'<a href="smb://more_text">allowed protocol</a>'
+
+
 Stripping Markup
 ================