
fix bug 801046: Strip HTML comments from rendered wiki content

1 parent da61c71 commit ddd05121b238a87f8be6b8979f66b20dca934b6f @lmorchard lmorchard committed Mar 26, 2013
Showing with 16 additions and 2 deletions.
  1. +1 −2 apps/wiki/models.py
  2. +15 −0 apps/wiki/tests/test_content.py
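--- a/apps/wiki/models.py
+++ b/apps/wiki/models.py
@@ -374,8 +374,7 @@ def clean_content(self, content_in, use_constance_bleach_whitelists=False):
 styles = ALLOWED_STYLES
 out = bleach.clean(out, attributes=attributes, tags=tags,
- styles=styles, strip_comments=False,
- skip_gauntlet=True)
+ styles=styles, skip_gauntlet=True)
 return out
 def get_by_natural_key(self, locale, slug):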
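Review bot: The `bleach.clean(...)` call in `clean_content` now depends on the library's default for `strip_comments` instead of stating it, so the security-relevant setting is invisible at the call site and would change silently if the bundled bleach's default ever differed. I would pass it explicitly with the reason, `styles=styles, strip_comments=True,  # bug 801046: HTML comments must not reach rendered output`, followed by `skip_gauntlet=True)`. `skip_gauntlet=True` is still passed, and what it bypasses is not visible in this hunk, so it is worth confirming that comment stripping does not depend on the skipped stage. The body of `clean_content` starts above the hunk.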
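--- a/apps/wiki/tests/test_content.py
+++ b/apps/wiki/tests/test_content.py
@@ -777,6 +777,21 @@ def test_allowed_attributes(self):
 eq_(html_str, bleach.clean(html_str, attributes=ALLOWED_ATTRIBUTES,
 tags=ALLOWED_TAGS))
+ def test_stripped_ie_comment(self):
+ """bug 801046: strip IE conditional comments"""
+ content = """
+ <p>Hi there.</p>
+ <!--[if]><script>alert(1)</script -->
+ <!--[if<img src=x onerror=alert(2)//]> -->
+ <p>Goodbye</p>
+ """
+ expected = """
+ <p>Hi there.</p>
+ <p>Goodbye</p>
+ """
+ result = Document.objects.clean_content(content)
+ eq_(normalize_html(expected), normalize_html(result))
+
 class GetSEODescriptionTests(TestCase):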
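Review bot: `test_stripped_ie_comment` only compares `normalize_html(expected)` with `normalize_html(result)`, so it proves the fix only if `normalize_html` leaves comments intact. That helper is not visible here, and if it drops or rewrites comments the test could pass without the change in models.py. Assert on the raw output as well, for example `assert '<!--' not in result` and `assert 'onerror' not in result`. The test also covers only the default path; a second call with `use_constance_bleach_whitelists=True` and one ordinary `<!-- note -->` comment would cover the other branch of `clean_content` and the plain case.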
