CommentCleaner letting nasty JS through #1

Closed
cjw296 opened this Issue Apr 27, 2011 · 0 comments

@cjw296
cjw296 commented Apr 27, 2011
from htmllaundry import sanitize
from htmllaundry.cleaners import CommentCleaner
from testfixtures import compare
from unittest import TestCase


def safe_html(text):
    # Run the input through htmllaundry with the CommentCleaner profile.
    return sanitize(text, CommentCleaner)


class TestSafeHTML(TestCase):
    def test_evil(self):
        # XXX - looks like htmllaundry doesn't sanitize!
        # First argument: the output htmllaundry currently produces for the
        # broken markup below. The javascript: href is still present.
        compare(
            '<strong><a href="javascript:alert(" rel="nofollow" target="_blank">out</a></strong>',
            safe_html(
                '<strong hello</strong><a href="javascript:alert("evil")">out</a>')
            )
@wichert wichert was assigned Apr 27, 2011
@wichert wichert closed this in 66fd59a Apr 27, 2011
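The report above shows the core failure: the parser recovered from the broken `<strong hello</strong>` and the mismatched quotes, but the `javascript:` scheme in `href` was never checked and came out the other side. The example below is an added illustration, written for this page and not code from htmllaundry or its fix, of the scheme check a sanitizer needs on URL-bearing attributes. It uses Python's standard `html.parser` to re-serialise a fragment, dropping `href`/`src`-style attributes whose scheme is not allow-listed; the attribute set `URL_ATTRS`, the scheme list `SAFE_SCHEMES` and the function names are assumptions of this example. It also discards the junk attribute names that error recovery produces (the `evil")"` attribute from the issue's input) instead of echoing them back out.

```python
"""Scheme check for URL attributes, illustrating the hole the issue describes.

Added example for this page; it is not htmllaundry's code.
"""
import re
from html import escape
from html.parser import HTMLParser

# Attributes that carry URLs and must be scheme-checked (assumed set).
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Schemes allowed in those attributes; a URL with no scheme (relative or
# protocol-relative) is also allowed. Assumed allow-list.
SAFE_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
# Tag and attribute names we are willing to re-serialise. Anything else is
# parser-recovery junk (e.g. the 'evil")"' attribute from the issue's input)
# and is dropped rather than echoed back into the output.
NAME_RE = re.compile(r"[a-z_:][a-z0-9_:.\-]*\Z")


def is_safe_url(value):
    """True if the URL may be emitted, False if the attribute must go."""
    # Browsers ignore leading/trailing C0 controls and spaces and strip
    # embedded tab/CR/LF before reading the scheme, so "java\tscript:" and
    # " JavaScript:" both execute. Removing every char <= 0x20 before
    # matching is slightly stricter than a browser but never more permissive.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    m = SCHEME_RE.match(cleaned)
    if m is None:
        return True  # no scheme: relative URL, harmless for this check
    return m.group(1).lower() in SAFE_SCHEMES


class UrlAttrSanitizer(HTMLParser):
    """Re-serialises markup, dropping URL attributes with unsafe schemes.

    Comments, declarations and processing instructions disappear because the
    base class's handlers for them are no-ops. This is only the scheme-check
    piece of a sanitizer: it does not allow-list tags or strip event-handler
    attributes such as onclick.
    """

    def __init__(self):
        # convert_charrefs=True means the parser hands us decoded attribute
        # values, so "&#106;avascript:" arrives here as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr, value) for every rejected URL

    def _render_start(self, tag, attrs, close):
        if not NAME_RE.match(tag):
            return  # garbage tag name from error recovery: emit nothing
        parts = [tag]
        for name, value in attrs:
            if not NAME_RE.match(name):
                continue  # junk attribute name, e.g. 'evil")"'
            if name in URL_ATTRS and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                parts.append(name)
            else:
                # Re-escape on the way out; the parser gave us decoded text.
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + close)

    def handle_starttag(self, tag, attrs):
        self._render_start(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        self._render_start(tag, attrs, " />")

    def handle_endtag(self, tag):
        if NAME_RE.match(tag):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_urls(markup):
    """Return (cleaned_markup, dropped) for an HTML fragment."""
    parser = UrlAttrSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed inputs, the last one being the fragment from the report.
    samples = [
        '<a href="javascript:alert(1)">x</a>',
        '<a href=" JavaScript:alert(1)">x</a>',
        '<a href="java\tscript:alert(1)">x</a>',
        '<a href="&#106;avascript:alert(1)">x</a>',
        '<a href="https://example.com/?q=1&amp;r=2">ok</a>',
        '<strong hello</strong><a href="javascript:alert("evil")">out</a>',
    ]
    for s in samples:
        cleaned, dropped = sanitize_urls(s)
        print(repr(s), "->", repr(cleaned), dropped)
```

The point of checking the scheme on the decoded, whitespace-stripped value rather than on the raw attribute text is that the parser, not the sanitizer, decides what the browser will see: entity-encoded or tab-split `javascript:` reaches the handler already normalised. Exact output for the malformed input depends on the parser's recovery rules and differs between html.parser and lxml, which htmllaundry uses; what must hold regardless is that no `javascript:` URL survives.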