CommentCleaner letting nasty JS through #1

Closed
cjw296 opened this Issue Apr 27, 2011 · 0 comments


cjw296 commented Apr 27, 2011

```python
from htmllaundry import sanitize
from htmllaundry.cleaners import CommentCleaner
from testfixtures import compare
from unittest import TestCase


def safe_html(text):
    return sanitize(text, CommentCleaner)


class TestSafeHTML(TestCase):
    def test_evil(self):
        # XXX - looks like htmllaundry doesn't sanitize!
        # The expected value below is what sanitize() currently returns:
        # the broken markup is rebalanced, but the javascript: href is kept.
        compare(
            '<strong><a href="javascript:alert(" rel="nofollow" target="_blank">out</a></strong>',
            safe_html(
                '<strong hello</strong><a href="javascript:alert("evil")">out</a>')
            )
```
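A post-sanitization check for the kind of output shown in this issue, added here as an example and not part of htmllaundry or the reporter's test: it parses the HTML a sanitizer returns and reports every href/src whose scheme is not on an allowlist, normalising case, whitespace and entity encoding the way a browser does before reading the scheme. The sample strings are constructed for the example (the first one is the sanitizer output quoted above).

```python
import re
from html.parser import HTMLParser

# Schemes a sanitized document may link to; javascript:, data:, vbscript:
# and anything else not listed here is reported.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}
# A scheme is ASCII alpha, then alnum / "+" / "-" / ".", then a colon.
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def url_scheme(value):
    # Mirror WHATWG URL parsing: strip leading/trailing C0 controls and spaces,
    # drop tab/CR/LF anywhere ("Java\tscript:" is still javascript); None = relative.
    cleaned = value.strip(C0_AND_SPACE)
    cleaned = cleaned.replace("\t", "").replace("\n", "").replace("\r", "")
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None

class UnsafeUrlFinder(HTMLParser):
    # Collects (tag, attribute, value) for every URL attribute with a disallowed
    # scheme. HTMLParser decodes entities in attribute values, so &#106;avascript: is seen.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRIBUTES and value:
                scheme = url_scheme(value)
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, value))

def unsafe_urls(html_text):
    # Run the check over sanitizer output; an empty list means clean.
    finder = UnsafeUrlFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed samples: the sanitizer output quoted in the issue, then variants.
SAMPLES = {
    "issue_output": '<strong><a href="javascript:alert(" rel="nofollow" '
                    'target="_blank">out</a></strong>',
    "tab_and_case": '<a href="Java\tscript:alert(1)">x</a>',
    "entity_encoded": '<a href="&#106;avascript:alert(1)">x</a>',
    "benign": '<a href="https://example.com/?q=javascript:x">ok</a><img src="/logo.png">',
}
```

Running `unsafe_urls(SAMPLES["issue_output"])` reports the `javascript:alert(` href that the sanitizer let through, while the benign sample comes back empty.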

@ghost ghost assigned wichert Apr 27, 2011

@wichert wichert closed this in 66fd59a Apr 27, 2011
