From b2401a5923727f478c70c7c0d8d5ff8c41fcdbdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonel=20C=C3=A2mara?=
Date: Sat, 18 Oct 2014 12:37:32 +0100
Subject: [PATCH 1/2] Fix for sanitize(''') returning '&#x27;' instead of '''
---
 gluon/sanitizer.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
index a85b256a..5bd46625 100644
--- a/gluon/sanitizer.py
+++ b/gluon/sanitizer.py
@@ -10,8 +10,7 @@ Cross-site scripting (XSS) defense
 -----------------------------------
 """
-
-from htmllib import HTMLParser
+from HTMLParser import HTMLParser
 from cgi import escape
 from urlparse import urlparse
 from formatter import AbstractFormatter
@@ -48,11 +47,10 @@ class XssCleaner(HTMLParser):
 ],
 allowed_attributes={'a': ['href', 'title'], 'img': ['src', 'alt'
 ], 'blockquote': ['type']},
-fmt=AbstractFormatter,
 strip_disallowed=False
 ):
-HTMLParser.__init__(self, fmt)
+HTMLParser.__init__(self)
 self.result = ''
 self.open_tags = []
 self.permitted_tags = [i for i in permitted_tags if i[-1] != '/']
@@ -77,7 +75,7 @@ class XssCleaner(HTMLParser):
 def handle_charref(self, ref):
 if self.in_disallowed:
 return
-elif len(ref) < 7 and ref.isdigit():
+elif len(ref) < 7 and (ref.isdigit() or ref == 'x27'): # x27 is a special case for apostrophe
 self.result += '&#%s;' % ref
 else:
 self.result += xssescape('&#%s' % ref)
From f10b1b93a9414a8ddeb7f2591b5b5eb9c6aaf9cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonel=20C=C3=A2mara?=
Date: Sat, 18 Oct 2014 13:05:27 +0100
Subject: [PATCH 2/2] fixed remaining methods in HTMLParser that were still using the old htmllib.HTMLParser interface
---
 gluon/sanitizer.py | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
index 5bd46625..728c4bee 100644
--- a/gluon/sanitizer.py
+++ b/gluon/sanitizer.py
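Review bot: The parser swap on the `+from HTMLParser import HTMLParser` line changes the failure mode on malformed markup, which is the only kind of input a sanitizer can count on: `HTMLParser.HTMLParser` raises `HTMLParseError` on some broken declarations (`<!...>`) and, on 2.7 releases before 2.7.3, on much more (junk inside a start tag, EOF in the middle of a construct), so whatever feeds the cleaner — not visible in this hunk, presumably this module's `sanitize()` — must catch `HTMLParseError` and fail closed by returning the fully escaped input rather than letting user content surface an exception. The new parser also hands the bodies of `<script>` and `<style>` to `handle_data` unparsed (CDATA mode), so unless `in_disallowed` is set for those tags, the escaping done in `handle_data` is what neutralizes them; that method is outside this patch and worth re-reading with that in mind. I would record both facts in the module docstring, e.g. `HTMLParser.HTMLParser lowercases tag/attribute names, entity-decodes attribute values, delivers script/style content raw to handle_data, and may raise HTMLParseError — callers must fail closed.`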
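Review bot: Dropping `fmt` from `__init__` is a signature break — a caller still passing the htmllib-era formatter, positionally or as `fmt=`, now raises TypeError — and it leaves `from formatter import AbstractFormatter`, which the preceding hunk keeps, as an unused import. If anything outside this file constructs `XssCleaner` directly (I cannot tell from the patch), keep an ignored `fmt=None,  # unused since the move to HTMLParser; kept for compatibility` in the parameter list; otherwise remove the `formatter` import together with the parameter so the dead dependency does not linger. The constructor also has no docstring; one stating that `permitted_tags` and `allowed_attributes` are whitelists (anything not listed is treated as disallowed) and pointing to `handle_starttag` for what `strip_disallowed` does with the rest would help the next reader.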
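Review bot: The special case on the `+elif` line matches only the lowercase spelling, so `&#X27;`, which HTMLParser reports through `handle_charref` just the same (its charref pattern accepts `[xX][0-9a-fA-F]+`), is still turned into `&amp;#X27;`; and `ref.isdigit()` is true for non-ASCII digits when `ref` is unicode (`u'\xb2'.isdigit()`), so a malformed `&#²;` passes through. HTMLParser only dispatches `handle_charref` for references in text data (attribute values are decoded internally), where a numeric reference renders as one literal character whatever its value, so a general ASCII rule is as safe as the one-off and fixes both problems: define `_CHARREF = re.compile(r'^(?:[0-9]{1,6}|[xX][0-9a-fA-F]{1,5})$')` at module level (adding `import re`) and make the branch `elif _CHARREF.match(ref):`. The inline comment then becomes unnecessary, which also brings the line back under 79 columns.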
@@ -97,8 +97,7 @@ class XssCleaner(HTMLParser):
 def handle_starttag(
 self,
 tag,
-method,
-attrs,
+attrs
 ):
 if tag not in self.permitted_tags:
 if self.strip_disallowed:
@@ -128,7 +127,7 @@ class XssCleaner(HTMLParser):
 self.result += bt
 self.open_tags.insert(0, tag)
-def handle_endtag(self, tag, attrs):
+def handle_endtag(self, tag):
 bracketed = '' % tag
 if tag not in self.permitted_tags:
 if self.strip_disallowed:
@@ -139,12 +138,6 @@ class XssCleaner(HTMLParser):
 self.result += bracketed
 self.open_tags.remove(tag)
-def unknown_starttag(self, tag, attributes):
-self.handle_starttag(tag, None, attributes)
-
-def unknown_endtag(self, tag):
-self.handle_endtag(tag, None)
-
 def url_is_acceptable(self, url):
 """
 Accepts relative, absolute, and mailto urls
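Review bot: With `HTMLParser.HTMLParser`, the `attrs` now received by `handle_starttag` carries `None` as the value of a valueless attribute (`<a href>`), where sgmllib supplied the attribute name, so any code in the body — which continues outside this hunk — that passes the value to `url_is_acceptable` or quotes it for output must now tolerate `None`. Normalizing at the top of the method, `attrs = [(name, '' if value is None else value) for name, value in attrs]`, keeps the rest of the body unchanged; alternatively drop such attributes outright. It is also worth recording in the method's docstring that HTMLParser has already lowercased the tag and attribute names and entity-decoded the attribute values, so `url_is_acceptable` sees `javascript:` rather than `javascript&#58;` — that is what makes the scheme check meaningful.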
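Review bot: The new `handle_endtag(self, tag)` is also reached for self-closing syntax, because HTMLParser's default `handle_startendtag` forwards `<img ... />` to `handle_starttag` and then to `handle_endtag`, so a permitted void tag can leave a stray `</img>` in `self.result` and, if the branch containing `self.open_tags.remove(tag)` is not guarded by a membership test (that condition lies outside the hunk), a ValueError for a tag never pushed or for a stray `</b>`. Overriding `def handle_startendtag(self, tag, attrs): self.handle_starttag(tag, attrs)` leaves the start-tag path in charge of self-closing output, and `if tag in self.open_tags:` before the remove makes unmatched closers harmless. Separately, `bracketed = '' % tag` as displayed looks like the `</%s>` literal was lost in rendering rather than in the commit; worth confirming against the raw file.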