From f3af2a1999985d44f10f392747e7fe2bfe7a51da Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Fri, 15 Mar 2013 10:17:33 -0500
Subject: [PATCH] fixed issue 1382, sanitizer accepts mailto, thanks lightdot
---
 VERSION | 2 +-
 gluon/sanitizer.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/VERSION b/VERSION
index edb52496..0e5ce3a1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.4.4-stable+timestamp.2013.03.15.10.13.48
+Version 2.4.4-stable+timestamp.2013.03.15.10.16.45
diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
index b291ee5b..18fbfd3f 100644
--- a/gluon/sanitizer.py
+++ b/gluon/sanitizer.py
@@ -66,7 +66,7 @@ class XssCleaner(HTMLParser):
 # The only schemes allowed in URLs (for href and src attributes).
 # Adding "javascript" or "vbscript" to this list would not be smart.
-self.allowed_schemes = ['http', 'https', 'ftp']
+self.allowed_schemes = ['http', 'https', 'ftp', 'mailto']
 #to strip or escape disallowed tags?
 self.strip_disallowed = strip_disallowed
@@ -151,11 +151,12 @@ class XssCleaner(HTMLParser):
 def url_is_acceptable(self, url):
 """
-Accepts relative and absolute urls
+Accepts relative, absolute, and mailto urls
 """
 parsed = urlparse(url)
 return (parsed[0] in self.allowed_schemes and '.' in parsed[1]) \
+or (parsed[0] in self.allowed_schemes and '@' in parsed[2]) \
 or (parsed[0] == '' and parsed[2].startswith('/'))
 def strip(self, rawstring, escape=True):
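Review bot: The comment above the changed line still says the list applies to "href and src attributes", but a mailto URL has no meaning as a src value, so after this change the list no longer documents one uniform policy; the enclosing method (presumably __init__) starts outside the hunk. I would extend the comment so the next reader knows the scheme list alone is not the whole check: `# The only schemes allowed in URLs (for href and src attributes); mailto is only useful for href and is further gated by url_is_acceptable.` No code change is needed in this hunk.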
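Review bot: The added clause `or (parsed[0] in self.allowed_schemes and '@' in parsed[2])` is not restricted to mailto: any scheme in allowed_schemes with an empty netloc and an '@' in the path now passes, so a constructed value such as `http:user@host` (urlparse gives scheme 'http', netloc '', path 'user@host') is accepted although the existing `'.' in parsed[1]` test was rejecting it, which silently weakens the host check for http, https and ftp. Scope the new branch to the scheme it was added for: `or (parsed[0] == 'mailto' and '@' in parsed[2]) \`. The docstring could also state the condition precisely, e.g. `Accepts relative urls, absolute urls with a dotted host, and mailto urls whose path contains an address`.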