[FIX] core: tools.html_sanitize: allow svg images

Christophe Simonis 2015-09-11 16:42:47 +02:00
parent 1a8569095e
commit 35233dbbe2
1 changed files with 7 additions and 1 deletions


@ -54,6 +54,12 @@ safe_attrs = clean.defs.safe_attrs | frozenset(
])
class _Cleaner(clean.Cleaner):
def allow_element(self, el):
if el.tag == 'object' and el.get('type') == "image/svg+xml":
return True
return super(_Cleaner, self).allow_element(el)
def html_sanitize(src, silent=True, strict=False, strip_style=False):
if not src:
return src
@ -99,7 +105,7 @@ def html_sanitize(src, silent=True, strict=False, strip_style=False):
try:
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
cleaner = clean.Cleaner(**kwargs)
cleaner = _Cleaner(**kwargs)
cleaned = cleaner.clean_html(src)
# MAKO compatibility: $, { and } inside quotes are escaped, preventing correct mako execution
cleaned = cleaned.replace('%24', '$')
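Review bot: The `type` attribute tested in `_Cleaner.allow_element` is supplied by the untrusted document and is only a rendering hint, so it says nothing about what the `<object>` will actually load; that is decided by its `data` URL and the server's response, and an SVG embedded via `<object>` (unlike via `<img>`) is rendered as a document whose scripts run in the embedding origin when it is served from the same site. The override also returns `True` before delegating, so whatever the base `Cleaner` would have decided for `object` elements is bypassed for this case. Consider also requiring `data` to point at a vetted location, e.g. `data = el.get('data') or ''` and `if el.tag == 'object' and el.get('type') == "image/svg+xml" and data.startswith(ALLOWED_URL_PREFIX_PLACEHOLDER): return True` (placeholder for the project's trusted path), and add a comment such as `# <object> is needed here rather than <img>; embedded SVG can carry script, so the data URL is restricted`. Whether `data` survives the attribute filter (`safe_attrs` is extended just above the hunk) is not visible in this section, so that should be checked as well.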