[FIX] core: tools.html_sanitize: allow svg images
parent
1a8569095e
commit
35233dbbe2
|
@ -54,6 +54,12 @@ safe_attrs = clean.defs.safe_attrs | frozenset(
|
||||||
])
|
])
|
||||||
|
|
||||||
|
|
||||||
|
class _Cleaner(clean.Cleaner):
|
||||||
|
def allow_element(self, el):
|
||||||
|
if el.tag == 'object' and el.get('type') == "image/svg+xml":
|
||||||
|
return True
|
||||||
|
return super(_Cleaner, self).allow_element(el)
|
||||||
|
|
||||||
def html_sanitize(src, silent=True, strict=False, strip_style=False):
|
def html_sanitize(src, silent=True, strict=False, strip_style=False):
|
||||||
if not src:
|
if not src:
|
||||||
return src
|
return src
|
||||||
|
@ -99,7 +105,7 @@ def html_sanitize(src, silent=True, strict=False, strip_style=False):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
|
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
|
||||||
cleaner = clean.Cleaner(**kwargs)
|
cleaner = _Cleaner(**kwargs)
|
||||||
cleaned = cleaner.clean_html(src)
|
cleaned = cleaner.clean_html(src)
|
||||||
# MAKO compatibility: $, { and } inside quotes are escaped, preventing correct mako execution
|
# MAKO compatibility: $, { and } inside quotes are escaped, preventing correct mako execution
|
||||||
cleaned = cleaned.replace('%24', '$')
|
cleaned = cleaned.replace('%24', '$')
|
||||||
|
|
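Review bot: `_Cleaner.allow_element` answers `True` for any `<object type="image/svg+xml">` without looking at the `data` URL, so the element is kept whatever it points at; the base lxml `allow_element` for `object` runs that URL through `allow_embedded_url` (scheme and `host_whitelist` check), and this override skips that entirely, so a remote SVG from any host now survives sanitisation, and an SVG document loaded in an `<object>` can carry script. The `type` attribute is also attacker-controlled and only advisory to the browser, so the match does not constrain what is actually loaded. A narrower override keeps the SVG intent but still gates the target, e.g. `url = el.get('data')` followed by `return bool(url) and self.allow_embedded_url(el, url)` in place of `return True`, with the hosts that may serve the images added to `host_whitelist`; whether `data` is even in the `safe_attrs` extended at line 54 is not visible in the hunk, and the second hunk (`cleaner = _Cleaner(**kwargs)`) sits inside `html_sanitize`, whose body continues outside the hunk. A docstring on `allow_element` stating that it deliberately widens the default embedded-content policy and for which URLs would help the next reader.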