Commit 302fcc1a authored by Nicolas Delaby's avatar Nicolas Delaby

Strip out meta tags with http-equiv attribute if

http header is not one of the allowed ones, like "content-type".


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36540 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent aae52915
...@@ -73,6 +73,15 @@ msg_pat = """ ...@@ -73,6 +73,15 @@ msg_pat = """
%s</d> %s</d>
""" """
# we inconditionally remove all meta tags with http-equiv
# except for content-type, because:
# * refresh can redirect;
# * set-cookie expose confidential data;
# * www-authenticate can disturb authentication on portal;
# * expires can disbale caching features
# * ...
ALLOWED_HTTP_EQUIV_VALUE_LIST = ('content-type',)
def hasScript(s): def hasScript(s):
""" """
>>> hasScript('script:evil(1);') >>> hasScript('script:evil(1);')
...@@ -172,6 +181,11 @@ class StrippingParser(HTMLParser): ...@@ -172,6 +181,11 @@ class StrippingParser(HTMLParser):
""" """
if self.suppress: return if self.suppress: return
if tag.lower() == 'meta':
for k, v in attrs:
if k.lower() == 'http-equiv' and v.lower() not in\
ALLOWED_HTTP_EQUIV_VALUE_LIST:
return
if self.valid.has_key(tag): if self.valid.has_key(tag):
self.result.append('<' + tag) self.result.append('<' + tag)
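Review bot: `v.lower()` in the new meta-tag check raises AttributeError when the attribute carries no value, because HTMLParser reports a valueless attribute such as `<meta http-equiv>` with `v` set to None, so untrusted markup being sanitised can trigger an unhandled exception here depending on how callers handle it. Treating a missing value as not allowed keeps the deny-by-default intent of the check: `if k.lower() == 'http-equiv' and (v or '').strip().lower() not in\` followed by `ALLOWED_HTTP_EQUIV_VALUE_LIST:`. The `.strip()` is purely defensive against whitespace-padded values; whether browsers honour such a padded header name is not something this hunk establishes. The signature of the enclosing method lies before the hunk, so the surrounding control flow was not reviewed. Separately, the comment added in the first hunk has two typos, `inconditionally` and `disbale`.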