2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/6ce661b68417/ changeset: 6ce661b68417 user: dannon date: 2011-12-06 14:01:06 summary: Small patch to sanitizer to remove javascript content from sanitized anchors. affected #: 1 file
diff -r 35fee32991ce5463d79ce278cb3a9c1155e8982f -r 6ce661b68417f81727c0f23aa8fb5d2769a8c502 lib/galaxy/util/sanitize_html.py
--- a/lib/galaxy/util/sanitize_html.py
+++ b/lib/galaxy/util/sanitize_html.py
@@ -373,7 +373,9 @@
 clean_attrs = []
 for key, value in self.normalize_attrs(attrs):
- if key in acceptable_attributes:
+ if key=="href" and value.startswith("javascript"):
+ pass
+ elif key in acceptable_attributes:
 key=keymap.get(key,key)
 clean_attrs.append((key,value))
 elif key=='style':
@@ -436,4 +438,4 @@
 p.feed(htmlSource)
 data = p.output()
 data = data.strip().replace('\r\n', '\n')
- return data
\ No newline at end of file
+ return data
https://bitbucket.org/galaxy/galaxy-central/changeset/43326a266e8e/ changeset: 43326a266e8e user: dannon date: 2011-12-06 14:08:16 summary: Small tweak on patch, strip first to prevent whitespace loophole. affected #: 1 file
diff -r 6ce661b68417f81727c0f23aa8fb5d2769a8c502 -r 43326a266e8eb5818c695c235df82a025a3b6893 lib/galaxy/util/sanitize_html.py
--- a/lib/galaxy/util/sanitize_html.py
+++ b/lib/galaxy/util/sanitize_html.py
@@ -373,7 +373,7 @@
 clean_attrs = []
 for key, value in self.normalize_attrs(attrs):
- if key=="href" and value.startswith("javascript"):
+ if key=="href" and value.strip().startswith("javascript"):
 pass
 elif key in acceptable_attributes:
 key=keymap.get(key,key)
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
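Review bot: The new `href` guard in the first hunk of 6ce661b68417 (`value.startswith("javascript")`, and its `value.strip().startswith("javascript")` successor in 43326a266e8e) is case-sensitive, so a scheme spelled with any upper-case letters is not caught by the check; fold case before comparing, e.g. `if key=="href" and value.strip().lower().startswith("javascript"):`. The enclosing method begins and ends outside both hunks, and the check is applied only to `href`; if the acceptable-attribute set includes other URL-bearing attributes (not visible here), they receive no scheme check at all, so an allow-list of permitted schemes applied to every such attribute would be the more defensible shape than a deny-list of one prefix. The bare prefix match also drops harmless relative links whose path happens to start with the word, e.g. `javascript-notes.html`; comparing only the scheme part (the text before the first `:`, when one is present) avoids that false positive. The same remarks apply to the single hunk of the second commit.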