[REV] Reverted last commit.

bzr revid: tde@openerp.com-20140113165423-8nu3838d4yj3h3j4
Thibault Delavallée 2014-01-13 17:54:23 +01:00
parent 94357739bc
commit fe0af74eab
1 changed files with 5 additions and 14 deletions


@ -45,14 +45,10 @@ tags_to_remove = ['html', 'body', 'font']
# allow new semantic HTML5 tags
allowed_tags = clean.defs.tags | frozenset('article section header footer hgroup nav aside figure main'.split())
safe_attrs = clean.defs.safe_attrs | frozenset(
['style',
'data-oe-model', 'data-oe-id', 'data-oe-field', 'data-oe-type', 'data-oe-expression', 'data-oe-translate', 'data-oe-nodeid',
'data-snippet-id', 'data-publish', 'data-id', 'data-res_id', 'data-member_id', 'data-view-id'
])
safe_attrs = clean.defs.safe_attrs | frozenset(['style'])
def html_sanitize(src, silent=True, strict=False):
def html_sanitize(src, silent=True):
if not src:
return src
src = ustr(src, errors='replace')
@ -66,18 +62,11 @@ def html_sanitize(src, silent=True, strict=False):
kwargs = {
'page_structure': True,
'style': False, # do not remove style attributes
'frames': False, # de not remove frames (embbed video in CMS blogs)
'forms': True, # remove form tags
'remove_unknown_tags': False,
'allow_tags': allowed_tags,
}
if strict and etree.LXML_VERSION >= (3, 1, 0): # lxml < 3.1.0 does not allow to specify safe_attrs; however we always want to keep style
kwargs['safe_attrs_only'] = False
kwargs['safe_attrs_only'] = True
kwargs['safe_attrs'] = safe_attrs
else:
kwargs['frames'] = False, # do not remove frames (embbed video in CMS blogs)
kwargs['safe_attrs_only'] = False, # keep oe-data attributes + style
if etree.LXML_VERSION >= (2, 3, 1):
# kill_tags attribute has been added in version 2.3.1
kwargs.update({
@ -87,6 +76,8 @@ def html_sanitize(src, silent=True, strict=False):
else:
kwargs['remove_tags'] = tags_to_kill + tags_to_remove
kwargs['safe_attrs_only'] = False
try:
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)
cleaner = clean.Cleaner(**kwargs)
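Review bot: In the last hunk, `kwargs['safe_attrs_only'] = False` appears to be set unconditionally just before the `try:`, so nothing visible here passes the `safe_attrs` allow-list from the first hunk to `clean.Cleaner`, and attribute filtering is left to the Cleaner's other options. The +/- markers are lost on this page, so this assumes that line is on the new side. If the allow-list is meant to apply, consider `if etree.LXML_VERSION >= (3, 1, 0):` followed by `kwargs.update({'safe_attrs_only': True, 'safe_attrs': safe_attrs})`, keeping the `False` assignment only as the fallback for older lxml. Otherwise drop the unused `safe_attrs` set and add a comment such as `# lxml < 3.1.0 cannot take safe_attrs, so all attributes are kept to preserve style`. The body of html_sanitize, including the rest of the `try:` block, continues outside these hunks.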