File feedparser-issue255-CVE-2011-1158.patch of Package python-feedparser.import4444
Index: feedparser-4.1/tests/wellformed/sanitize/feed_title_unacceptable_uri.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/feed_title_unacceptable_uri.xml
@@ -0,0 +1,7 @@
+<!--
+Description: anchor href contains unacceptable uri scheme
+Expect: not bozo and feed['title'] == u'<a href="">safe</a>'
+-->
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title type="html"><a href="javascript:alert(1)">safe</a></title>
+</feed>
Index: feedparser-4.1/feedparser.py
===================================================================
--- feedparser-4.1.orig/feedparser.py
+++ feedparser-4.1/feedparser.py
@@ -1626,9 +1626,19 @@ class _HTMLSanitizer(_BaseHTMLProcessor)
if tag in self.unacceptable_elements_with_end_tag:
self.unacceptablestack += 1
return
- attrs = self.normalize_attrs(attrs)
- attrs = [(key, value) for key, value in attrs if key in self.acceptable_attributes]
- _BaseHTMLProcessor.unknown_starttag(self, tag, attrs)
+
+ clean_attrs = []
+ for key, value in self.normalize_attrs(attrs):
+ if key in self.acceptable_attributes:
+ key=keymap.get(key,key)
+ # make sure the uri uses an acceptable uri scheme
+ if key == u'href':
+ value = _makeSafeAbsoluteURI(value)
+ clean_attrs.append((key,value))
+ elif key=='style':
+ clean_value = self.sanitize_style(value)
+ if clean_value: clean_attrs.append((key,clean_value))
+ _BaseHTMLProcessor.unknown_starttag(self, tag, clean_attrs)
def unknown_endtag(self, tag):
if not tag in self.acceptable_elements:
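Review bot: Only `href` is routed through `_makeSafeAbsoluteURI` at the `if key == u'href':` line; any other attribute in `acceptable_attributes` that carries a URI (`src` at least, if this build's list still allows it for `img`, plus `cite`/`longdesc`/`background` if present) is appended unchanged, so the scheme check the new fixture exercises never reaches those. Widening the test to `if key in (u'href', u'src'):` covers the most common case, and a companion fixture next to feed_title_unacceptable_uri.xml would pin it. `keymap`, `_makeSafeAbsoluteURI` and `self.sanitize_style` are used here but not defined in this hunk; if the rest of the backport does not also bring them into 4.1, the first sanitized start tag raises NameError or AttributeError, which is worth confirming against the remaining hunks. As a style point, `key=keymap.get(key,key)` and `key=='style'` lack the operator spacing of the surrounding lines, and the `u'href'`/`'style'` literal mix could be made consistent. The enclosing `unknown_starttag` begins above this hunk.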