File feedparser-issue255-CVE-2011-1158.patch of Package python-feedparser.import4630

Overview Repositories Revisions Requests Users Attributes Meta

File feedparser-issue255-CVE-2011-1158.patch of Package python-feedparser.import4630

Index: feedparser-4.1/tests/wellformed/sanitize/feed_title_unacceptable_uri.xml
===================================================================
--- /dev/null
+++ feedparser-4.1/tests/wellformed/sanitize/feed_title_unacceptable_uri.xml
@@ -0,0 +1,7 @@
+
+<feed xmlns="http://www.w3.org/2005/Atom">
+  <title type="html">&lt;a href="javascript:alert(1)"&gt;safe&lt;/a&gt;</title>
+</feed>
Index: feedparser-4.1/feedparser.py
===================================================================
--- feedparser-4.1.orig/feedparser.py
+++ feedparser-4.1/feedparser.py
@@ -1626,9 +1626,19 @@ class _HTMLSanitizer(_BaseHTMLProcessor)
             if tag in self.unacceptable_elements_with_end_tag:
                 self.unacceptablestack += 1
             return
-        attrs = self.normalize_attrs(attrs)
-        attrs = [(key, value) for key, value in attrs if key in self.acceptable_attributes]
-        _BaseHTMLProcessor.unknown_starttag(self, tag, attrs)
+        
+        clean_attrs = []
+        for key, value in self.normalize_attrs(attrs):
+            if key in self.acceptable_attributes:
+                key=keymap.get(key,key)
+                # make sure the uri uses an acceptable uri scheme
+                if key == u'href':
+                    value = _makeSafeAbsoluteURI(value)
+                clean_attrs.append((key,value))
+            elif key=='style':
+                clean_value = self.sanitize_style(value)
+                if clean_value: clean_attrs.append((key,clean_value))
+        _BaseHTMLProcessor.unknown_starttag(self, tag, clean_attrs)
         
     def unknown_endtag(self, tag):
         if not tag in self.acceptable_elements:

Places

File feedparser-issue255-CVE-2011-1158.patch of Package python-feedparser.import4630

Places