File tree Expand file tree Collapse file tree 2 files changed +16
-1
lines changed Original file line number Diff line number Diff line change @@ -87,7 +87,13 @@ def check_attributes(self, attrs):
8787 attr_names = set ([x [0 ] for x in attrs ])
8888
8989 if len (attr_names - self .allowed_attributes ):
90- raise DisallowedAttribute ("Attributes '{}' are not allowed" .format (", " .join (attr_names )))
90+ raise DisallowedAttribute ("Attributes '{}' are not allowed" .format (", " .join (attr_names - self .allowed_attributes )))
91+
92+ for link_attr in "href" , "src" :
93+ if link_attr in attr_names :
94+ for attr , val in attrs :
95+ if attr == link_attr and val .startswith ("javascript:" ):
96+ raise DisallowedAttribute ("Attributes launching JavaScript are not allowed" )
9197
9298 def handle_starttag (self , tag , attrs ):
9399 if tag not in self .allowed_elements :
Original file line number Diff line number Diff line change @@ -28,6 +28,15 @@ def test_allow_attributes():
2828 """<div class='test' onhover="alert('XSS')"><a href='/courses/'>Text</a></div>"""
2929 )
3030
31+ with pytest .raises (naucse .validation .DisallowedElement ):
32+ allowed_elements .reset_and_feed (
33+ """<div class='test'><span style='color: red'><a href="javascript:alert('XSS')">Text</a></span></div>"""
34+ )
35+
36+ with pytest .raises (naucse .validation .DisallowedElement ):
37+ allowed_elements .reset_and_feed (
38+ """<div class='test' onhover="alert('XSS')"><img src="javascript:alert('XSS')" /></div>"""
39+ )
3140
3241def test_allowed_styles ():
3342 allowed_elements = naucse .validation .AllowedElementsParser ()
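Review bot: The second new case (L29–L32) does not exercise the `src` check it is meant to cover: the `onhover` attribute on the outer div is presumably already outside the allowed set (the existing case at L21 uses the same markup), so validation rejects the input before the `<img src="javascript:...">` is ever examined. Drop it so the img is the only offender: `"""<div class='test'><img src="javascript:alert('XSS')" /></div>"""`. Both new cases also expect `naucse.validation.DisallowedElement` while the check added to check_attributes raises `DisallowedAttribute`; unless the latter subclasses the former, which this page does not show, both cases fail — expect `naucse.validation.DisallowedAttribute` instead. test_allow_attributes starts above the hunk.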