Ok, now I really don't get it.

This code:

    <iframe width="560" height="349"
            src="http://www.youtube.com/embed/uARLUg3QIvo?rel=0"
            frameborder="0"
            allowfullscreen>
    <script>evil</script>

becomes this by default (which is ok):

    &lt;iframe width="560" height="349" src="http://www.youtube.com/embed/uARLUg3QIvo?rel=0" frameborder="0" allowfullscreen=""&gt;
    &lt;script&gt;evil&lt;/script&gt;

And then when I allow iframe as element:

    from html5lib import sanitizer

    class HTMLSanitizerMixin(sanitizer.HTMLSanitizerMixin):
        acceptable_elements = ['a', 'abbr', 'acronym', 'address', 'area', 'b',
            'big', 'blockquote', 'br', 'button', 'caption', 'center', 'cite',
            'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', 'dt',
            'em', 'fieldset', 'font', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
            'hr', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'map',
            'menu', 'ol', 'optgroup', 'option', 'p', 'pre', 'q', 's', 'samp',
            'select', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table',
            'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u',
            'ul', 'var', 'iframe']
        allowed_elements = acceptable_elements

it gives me this:

    <iframe height="349" src="http://www.youtube.com/embed/uARLUg3QIvo?rel=0" width="560">
    <script>evil</script>
    </iframe>


Why didn't it escape <script>? 

Thank you.

-- 
You received this message because you are subscribed to the Google Groups 
"html5lib-discuss" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/html5lib-discuss/-/VTVnSDgtQnVHVllK.