On Jul 22, 2010, at 7:41 PM, mr.freeze wrote:
> Negative, it sanitizes those too:
>>>> XML('<a href="web2py.com">test</a>',sanitize=True,permitted_tags =
>>>> ['a']).xml()
> 'test'
Only absolute URLs are acceptable. Try http://web2py.com.
>
> On Jul 22, 9:38 pm, Jonathan Lundell <[email protected]> wrote:
>> On Jul 22, 2010, at 7:04 PM, mr.freeze wrote:
>>
>>>>>> XML('<b>test</b>',sanitize=True,permitted_tags = ['b']).xml()
>>> '<b>test</b>'
>>>>>> XML('<a>test</a>',sanitize=True,permitted_tags = ['a']).xml()
>>> 'test'
>>
>>> Why does the 'a' element get sanitized?
>>
>> At first glance, it looks like it might require an attribute from
>> allowed_attributes. Does it work if you give it an href or a title?
>>
>> Turning off allowed_attributes won't fix it, I think, because of this:
>>
>> if bt == '<a' or bt == '<img':
>> return
>>
>> Seems unfortunate to have those tags hard-coded.
