On Jul 22, 2010, at 10:07 PM, mr.freeze wrote: > That works. Thanks.
I think perhaps sanitizer could use some work. A bare <a> is harmless enough. And <a name="something"> ought to be OK. > > On Jul 22, 11:23 pm, Jonathan Lundell <[email protected]> wrote: >> On Jul 22, 2010, at 7:41 PM, mr.freeze wrote: >> >>> Negative, it sanitizes those too: >>>>>> XML('<a href="web2py.com">test</a>',sanitize=True,permitted_tags = >>>>>> ['a']).xml() >>> 'test' >> >> Only absolute URLs are acceptable. Tryhttp://web2py.com. >> >> >> >>> On Jul 22, 9:38 pm, Jonathan Lundell <[email protected]> wrote: >>>> On Jul 22, 2010, at 7:04 PM, mr.freeze wrote: >> >>>>>>>> XML('<b>test</b>',sanitize=True,permitted_tags = ['b']).xml() >>>>> '<b>test</b>' >>>>>>>> XML('<a>test</a>',sanitize=True,permitted_tags = ['a']).xml() >>>>> 'test' >> >>>>> Why does the 'a' element get sanitized? >> >>>> At first glance, it looks like it might require an attribute from >>>> allowed_attributes. Does it work if you give it an href or a title? >> >>>> Turning off allowed_attributes won't fix it, I think, because of this: >> >>>> if bt == '<a' or bt == '<img': >>>> return >> >>>> Seems unfortunate to have those tags hard-coded.
