I noticed that the XML module does not allow relative URLs when
sanitize is set to true.  I would think that local URLs would be
helpful to allow, as the web2py URL function produces relative URLs.
It would only make sense to allow relative links. I found a case where
HTML links generated from the URL function and stored in the db would
later be removed when passed through an XML with sanitize on.

Looking into the issue I found that this is because the XssCleaner
in web2py.gluon.sanitizer has a method url_is_acceptable which only
allows absolute URLs.

Here is a patch that allows relative urls.

diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
--- a/gluon/sanitizer.py
+++ b/gluon/sanitizer.py
@@ -151,11 +151,12 @@

     def url_is_acceptable(self, url):
         """
-        Requires all URLs to be \"absolute.\"
+        Accepts relative and absolute urls
         """

         parsed = urlparse(url)
-        return parsed[0] in self.allowed_schemes and '.' in parsed[1]
+        return (parsed[0] in ['http', 'https', 'ftp'] and '.' in
parsed[1]) \
+                or (parsed[0] == '' and parsed[2][0:1]=='/')

     def strip(self, rawstring, escape=True):
         """

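The following is an added example, not web2py's code and not the patch author's: it reimplements the `url_is_acceptable` check the thread discusses in a form that keeps the configurable scheme allow-list and accepts only root-relative links with no host component, and sets it beside a reproduction of the patch's own logic (`patched_url_is_acceptable`, a name chosen here) so the difference is visible. It assumes only the standard-library `urllib.parse.urlparse` behaviour and a constructed list of sample links.

```python
from urllib.parse import urlparse

# Same default list the patch hard-codes; kept as a parameter so callers can
# restrict it, which is what the original self.allowed_schemes allowed.
DEFAULT_ALLOWED_SCHEMES = ('http', 'https', 'ftp')


def url_is_acceptable(url, allowed_schemes=DEFAULT_ALLOWED_SCHEMES):
    """Accept absolute URLs with an allowed scheme and a dotted host, or
    root-relative links ('/path') that carry no host of their own."""
    parsed = urlparse(url)
    scheme, netloc, path = parsed.scheme, parsed.netloc, parsed.path
    if scheme:
        # Absolute URL: keep the original check (allowed scheme, dotted host).
        return scheme in allowed_schemes and '.' in netloc
    # Relative URL: urlparse puts the host of '//host/path' into netloc, so
    # requiring an empty netloc rejects protocol-relative links to other
    # hosts. Also refuse '/\\' since some browsers treat '\\' like '/'.
    return (netloc == ''
            and path.startswith('/')
            and not path.startswith(('//', '/\\')))


def patched_url_is_acceptable(url):
    """Reproduction of the logic in the posted patch, for comparison only."""
    parsed = urlparse(url)
    return (parsed[0] in ['http', 'https', 'ftp'] and '.' in parsed[1]) \
        or (parsed[0] == '' and parsed[2][0:1] == '/')


# Constructed sample links such as the URL() function or stored HTML
# might produce; not taken from any real application.
SAMPLE_LINKS = [
    '/default/index',                # root-relative, produced by URL()
    'http://www.example.com/page',   # absolute, allowed scheme
    'ftp://files.example.org/doc',   # absolute, allowed scheme
    'relative/page',                 # not root-relative
    '//evil.example/page',           # protocol-relative, another host
    'javascript:alert(1)',           # disallowed scheme
]


def classify(links=SAMPLE_LINKS):
    """Return {link: (hardened verdict, patch verdict)} for each sample."""
    return {u: (url_is_acceptable(u), patched_url_is_acceptable(u))
            for u in links}


if __name__ == '__main__':
    for link, (hardened, patched) in classify().items():
        print(f'{link:32} hardened={hardened!s:5} patch={patched}')
```

Run as a script it prints one line per sample; the only link on which the two checks disagree is the protocol-relative one, which the patch accepts and the hardened version rejects.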