Thank you Jlew. I am in favor of this. Can anybody see any reason for not accepting relative URLs?
Massimo On Nov 23, 10:57 pm, Jlew <[email protected]> wrote: > I noticed that the XML module does not allow relative URL's when > sanitize is set to true. I would think that local urls would be > helpful to allow as the web2py URL function produces relative urls. > It would only make sense to allow relative links. I found a case where > html links generated from url function and stored in the db would > later be removed when passed through an XML with sanitize on. > > Searching into the issue I found that this is because the XssCleaner > in web2py.gluon.sanitizer has a method url_is_acceptable which only > allows absolute urls. > > Here is a patch that allows relative urls. > > diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py > --- a/gluon/sanitizer.py > +++ b/gluon/sanitizer.py > @@ -151,11 +151,12 @@ > > def url_is_acceptable(self, url): > """ > - Requires all URLs to be \"absolute.\" > + Accepts relative and absolute urls > """ > > parsed = urlparse(url) > - return parsed[0] in self.allowed_schemes and '.' in parsed[1] > + return (parsed[0] in ['http', 'https', 'ftp'] and '.' in > parsed[1]) \ > + or (parsed[0] == '' and parsed[2][0:1]=='/') > > def strip(self, rawstring, escape=True): > """
