Here is a fixed one that puts the allowed schemes back.
diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
--- a/gluon/sanitizer.py
+++ b/gluon/sanitizer.py
@@ -151,11 +151,12 @@
def url_is_acceptable(self, url):
"""
- Requires all URLs to be \"absolute.\"
+ Accepts relative and absolute urls
"""
parsed = urlparse(url)
- return parsed[0] in self.allowed_schemes and '.' in
parsed[1]
+ return (parsed[0] in self.allowed_schemes and '.' in
parsed[1]) \
+ or (parsed[0] == '' and parsed[2][0:1]=='/')
def strip(self, rawstring, escape=True):
"""
On Nov 23, 11:57 pm, Jlew <[email protected]> wrote:
> I noticed that the XML module does not allow relative URLs when
> sanitize is set to true. I would think that local urls would be
> helpful to allow as the web2py URL function produces relative urls.
> It would only make sense to allow relative links. I found a case where
> html links generated from url function and stored in the db would
> later be removed when passed through an XML with sanitize on.
>
> Searching into the issue I found that this is because the XssCleaner
> in web2py.gluon.sanitizer has a method url_is_acceptable which only
> allows absolute urls.
>
> Here is a patch that allows relative urls.
>
> diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
> --- a/gluon/sanitizer.py
> +++ b/gluon/sanitizer.py
> @@ -151,11 +151,12 @@
>
> def url_is_acceptable(self, url):
> """
> - Requires all URLs to be \"absolute.\"
> + Accepts relative and absolute urls
> """
>
> parsed = urlparse(url)
> - return parsed[0] in self.allowed_schemes and '.' in parsed[1]
> + return (parsed[0] in ['http', 'https', 'ftp'] and '.' in
> parsed[1]) \
> + or (parsed[0] == '' and parsed[2][0:1]=='/')
>
> def strip(self, rawstring, escape=True):
> """