+1

2010/11/24 Jlew <[email protected]>:
> Here is a fixed one, putting the allowed schemes back in.
>
> diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
> --- a/gluon/sanitizer.py
> +++ b/gluon/sanitizer.py
> @@ -151,11 +151,12 @@
>     def url_is_acceptable(self, url):
>         """
> -        Requires all URLs to be \"absolute.\"
> +        Accepts relative and absolute urls
>         """
>         parsed = urlparse(url)
> -        return parsed[0] in self.allowed_schemes and '.' in
> parsed[1]
> +        return (parsed[0] in self.allowed_schemes and '.' in
> parsed[1]) \
> +                or (parsed[0] == '' and parsed[2][0:1]=='/')
>     def strip(self, rawstring, escape=True):
>         """
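Review bot: the new relative-URL branch `parsed[0] == '' and parsed[2][0:1]=='/'` never looks at the netloc (`parsed[1]`), so a scheme-less link of the form `//host/path` (urlparse gives it an empty scheme, a non-empty netloc and a path starting with '/') is accepted as if it were a site-local path, bypassing the `allowed_schemes` and dotted-host test that the absolute branch applies; adding `and parsed[1] == ''` to that branch restricts it to genuinely relative paths. Minor: the trailing backslash is redundant because the expression is already parenthesised, and the docstring should read "Accepts relative and absolute URLs".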
>
> On Nov 23, 11:57 pm, Jlew <[email protected]> wrote:
>> I noticed that the XML module does not allow relative URLs when
>> sanitize is set to true.  I would think that local URLs would be
>> helpful to allow, as the web2py URL function produces relative URLs.
>> It would only make sense to allow relative links. I found a case where
>> HTML links generated from the URL function and stored in the db would
>> later be removed when passed through XML with sanitize on.
>>
>> Looking into the issue, I found that this is because the XssCleaner
>> in web2py.gluon.sanitizer has a method url_is_acceptable which only
>> allows absolute URLs.
>>
>> Here is a patch that allows relative urls.
>>
>> diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
>> --- a/gluon/sanitizer.py
>> +++ b/gluon/sanitizer.py
>> @@ -151,11 +151,12 @@
>>
>>      def url_is_acceptable(self, url):
>>          """
>> -        Requires all URLs to be \"absolute.\"
>> +        Accepts relative and absolute urls
>>          """
>>
>>          parsed = urlparse(url)
>> -        return parsed[0] in self.allowed_schemes and '.' in parsed[1]
>> +        return (parsed[0] in ['http', 'https', 'ftp'] and '.' in
>> parsed[1]) \
>> +                or (parsed[0] == '' and parsed[2][0:1]=='/')
>>
>>      def strip(self, rawstring, escape=True):
>>          """
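Review bot: the first branch replaces `self.allowed_schemes` with a hard-coded `['http', 'https', 'ftp']`, so whatever scheme allowlist the XssCleaner instance was configured with is silently ignored for absolute URLs; keep `parsed[0] in self.allowed_schemes` there. The relative branch `parsed[0] == '' and parsed[2][0:1]=='/'` also has no netloc check, so a protocol-relative `//host/path` link passes as local; `and parsed[1] == ''` closes that. Docstring nit: "URLs", not "urls".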

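The url_is_acceptable() check from the patches above, as an added Python 3 example that is not part of this thread or of web2py's code: it runs the patched check over a few constructed sample links beside a stricter variant (a suggestion of mine, not the patch's) whose relative branch also requires an empty netloc, so that protocol-relative links are not treated as local. `urllib.parse` is assumed in place of the Python 2 `urlparse` module the patch imports.

```python
# Added example, not web2py's code. Compares the patched url_is_acceptable()
# with a stricter variant on constructed sample links (Python 3 assumed).
from urllib.parse import urlparse

ALLOWED_SCHEMES = ["http", "https", "ftp"]  # constructed to mirror the hunk


def url_is_acceptable_patched(url, allowed_schemes=ALLOWED_SCHEMES):
    """The check as written in the patch: absolute URL with a dotted host,
    or scheme-less URL whose path starts with '/'."""
    parsed = urlparse(url)
    return (parsed[0] in allowed_schemes and "." in parsed[1]) \
        or (parsed[0] == "" and parsed[2][0:1] == "/")


def url_is_acceptable_strict(url, allowed_schemes=ALLOWED_SCHEMES):
    """Same test, but the relative branch also demands an empty netloc, so
    '//example.org/x' (empty scheme, non-empty netloc) is rejected."""
    parsed = urlparse(url)
    if parsed.scheme:
        return parsed.scheme in allowed_schemes and "." in parsed.netloc
    return parsed.netloc == "" and parsed.path.startswith("/")


# Constructed sample links: what the sanitizer would see in stored HTML.
SAMPLES = [
    "/default/index",            # web2py URL() style output: relative, local
    "http://example.com/page",   # absolute, allowed scheme, dotted host
    "javascript:void(0)",        # scheme not in the allowlist
    "//example.org/steal",       # protocol-relative: points at another host
    "index.html",                # relative without a leading '/'
]


def compare(urls=SAMPLES):
    """Return {url: (patched_verdict, strict_verdict)} for each sample."""
    return {u: (url_is_acceptable_patched(u), url_is_acceptable_strict(u))
            for u in urls}


if __name__ == "__main__":
    for url, (patched, strict) in compare().items():
        print(f"{url:26} patched={patched!s:5} strict={strict}")
```

Only the protocol-relative sample differs between the two checks: the patched version accepts it, the strict version does not.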