uploading to trunk.
On Nov 23, 11:10 pm, Jlew <[email protected]> wrote: > Here is a fixed one putting the allowed schemes again. > > diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py > --- a/gluon/sanitizer.py > +++ b/gluon/sanitizer.py > @@ -151,11 +151,12 @@ > def url_is_acceptable(self, url): > """ > - Requires all URLs to be \"absolute.\" > + Accepts relative and absolute urls > """ > parsed = urlparse(url) > - return parsed[0] in self.allowed_schemes and '.' in > parsed[1] > + return (parsed[0] in self.allowed_schemes and '.' in > parsed[1]) \ > + or (parsed[0] == '' and parsed[2][0:1]=='/') > def strip(self, rawstring, escape=True): > """ > > On Nov 23, 11:57 pm, Jlew <[email protected]> wrote: > > > I noticed that the XML module does not allow relative URL's when > > sanitize is set to true. I would think that local urls would be > > helpful to allow as the web2py URL function produces relative urls. > > It would only make sense to allow relative links. I found a case where > > html links generated from url function and stored in the db would > > later be removed when passed through an XML with sanitize on. > > > Searching into the issue I found that this is because the XssCleaner > > in web2py.gluon.sanitizer has a method url_is_acceptable which only > > allows absolute urls. > > > Here is a patch that allows relative urls. > > > diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py > > --- a/gluon/sanitizer.py > > +++ b/gluon/sanitizer.py > > @@ -151,11 +151,12 @@ > > > def url_is_acceptable(self, url): > > """ > > - Requires all URLs to be \"absolute.\" > > + Accepts relative and absolute urls > > """ > > > parsed = urlparse(url) > > - return parsed[0] in self.allowed_schemes and '.' in parsed[1] > > + return (parsed[0] in ['http', 'https', 'ftp'] and '.' in > > parsed[1]) \ > > + or (parsed[0] == '' and parsed[2][0:1]=='/') > > > def strip(self, rawstring, escape=True): > > """ > >
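Review bot: In the revised hunk (the one that keeps `self.allowed_schemes`), the new relative-URL branch `or (parsed[0] == '' and parsed[2][0:1]=='/')` does not check that the netloc is empty, so a protocol-relative URL such as `//other-host/path` (scheme '' , netloc 'other-host', path '/path' after urlparse) is accepted as if it were a local link. Since the stated intent is to allow the relative URLs produced by web2py's URL function, require `parsed[1] == ''` in that branch as well, e.g. `or (parsed[0] == '' and parsed[1] == '' and parsed[2][0:1] == '/')`. Minor style point on the same line: add spaces around `==` to match the rest of the module.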

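Review bot: In the earlier hunk (the one with `['http', 'https', 'ftp']`), the absolute-URL branch replaces the configurable `self.allowed_schemes` check with a hard-coded list, which silently ignores whatever the caller configured on the XssCleaner; the follow-up revision in this thread restores `self.allowed_schemes`, and that is the version that should land. The relative-URL branch in this hunk has the same shape as in the revised one and would benefit from the same empty-netloc check.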
