Strip out meta tags with http-equiv attribute if

http header is not allowed like "content-type". git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36540 20353a03-c40f-0410-a6d1-a30d3c3de9de

Strip out meta tags with http-equiv attribute if
http header is not allowed like "content-type". git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@36540 20353a03-c40f-0410-a6d1-a30d3c3de9de
302fcc1a · Nicolas Delaby · aae52915 · 302fcc1a
Commit 302fcc1a authored Jun 23, 2010 by Nicolas Delaby
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

product/PortalTransforms/transforms/safe_html.py product/PortalTransforms/transforms/safe_html.py +14 -0

No files found.
--- a/product/PortalTransforms/transforms/safe_html.py
+++ b/product/PortalTransforms/transforms/safe_html.py
@@ -73,6 +73,15 @@ msg_pat = """
 %s</d>
 """

+# we inconditionally remove all meta tags with http-equiv
+# except for content-type, because:
+# * refresh can redirect;
+# * set-cookie expose confidential data;
+# * www-authenticate can disturb authentication on portal;
+# * expires can disbale caching features
+# * ...
+ALLOWED_HTTP_EQUIV_VALUE_LIST = ('content-type',)
+
 def hasScript(s):
   """
   >>> hasScript('script:evil(1);')
@@ -172,6 +181,11 @@ class StrippingParser(HTMLParser):
        """
        if self.suppress: return

+        if tag.lower() == 'meta':
+          for k, v in attrs:
+            if k.lower() == 'http-equiv' and v.lower() not in\
+                                                 ALLOWED_HTTP_EQUIV_VALUE_LIST:
+              return
        if self.valid.has_key(tag):
            self.result.append('<' + tag)