Fix #153: Sanitizer fails to treat some attributes as URLs

gsnedders · gsnedders · commit 67b570918539 · 2015-04-29T18:17:05.000+01:00
Despite how this sounds, this has no known security implications.
No known version of IE (5.5 to current), Firefox (3 to current),
Safari (6 to current), Chrome (1 to current), or Opera (12 to current)
will run any script provided in these attributes.
diff --git a/html5lib/sanitizer.py b/html5lib/sanitizer.py
@@ -115,8 +115,8 @@ class HTMLSanitizerMixin(object):
                       'xml:base', 'xml:lang', 'xml:space', 'xmlns', 'xmlns:xlink', 'y',
                       'y1', 'y2', 'zoomAndPan']
 
-    attr_val_is_uri = ['href', 'src', 'cite', 'action', 'longdesc', 'poster',
-                       'xlink:href', 'xml:base']
+    attr_val_is_uri = ['href', 'src', 'cite', 'action', 'longdesc', 'poster', 'background', 'datasrc',
+                       'dynsrc', 'lowsrc', 'ping', 'poster' 'xlink:href', 'xml:base']
 
     svg_attr_val_allows_ref = ['clip-path', 'color-profile', 'cursor', 'fill',
                                'filter', 'marker', 'marker-start', 'marker-mid', 'marker-end',
