Fix #153: Sanitizer fails to treat some attributes as URLs

gsnedders · gsnedders · commit a5efb0e15835 · 2015-04-29T18:27:35.000+01:00
Despite how this sounds, this has no known security implications.
No known version of IE (5.5 to current), Firefox (3 to current),
Safari (6 to current), Chrome (1 to current), or Opera (12 to current)
will run any script provided in these attributes.
diff --git a/html5lib/sanitizer.py b/html5lib/sanitizer.py
@@ -115,8 +115,8 @@ class HTMLSanitizerMixin(object):
                       'xml:base', 'xml:lang', 'xml:space', 'xmlns', 'xmlns:xlink', 'y',
                       'y1', 'y2', 'zoomAndPan']
 
-    attr_val_is_uri = ['href', 'src', 'cite', 'action', 'longdesc', 'poster',
-                       'xlink:href', 'xml:base']
+    attr_val_is_uri = ['href', 'src', 'cite', 'action', 'longdesc', 'poster', 'background', 'datasrc',
+                       'dynsrc', 'lowsrc', 'ping', 'poster', 'xlink:href', 'xml:base']
 
     svg_attr_val_allows_ref = ['clip-path', 'color-profile', 'cursor', 'fill',
                                'filter', 'marker', 'marker-start', 'marker-mid', 'marker-end',
