weixin_39954889
2020-12-02 05:05

Double Angle Brackets defeat bleach

If I attempt to bleach.clean(..., attributes=[], tags=[], styles=[]) this string:


<<how the grinch stole christmas>>

I get:


<<how the="" grinch="" stole="" christmas="">>

It seems like the empty whitelist for attributes is being ignored for the inner <...>?

Thanks!

This question comes from the open-source project: mozilla/bleach


9 answers

  • weixin_39971172 5 months ago

    I can't reproduce this. I get this:

    
    Python 2.7.12 (default, Nov 19 2016, 06:48:10) 
    [GCC 5.4.0 20160609] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import bleach
    >>> bleach.clean('<<how the grinch stole christmas>>')
    u'<<how the="" grinch="" stole="" christmas="">>'
    >>> bleach.clean('<<how the grinch stole christmas>>', attributes=[], tags=[], styles=[])
    u'<<how the="" grinch="" stole="" christmas="">>'
    >>> 

    That's with Python 2.7.12, bleach 1.5, and html5lib 0.9999999 (7 9s).

    What're you using?

  • weixin_39954889 5 months ago

    I'm using Python 2.7.11, but would expect:

    u'<<How The Grinch Stole Christmas >>'

  • weixin_39971172 5 months ago

    What version of bleach and html5lib are you using?

    Also, why would you expect the angle brackets to not get escaped?

  • weixin_39954889 5 months ago

    bleach (1.5.0)

    html5lib (0.9999999)

    Actually you’re correct, I’d expect both the inner and outer angle brackets to be escaped, sorry!

    On Jan 6, 2017, at 10:03 PM, Will Kahn-Greene wrote:

    What version of bleach and html5lib are you using?

    Also, why would you expect the angle brackets to not get escaped?

    — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/mozilla/bleach/issues/245#issuecomment-271058397, or mute the thread https://github.com/notifications/unsubscribe-auth/ACg7by2dxz6X74e3F0YDaXY1vzTgAZNKks5rPwBygaJpZM4LdSXX.

  • weixin_39971172 5 months ago

    Ok... So it seems like everything is fine except that you'd rather the words in the <<...>> weren't getting converted into a foo="" form. Is that right?

  • weixin_39954889 5 months ago

    Yes, that’s the issue, I don't expect the foo="" form.

    On Jan 6, 2017, at 10:07 PM, Will Kahn-Greene wrote:

    Ok... So it seems like everything is fine except that you'd rather the words in the <<...>> weren't getting converted into a foo="" form. Is that right?


  • weixin_39971172 5 months ago

    Ok. That seems like it's covered in part by issue #157. It's possible a future version of html5lib fixes this, but I haven't tested that out.

    In the meantime, I'm going to close this out in favor of #157 because I think if that gets solved, it'll cover this, too.

  • weixin_39954889 5 months ago

    Tried the following:

    --(2214:Fri,06 Jan 17:$)-- pip install html5lib --upgrade
    Collecting html5lib
    Using cached html5lib-0.999999999-py2.py3-none-any.whl
    Requirement already up-to-date: six in ./Virtualenvs/fyndit/lib/python2.7/site-packages (from html5lib)
    Requirement already up-to-date: webencodings in ./Virtualenvs/fyndit/lib/python2.7/site-packages (from html5lib)
    Collecting setuptools>=18.5 (from html5lib)
    Using cached setuptools-32.3.1-py2.py3-none-any.whl
    Installing collected packages: setuptools, html5lib
    Found existing installation: setuptools 32.1.0
    Not uninstalling setuptools at /usr/local/lib/python2.7/site-packages, outside environment /Users/michael/Virtualenvs/fyndit/bin/..
    Found existing installation: html5lib 0.9999999
    Uninstalling html5lib-0.9999999:
    Successfully uninstalled html5lib-0.9999999
    Successfully installed html5lib-0.999999999 setuptools-32.3.1
    (fyndit)--(michael-2016)-(/Users/michael)--
    --(2214:Fri,06 Jan 17:$)-- pip install bleach --upgrade
    Requirement already up-to-date: bleach in ./Virtualenvs/fyndit/lib/python2.7/site-packages
    Requirement already up-to-date: six in ./Virtualenvs/fyndit/lib/python2.7/site-packages (from bleach)
    Collecting html5lib!=0.9999,!=0.99999,<0.99999999,>=0.999 (from bleach)
    Installing collected packages: html5lib
    Found existing installation: html5lib 0.999999999
    Uninstalling html5lib-0.999999999:
    Successfully uninstalled html5lib-0.999999999
    Successfully installed html5lib-0.9999999
    (fyndit)--(michael-2016)-(/Users/michael)--
    --(2214:Fri,06 Jan 17:$)-- python
    Python 2.7.11 (default, Jan 22 2016, 08:29:18)
    [GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import bleach
    >>> bleach.clean('<<how the grinch stole christmas>>', attributes=[], tags=[], styles=[])
    u'<<how the="" grinch="" stole="" christmas="">>'

    On Jan 6, 2017, at 10:10 PM, Will Kahn-Greene wrote:

    Closed #245 https://github.com/mozilla/bleach/issues/245.


  • weixin_39954889 5 months ago

    Sorry, should have read more carefully. Will wait for #157.

    On Jan 6, 2017, at 10:10 PM, Will Kahn-Greene wrote:

    Ok. That seems like it's covered in part by issue #157 https://github.com/mozilla/bleach/issues/157. It's possible a future version of html5lib fixes this, but I haven't tested that out.

    In the meantime, I'm going to close this out in favor of #157 https://github.com/mozilla/bleach/issues/157 because I think if that gets solved, it'll cover this, too.


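Why the words inside `<<...>>` come back in the `foo=""` form, as an added example that is not part of the thread and is not bleach's or html5lib's code. Python's standard-library `html.parser` stands in for the tokenizer, `escape_by_reserializing` is a hypothetical, simplified model of a sanitizer that rebuilds a disallowed tag from its parsed token before escaping it, and `escape_raw` is plain escaping for the case where no markup is allowed at all.

```python
import html
from html.parser import HTMLParser

SAMPLE = "<<how the grinch stole christmas>>"  # the string from the thread


class TokenLog(HTMLParser):
    """Record the tokens a tolerant HTML tokenizer sees in the input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, attrs))

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag, []))

    def handle_data(self, data):
        self.tokens.append(("text", data, []))


def tokenize(markup):
    parser = TokenLog()
    parser.feed(markup)
    parser.close()
    return parser.tokens


def escape_by_reserializing(markup):
    """Hypothetical model: rebuild each disallowed tag from its token, then escape it."""
    out = []
    for kind, value, attrs in tokenize(markup):
        if kind == "text":
            rebuilt = value
        elif kind == "start":
            # Valueless attributes (value None) are written back as name="".
            rebuilt = "<" + value + "".join(' %s="%s"' % (k, v or "") for k, v in attrs) + ">"
        else:
            rebuilt = "</%s>" % value
        out.append(html.escape(rebuilt, quote=False))
    return "".join(out)


def escape_raw(markup):
    """No markup allowed: escape the original characters without parsing them."""
    return html.escape(markup, quote=False)
```

The first `<` is not followed by a letter, so it is plain text; `<how the grinch stole christmas>` is then a start tag `how` with four valueless attributes, which is where the `the=""` form originates once the tag is written back out.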
