python - lxml cleaner to ignore base64 image -


i use lxml.html.clean remove untrusted input in html code. realised lxml removes data: tag in code. want insert image in base64 format (from database, have no file) need tag. instance take

from lxml.html.clean import cleaner cleaner = cleaner() cleaner.clean_html("""     <img src="http://test.com/img.png"/>     <img src="data:image/png;base64,agvsbg8="/> """)

the result '<span><img src="http://test.com/img.png"><img src=""></span>'. first image not escaped, second yes.

any idea how make accept base64 code without letting pass vulnerabilities ?

i able reproduce behavioral after installing lxml 3.1.0. here solution based on "monkey patching" - replacing lookup regex pattern in lxml.html.clean module exclude links has data:image/.*;base64 removal.

import re import lxml lxml.html.clean import cleaner new_pattern = '\s*(?:javascript:|jscript:|livescript:|vbscript:|data:[^(?:image/.+;base64)]+|about:|mocha:)'  print(new_pattern)  lxml.html.clean._javascript_scheme_re = re.compile(new_pattern, re.i)   cleaner = cleaner() dochtml = """     <img src="http://test.com/img.png"/>     <img src="data:image/png;base64,agvsbg8="/>     <img src="data:unsafe/contents;base64,agvsbg8="/>     <img src="data:text/html;base64,pgh0bww+phnjcmlwdcb0exblpsj0zxh0l2phdmfzy3jpchqipmfszxj0kc‌​doascppc9zy3jpchq+pc9odg1spg=="/> """ r = cleaner.clean_html(dochtml) print(r)

result

<span><img src="http://test.com/img.png">     <img src="data:image/png;base64,agvsbg8=">     <img src="">     <img src=""> </span>

the downside of - relies on internal variable name not announced in public interface cleaner. module developers change name of variable or improve version of regex.

to 1 safe side , create url handler on web server return image contents out of database id. in html doc <img src="http://myserver/showimg?id=123213">. involve adding lots of additional moving parts - having web server etc. won't work if undesirable whole world have access images.

old answer:

it should possible configure cleaner keep these tags, cannot reproduce case - works me. i'm using python 2.7.2 , lxml 2.2.8 win-32. please clarify python , lxml version have?

i tried run example , got second image tag contents not removed


Comments

Post a Comment

Popular posts from this blog

get url and add instance to a model with prefilled foreign key :django admin -

Image
i have page in each contest shown in row. each row contains contest id , link other model names have foreign key contest. news model: class news(models.model): title = models.charfield(max_length=50, null=true) description = models.textfield() time = models.timefield( default= datetime.datetime.now().time()) contest = models.foreignkey(contest) i want use admin adding , changing these models. want when user clicks on 'news' has foreign key contest id=1, shows list of news value foreign key. use {% instance in instances %} <tr class="{% cycle 'row1' 'row2' %}"> <td>{{ instance.title }}</td> <td>{{ instance.starttime }}</td> <td>{{ instance.timespan }}</td> <td>{{ instance.date }}</td> <td><a href="/adm...
Read more

android - Keyboard hides my half of edit-text and button below it even in scroll view -

i having trouble keyboard covers edit-text , half of button in scroll view. here's layout , please tell me how should resolve problem. many questions on topic none of them s working me. <?xml version="1.0" encoding="utf-8"?> <linearlayout xmlns:android="http://schemas.android.com/apk/res/android" android:layout_width="match_parent" android:background="@drawable/bg" android:layout_height="match_parent"> <scrollview android:layout_width="match_parent" android:fillviewport="true" android:layout_height="match_parent"> <relativelayout android:layout_width="match_parent" android:layout_height="wrap_content" android:orientation="vertical"> <linearlayout android:layout_width="match_parent" android:layout_height="w...
Read more

css - Make div keyboard-scrollable in jQuery Mobile? -

from can tell, although jquery-mobile-powered pages can contain divs overflow set scroll or auto, , these divs can scrolled one-screen bar or mouse wheel, cannot scrolled using arrow keys, page-up/page-down, or home/end. instead, official "page" div (with data-role="page") absorbs input. perhaps other divs can't acquire focus, i'm not sure. is there way around this? edit: jsfiddle of simple example: https://jsfiddle.net/qogz0shx/ <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script> <link rel="stylesheet" href="https://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.css"/> <style> #outer { overflow:scroll; height: 50vh; width: 50vw; } #inner { height: 500vh; width: 500vw; } ...
Read more