author | Kevin Chung <kchung@nyu.edu> | 2021-03-21 10:03:09 -0400 |
committer | GitHub <noreply@github.com> | 2021-03-21 15:03:09 +0100 |
commit | 2d01a1ba8984e0483ce6619b972832377f208a0d (patch) | |
tree | fae164b962c1eaee379eca649a067c39be3355c6 | |
parent | e986a9cb5d54827c59aefa8803bc90954d67221e (diff) | |
download | python-lxml-2d01a1ba8984e0483ce6619b972832377f208a0d.tar.gz |
Add HTML-5 "formaction" attribute to "defs.link_attrs" (GH-316)
Resolves https://bugs.launchpad.net/lxml/+bug/1888153
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957
-rw-r--r-- | src/lxml/html/defs.py | 2 | ||||
-rw-r--r-- | src/lxml/html/tests/test_clean.py | 15 |
2 files changed, 17 insertions, 0 deletions
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index 1b3a75b3..2058ea33 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -23,6 +23,8 @@ link_attrs = frozenset([
     'usemap',
     # Not standard:
     'dynsrc', 'lowsrc',
+    # HTML5 formaction
+    'formaction'
     ])
 
 # Not in the HTML 4 spec:
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 0e669f98..45c2e83a 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,21 @@ class CleanerTest(unittest.TestCase):
             b'<math><style>/* deleted */</style></math>',
             lxml.html.tostring(clean_html(s)))
 
+    def test_formaction_attribute_in_button_input(self):
+        # The formaction attribute overrides the form's action and should be
+        # treated as a malicious link attribute
+        html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
+                '<button form="test" formaction="javascript:alert(1)">X</button>')
+        expected = ('<div><form id="test"><input type="submit" formaction=""></form>'
+                    '<button form="test" formaction="">X</button></div>')
+        cleaner = Cleaner(
+            forms=False,
+            safe_attrs_only=False,
+        )
+        self.assertEqual(
+            expected,
+            cleaner.clean_html(html))
+
 
 def test_suite():
     suite = unittest.TestSuite() |
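Review bot: The new `'formaction'` entry in defs.py has no trailing comma before `])`, so the next attribute someone appends below it would silently concatenate into one string literal (`'formaction' 'x'` → `'formactionx'`) and never match anything; it should read `'formaction',` like the entries above it. The comment could also say why the attribute belongs in this set rather than just naming it, e.g. `# HTML5: formaction takes a URL and overrides the form's action`, since that is presumably the property the cleaner's link-attribute scrubbing keys on. The `link_attrs = frozenset([` definition starts before this hunk.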
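Review bot: The new test in test_clean.py only exercises `Cleaner(forms=False, safe_attrs_only=False)`, so the default configuration is not covered; unless `formaction` is also on the safe-attribute list, a default `Cleaner()` presumably drops the attribute outright rather than emptying it, and a second assertion with the default cleaner would pin that path as well. Both inputs use a plain lowercase `javascript:` URL; one extra case with a mixed-case or whitespace-padded scheme would also cover the scheme normalisation the cleaner is expected to apply before comparing. The leading `#` comment would read better as the method's docstring, e.g. `"""formaction overrides the form's action, so it must be scrubbed like any link attribute."""`. The enclosing `CleanerTest` class starts before this hunk.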