diff options
-rw-r--r-- | src/lxml/html/defs.py | 2 | ||||
-rw-r--r-- | src/lxml/html/tests/test_clean.py | 15 |
2 files changed, 17 insertions, 0 deletions
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py index 1b3a75b3..2058ea33 100644 --- a/src/lxml/html/defs.py +++ b/src/lxml/html/defs.py @@ -23,6 +23,8 @@ link_attrs = frozenset([ 'usemap', # Not standard: 'dynsrc', 'lowsrc', + # HTML5 formaction + 'formaction' ]) # Not in the HTML 4 spec: diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py index 0e669f98..45c2e83a 100644 --- a/src/lxml/html/tests/test_clean.py +++ b/src/lxml/html/tests/test_clean.py @@ -123,6 +123,21 @@ class CleanerTest(unittest.TestCase): b'<math><style>/* deleted */</style></math>', lxml.html.tostring(clean_html(s))) + def test_formaction_attribute_in_button_input(self): + # The formaction attribute overrides the form's action and should be + # treated as a malicious link attribute + html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>' + '<button form="test" formaction="javascript:alert(1)">X</button>') + expected = ('<div><form id="test"><input type="submit" formaction=""></form>' + '<button form="test" formaction="">X</button></div>') + cleaner = Cleaner( + forms=False, + safe_attrs_only=False, + ) + self.assertEqual( + expected, + cleaner.clean_html(html)) + def test_suite(): suite = unittest.TestSuite() |