remove xss leave some extra attribute

Bug #2002307 reported by nattapong ratanasuwan
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| lxml | New | Undecided | Unassigned | |

Bug Description

```python
from lxml.html.clean import Cleaner

cleaner = Cleaner(
    style=True,
    links=True,
    add_nofollow=True,
    page_structure=False,
    safe_attrs_only=False,
)

raw_description = '<b onmouseover=alert("XSS testing!")>Test</b>'
cleaner.clean_html(raw_description)
```

Actual:
```
<b testing>Test</b>\n
```
Expected:
```
<b>Test</b>
```

It should not have the attribute `testing`.
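
A likely reading of the output above, as an added example (not part of the original report and not lxml's code): the unquoted attribute value ends at the first space, so the tag carries two attributes, and a filter that only drops `on*` handlers keeps the second one. It uses Python's standard-library `html.parser` in place of lxml's parser, which tokenizes the leftover name slightly differently (the report shows `testing`); `SAFE_ATTRS`, `tokenize_attrs` and `filter_attrs` are hypothetical names, and the allowlist is constructed.

```python
from html.parser import HTMLParser

# Constructed allowlist for illustration; lxml ships its own, larger set.
SAFE_ATTRS = {"href", "title", "alt", "class"}


class AttrCollector(HTMLParser):
    """Record (tag, attrs) for every start tag, as the tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def tokenize_attrs(markup):
    """Return the attribute list of the first start tag in `markup`."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


def filter_attrs(attrs, safe_attrs_only):
    """Simplified model of two policies (an assumption, not lxml's implementation).

    Denylist: drop event handlers (names starting with "on"), keep the rest.
    Allowlist: keep only names listed in SAFE_ATTRS.
    """
    if safe_attrs_only:
        return [(n, v) for n, v in attrs if n in SAFE_ATTRS]
    return [(n, v) for n, v in attrs if not n.startswith("on")]


# Input taken from the report above.
RAW = '<b onmouseover=alert("XSS testing!")>Test</b>'

if __name__ == "__main__":
    attrs = tokenize_attrs(RAW)
    print("tokenized:", attrs)
    print("denylist :", filter_attrs(attrs, safe_attrs_only=False))
    print("allowlist:", filter_attrs(attrs, safe_attrs_only=True))
```

With `safe_attrs_only=True`, which is the `Cleaner` default, an attribute name outside the allowlist is dropped along with the handler.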
