lxml

Allow data attributes through Cleaner

Bug #1888154 reported by Kevin Chung
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxml
Confirmed
Low
Unassigned

Bug Description

Python : sys.version_info(major=3, minor=8, micro=3, releaselevel='final', serial=0)
lxml.etree : (4, 5, 2, 0)
libxml used : (2, 9, 10)
libxml compiled : (2, 9, 10)
libxslt used : (1, 1, 34)
libxslt compiled : (1, 1, 34)

Data attributes (https://developer.mozilla.org/en-US/docs/Learn/HTML/Howto/Use_data_attributes) don't inherently have any security risk to my understanding.

There doesn't seem to be a way to allow all data attributes through the Cleaner without explicitly whitelisting every possibility via safe_attrs.

Is there a possibility to add something like Cleaner(allow_data_attributes=True) or something to that extent?

Revision history for this message
Kevin Chung (kchung) wrote :

Looking at the lxml cleaner code, I don't think I'd be able to create a custom safe_attrs object either b/c it is explicitly cast to set() before it's used.

Revision history for this message
Kevin Chung (kchung) wrote :

Digging through the idea here I actually think this is likely to expose unintended insecurity because of people passing functions in data attributes.

Revision history for this message
Kevin Chung (kchung) wrote :

Actually, I think I misunderstood Bootstrap's idea of options. It seemed to suggest that you could pass functions via data attribute but I don't think that's actually the case.

Revision history for this message
Kevin Chung (kchung) wrote :

Reading docs more carefully, data attributes are defined as strings so they would not really have an direct XSS capability without allowing Javascript.

Thus I'm fairly confident that something like `Cleaner(allow_data_attrs=True)` won't introduce some XSS issue.

Revision history for this message
scoder (scoder) wrote :

If it's a new option, then users can decide what they want, so this doesn't introduce any problems by itself.

PR welcome.

Changed in lxml:
importance: Undecided → Low
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.