plone3  3.1.7
PortalTransforms.transforms.safe_html Namespace Reference

Classes

class  StrippingParser
class  SafeHTML

Functions

def hasScript
def decode_htmlentities
def decode_htmlentity
def scrubHTML
def register

Variables

tuple VALID_TAGS = VALID_TAGS.copy()
tuple NASTY_TAGS = NASTY_TAGS.copy()
string msg_pat

Function Documentation

def PortalTransforms.transforms.safe_html.decode_htmlentities ( s )

XSS code can be hidden with htmlentities

Definition at line 40 of file safe_html.py.

import re

def decode_htmlentities(s):
    """ XSS code can be hidden with htmlentities """

    # numeric character references, decimal (&#106;) or hex (&#x6a;);
    # the closing semicolon is optional because browsers accept it missing
    entity_pattern = re.compile(r"&#(?P<htmlentity>x?\w+)?;?")
    s = entity_pattern.sub(decode_htmlentity, s)
    return s

def PortalTransforms.transforms.safe_html.decode_htmlentity ( m )

Definition at line 47 of file safe_html.py.

def decode_htmlentity(m):
    entity_value = m.groupdict()['htmlentity']
    if entity_value is None:
        # a bare "&#" with nothing after it: there is no reference to
        # decode, so keep the matched text unchanged
        return m.group(0)
    if entity_value.lower().startswith('x'):
        # hex reference, e.g. "x6a"; "0x6a" is what int() parses
        try:
            return chr(int('0' + entity_value, 16))
        except ValueError:
            return entity_value
    # decimal reference, e.g. "106"
    try:
        return chr(int(entity_value))
    except ValueError:
        return entity_value

def PortalTransforms.transforms.safe_html.hasScript ( s )

Dig out evil Java/VB script inside an HTML attribute

Definition at line 32 of file safe_html.py.

def hasScript(s):
    """ Dig out evil Java/VB script inside an HTML attribute """

    # look for "script:" and "expression", allowing whitespace between the
    # letters so that split-up spellings are still found
    javascript_pattern = re.compile(
        r"([\s\n]*?s[\s\n]*?c[\s\n]*?r[\s\n]*?i[\s\n]*?p[\s\n]*?t[\s\n]*?:)"
        r"|([\s\n]*?e[\s\n]*?x[\s\n]*?p[\s\n]*?r[\s\n]*?e[\s\n]*?s[\s\n]*?s[\s\n]*?i[\s\n]*?o[\s\n]*?n)",
        re.DOTALL | re.IGNORECASE)
    # decode numeric entities first so encoded letters cannot hide the match
    s = decode_htmlentities(s)
    return javascript_pattern.findall(s)
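
As an added illustration (not Plone's code), the decode-then-match check that hasScript performs on an attribute value, re-implemented stand-alone with separate decimal and hex reference handling and a guard for code points that are not valid characters; the function names and sample values are constructed for this example.

```python
import re

# Numeric character references, decimal (&#106;) or hex (&#x6a;); the closing
# semicolon is optional because browsers tolerate its absence, so the filter
# must decode those forms as well.
_NUMERIC_ENTITY = re.compile(r"&#(?:x(?P<hex>[0-9a-fA-F]+)|(?P<dec>[0-9]+));?",
                             re.IGNORECASE)

# "script:" (javascript:/vbscript: URLs) and CSS "expression", with any
# whitespace allowed between the letters, as the page's hasScript pattern does.
_SCRIPT_PATTERN = re.compile(
    r"s\s*c\s*r\s*i\s*p\s*t\s*:|e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n",
    re.IGNORECASE)


def decode_numeric_entities(s):
    """Replace &#NNN; / &#xHH; references with the characters they encode."""
    def _decode(m):
        if m.group("hex") is not None:
            code_point = int(m.group("hex"), 16)
        else:
            code_point = int(m.group("dec"), 10)
        try:
            return chr(code_point)
        except (ValueError, OverflowError):
            # beyond U+10FFFF: not a valid character, keep the raw text
            return m.group(0)
    return _NUMERIC_ENTITY.sub(_decode, s)


def has_script(attribute_value):
    """True if the decoded attribute value carries a script: URL or expression()."""
    decoded = decode_numeric_entities(attribute_value)
    return _SCRIPT_PATTERN.search(decoded) is not None


if __name__ == "__main__":
    # constructed sample attribute values: the first three hide "javascript:"
    # behind entities or whitespace, the last two are harmless
    samples = ["jav&#x61;script:alert(1)", "&#106;avascript:alert(1)",
               "javas\ncript:alert(1)", "http://example.com/", "&#;"]
    for value in samples:
        print("%-28r -> %s" % (value, has_script(value)))
```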

def PortalTransforms.transforms.safe_html.register ( )

Definition at line 259 of file safe_html.py.

def register():
    return SafeHTML()

def PortalTransforms.transforms.safe_html.scrubHTML ( html, valid = VALID_TAGS, nasty = NASTY_TAGS, remove_javascript = True, raise_error = True )

Strip illegal HTML tags from string text.

Definition at line 148 of file safe_html.py.

def scrubHTML(html, valid=VALID_TAGS, nasty=NASTY_TAGS,
              remove_javascript=True, raise_error=True):

    """ Strip illegal HTML tags from string text.
    """
    # StrippingParser (defined in this module) does the filtering;
    # the tag lists and flags are passed through unchanged
    parser = StrippingParser(valid=valid, nasty=nasty,
                             remove_javascript=remove_javascript,
                             raise_error=raise_error)
    parser.feed(html)
    parser.close()
    return parser.getResult()


Variable Documentation

string PortalTransforms.transforms.safe_html.msg_pat

Initial value:
"""
<div class="system-message">
<p class="system-message-title">System message: %s</p>
%s</div>
"""

Definition at line 26 of file safe_html.py.

tuple PortalTransforms.transforms.safe_html.NASTY_TAGS = NASTY_TAGS.copy()

Definition at line 17 of file safe_html.py.

tuple PortalTransforms.transforms.safe_html.VALID_TAGS = VALID_TAGS.copy()

Definition at line 16 of file safe_html.py.