Comments (7)
I'm going to re-open this to cover two changes:
- Add a note to the clean docs about how if you're allowing the `style` attribute, you should also set a `css_sanitizer`, otherwise the style value will be truncated.
- Change the code to emit a Python warning when `style` is allowed, but the `css_sanitizer` is not set.
from bleach.
Did you install the `css` extras?
https://bleach.readthedocs.io/en/latest/clean.html#sanitizing-css
from bleach.
Oh sorry I didn't. It's probably just that. I'll do that and reopen if needed. Thanks!
from bleach.
Can I get some help with this? The thing you're hitting is this:
Lines 555 to 561 in 6cd4d52
Would it have helped if Bleach had emitted a Python warning because you've got "style" as an allowed attribute, but hadn't specified a `css_sanitizer`? If not that, should it throw an exception? I'm pretty sure the situation indicates a mistake, and a developer would want to know about it rather than run into the problem you just had. I can't think of a case where you'd want to be in that situation (specifying `style` as allowed, but not wanting the CSS sanitized), but I didn't know if I was lacking imagination or not. What do you think?
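For illustration, the warning idea could be sketched roughly like this. It is not Bleach's code: `MissingCssSanitizerWarning`, `style_is_allowed`, and `check_config` are hypothetical names, and the sketch only inspects the list and dict shapes of an attribute allow list.

```python
import warnings


class MissingCssSanitizerWarning(UserWarning):
    """Hypothetical warning category for this sketch (not Bleach's own class)."""


def style_is_allowed(attributes):
    """Return True if the attribute allow list permits ``style``.

    Only list-like and dict allow lists are inspected; callables are
    skipped because their decision cannot be known up front.
    """
    if callable(attributes):
        return False
    if isinstance(attributes, dict):
        return any(
            "style" in names
            for names in attributes.values()
            if not callable(names)
        )
    return "style" in attributes


def check_config(attributes, css_sanitizer=None):
    """Warn when ``style`` is allowed but no CSS sanitizer was provided."""
    if css_sanitizer is None and style_is_allowed(attributes):
        warnings.warn(
            "'style' is an allowed attribute but no css_sanitizer is set; "
            "style values will not be preserved",
            MissingCssSanitizerWarning,
            stacklevel=2,
        )


if __name__ == "__main__":
    # Emits a warning: style is allowed on span, no sanitizer given.
    check_config({"span": ["style"]})
```

A warning rather than an exception keeps existing setups running while still surfacing the likely mistake; callers who want it to be fatal can turn it into an error with `warnings.simplefilter("error", MissingCssSanitizerWarning)`.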
from bleach.
Sure! So, first of all, installing and using the css extras fixed my issue.
But as you suggested, I do think it would have been very nice to have a Python warning or error about that. Being a bit new to bleach and just wanting to adjust my previous basic bleaching to now allow for KaTeX markup, I looked at the docs and the issues here, but did not get at first that the css extras would be relevant. I saw the `css_sanitizer` option in `Cleaner`, but I thought that a value of `None` meant the CSS would simply not be parsed or sanitized.
I think it's not crazy to think that at first (after all, it feels natural that "None" sanitizer would sanitize nothing), even though I understand that not sanitizing the css would rarely be the correct call.
from bleach.
Related to this is the question of what tags and styles we should allow for KaTeX, as it is not necessarily trivial to get the complete list.
More generally, say you trust a plugin's output in theory (not saying I trust KaTeX output specifically): if that plugin uses a lot of tags, you end up allowing a lot of tags you wouldn't normally have allowed. The allowed-tags approach seems kind of flawed in that case. I don't know if there is a better way in these kinds of cases, like maybe treating parts separately...
from bleach.
Having a context-aware allow list could help here. Bleach definitely doesn't support that currently. It feels like it'd be hard to implement because the stripping/escaping for tags is spread across a few classes, but maybe that's not true. You could try looking into that.
from bleach.