FIX: Allow multiple inlined image data links in html clean #5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add a lazy quantifier in the regex `_find_image_dataurls`
to match as few characters as possible,
to make it stop at the first occurence of `;base64,`
e.g.
```py
>>> _find_image_dataurls = re.compile(r'data:image/(.+);base64,', re.I).findall
>>> _find_image_dataurls('<div style="background: url(data:image/jpeg;base64,foo); background-image: url(data:image/jpeg;base64,foo);"></div>')
['jpeg;base64,foo); background-image: url(data:image/jpeg']
```
```py
>>> _find_image_dataurls = re.compile(r'data:image/(.+?);base64,', re.I).findall
>>> _find_image_dataurls('<div style="background: url(data:image/jpeg;base64,foo); background-image: url(data:image/jpeg;base64,foo);"></div>')
['jpeg', 'jpeg']
```
This allows to have multiple image data links on the same line,
which happens for instance in inline styles.
Without this change, `_has_javascript_scheme` returns `True`
because the count of safe image urls is lower than the number of
possible malicious scheme.
Then, the whole style is dropped as considered malicious.
Co-authored-by: Christophe Simonis <chs@odoo.com>
|
Thank you for your contribution. I'll look at this closely but not sooner than next week. |
|
I like this change. The problem in the CI is unrelated to this PR. I'm gonna try to fix it and then merge the PR. Do you need a new release? |
No problem, take your time :)
We do not need. We use lxml 4.8.0 and we cannot, in our stable releases, suddenly bump the version to a new release neither we can suddenly add a new dependency to this |
frenzymadness
force-pushed
the
main-fix-find-image-data-urls-dle
branch
2 times, most recently
from
3b2e167
to
ce8ae68
Compare
|
In the end, no hotfix on our side is needed. Thank you once more. |
|
Thanks 😚 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a lazy quantifier in the regex
_find_image_dataurlsto match as few characters as possible,to make it stop at the first occurence of
;base64,e.g.
This allows to have multiple image data links on the same line, which happens for instance in inline styles.
Without this change,
_has_javascript_schemereturnsTruebecause the count of safe image urls is lower than the number of possible malicious scheme.Then, the whole style is dropped as considered malicious.