Edgewall Software

Ticket #527 (new defect)

Opened 9 months ago

Last modified 6 months ago

_strip_css_comments may be unable to delete a comment

Reported by: uchida_t <dc578av_adle@…> Owned by: cmlenz
Priority: major Milestone: 0.7
Component: General Version: 0.6
Keywords: Cc:

Description

http://genshi.edgewall.org/browser/trunk/genshi/filters/html.py?rev=1175#L541

_strip_css_comments is called only once.
So in the following description, a css comment remains.

//#!html
<div style="width: exp//**/**/ression(alert(1))">div</div>

I think this code is better. 

    def _strip_css_comments(self, text):
        while True:
            s = self._CSS_COMMENTS('', text)
            if s == text:
                return s

Attachments

Change History

in reply to: ↑ description   Changed 9 months ago by dc578av_adle@…

Replying to uchida_t <dc578av_adle@…>:

{{{ #!python def _strip_css_comments(self, text): while True: s = self._CSS_COMMENTS(, text) if s == text: return s }}}

Sorry 

    def _strip_css_comments(self, text):
        while True:
            s = self._CSS_COMMENTS('', text)
            if s == text:
                return s
            text = s

Add/Change #527 (_strip_css_comments may be unable to delete a comment)

Author


E-mail address and user name can be saved in the Preferences.


Change Properties
<Author field>
Action
as new
as The resolution will be set. Next status will be 'closed'
to The owner will change from cmlenz. Next status will be 'new'
The owner will change from cmlenz to anonymous. Next status will be 'assigned'
 
Note: See TracTickets for help on using tickets.