Edgewall Software

Version 1 (modified by cmlenz, 5 years ago)


genshi.filters.html


Implementation of a number of stream filters.


A stream filter that can populate HTML forms from a dictionary of values.

>>> from genshi.filters import HTMLFormFiller
>>> from genshi.input import HTML
>>> html = HTML('''<form>
...   <p><input type="text" name="foo" /></p>
... </form>''')
>>> filler = HTMLFormFiller(data={'foo': 'bar'})
>>> print(html | filler)
<form>
  <p><input type="text" name="foo" value="bar"/></p>
</form>


A filter that removes potentially dangerous HTML tags and attributes from the stream.

>>> from genshi import HTML
>>> from genshi.filters import HTMLSanitizer
>>> html = HTML('<div><script>alert(document.cookie)</script></div>')
>>> print(html | HTMLSanitizer())
<div/>

The default set of safe tags and attributes can be modified when the filter is instantiated. For example, to allow inline style attributes, the following instantiation would work:

>>> html = HTML('<div style="background: #000"></div>')
>>> sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style']))
>>> print(html | sanitizer)
<div style="background: #000"/>

Note that even in this case, the filter does attempt to remove dangerous constructs from style attributes:

>>> html = HTML('<div style="background: url(javascript:void); color: #000"></div>')
>>> print(html | sanitizer)
<div style="color: #000"/>

This handles HTML entities, unicode escapes in CSS and JavaScript text, as well as a lot of other things. However, the style tag is still excluded by default because it is very hard for such sanitizing to be completely safe, especially considering how much error recovery current web browsers perform.

It also does some basic filtering of CSS properties that may be used for typical phishing attacks. For more sophisticated filtering, this class provides a couple of hooks that can be overridden in sub-classes.

Warning: Note that this special processing of CSS is currently only applied to style attributes, not style elements.

is_safe_css(self, propname, value)

Determine whether the given css property declaration is to be considered safe for inclusion in the output.

param propname: the CSS property name
param value: the value of the property
return: whether the property value should be considered safe
since: version 0.6

is_safe_elem(self, tag, attrs)

Determine whether the given element should be considered safe for inclusion in the output.

param tag: the tag name of the element
type tag: QName
param attrs: the element attributes
type attrs: Attrs
return: whether the element should be considered safe
since: version 0.6

is_safe_uri(self, uri)

Determine whether the given URI is to be considered safe for inclusion in the output.

The default implementation checks whether the scheme of the URI is in the set of allowed URIs (safe_schemes).

>>> sanitizer = HTMLSanitizer()
>>> sanitizer.is_safe_uri('http://example.org/')
True
>>> sanitizer.is_safe_uri('javascript:alert(document.cookie)')
False

param uri: the URI to check
return: True if the URI can be considered safe, False otherwise
since: version 0.4.3

sanitize_css(self, text)

Remove potentially dangerous property declarations from CSS code.

In particular, properties using the CSS url() function with a scheme that is not considered safe are removed:

>>> sanitizer = HTMLSanitizer()
>>> sanitizer.sanitize_css(u'''
...   background: url(javascript:alert("foo"));
...   color: #000;
... ''')
[u'color: #000']

Also, the proprietary Internet Explorer function expression() is always stripped:

>>> sanitizer.sanitize_css(u'''
...   background: #fff;
...   color: #000;
...   width: e/**/xpression(alert("foo"));
... ''')
[u'background: #fff', u'color: #000']

param text: the CSS text; this is expected to be unicode and to not contain any character or numeric references
return: a list of declarations that are considered safe
since: version 0.4.3
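
The order of checks that the is_safe_uri and sanitize_css descriptions imply, as an added standard-library sketch (not Genshi's code): CSS escapes are decoded and comments stripped before expression() and url() schemes are tested, so variants such as e/**/xpression or an escaped first letter do not slip past the patterns. SAFE_SCHEMES, the regular expressions and all function bodies are assumptions of this example.

```python
import re

# Assumption of this sketch: the scheme allowlist is chosen here, not read from Genshi.
SAFE_SCHEMES = frozenset(["http", "https", "mailto", "ftp"])

_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")     # CSS escapes such as "\65 "
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_EXPRESSION = re.compile(r"expression\s*\(", re.I)
_URL = re.compile(r"url\(\s*[\"']?([^)\"']*)", re.I)


def is_safe_uri(uri):
    """Accept relative URIs and absolute URIs whose scheme is allowlisted."""
    uri = uri.split("#", 1)[0]          # a fragment cannot change the scheme
    if ":" not in uri:
        return True                     # relative reference
    return uri.split(":", 1)[0].strip().lower() in SAFE_SCHEMES


def _decode_escape(match):
    code = int(match.group(1), 16)
    return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"


def normalize_css(text):
    """Decode escapes, then drop comments, before any pattern is matched."""
    return _COMMENT.sub("", _ESCAPE.sub(_decode_escape, text))


def sanitize_css(text):
    """Return the declarations that pass the expression() and url() checks."""
    safe = []
    for decl in normalize_css(text).split(";"):   # naive split: no quoted ';'
        decl = decl.strip()
        if ":" not in decl:
            continue
        value = decl.split(":", 1)[1]
        if _EXPRESSION.search(value):
            continue
        if all(is_safe_uri(m.group(1)) for m in _URL.finditer(value)):
            safe.append(decl)
    return safe


# Constructed inputs: the page's two cases plus two escape-obfuscated variants.
print(sanitize_css('background: url(javascript:alert("foo")); color: #000;'))
print(sanitize_css('background: #fff; width: e/**/xpression(alert("foo"));'))
print(sanitize_css(r"width: \65xpression(alert(1)); color: #000"))
print(sanitize_css(r"background: url(\6a avascript:alert(1)); margin: 0"))
```

Running the pattern checks on the raw text instead of the output of normalize_css lets the comment-split and escaped variants through, which is why normalization comes first.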

See Using Stream Filters, ApiDocs/0.6.x, Documentation