Blame SOURCES/CVE-2021-28957.patch
|
 |
567b75 |
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
|
|
|
567b75 |
index caf6b21..ea3c016 100644
|
|
|
567b75 |
--- a/src/lxml/html/defs.py
|
|
|
567b75 |
+++ b/src/lxml/html/defs.py
|
|
|
567b75 |
@@ -21,6 +21,8 @@ link_attrs = frozenset([
|
|
|
567b75 |
'usemap',
|
|
|
567b75 |
# Not standard:
|
|
|
567b75 |
'dynsrc', 'lowsrc',
|
|
|
567b75 |
+ # HTML5 formaction
|
|
|
567b75 |
+ 'formaction'
|
|
|
567b75 |
])
|
|
|
567b75 |
|
|
|
567b75 |
# Not in the HTML 4 spec:
|
|
|
567b75 |
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
|
|
|
567b75 |
index 451eec2..e40cdad 100644
|
|
|
567b75 |
--- a/src/lxml/html/tests/test_clean.py
|
|
|
567b75 |
+++ b/src/lxml/html/tests/test_clean.py
|
|
|
567b75 |
@@ -89,6 +89,21 @@ class CleanerTest(unittest.TestCase):
|
|
|
567b75 |
b'<math><style>/* deleted */</style></math>',
|
|
|
567b75 |
lxml.html.tostring(clean_html(s)))
|
|
|
567b75 |
|
|
|
567b75 |
+ def test_formaction_attribute_in_button_input(self):
|
|
|
567b75 |
+ # The formaction attribute overrides the form's action and should be
|
|
|
567b75 |
+ # treated as a malicious link attribute
|
|
|
567b75 |
+ html = ('<form id="test"><input type="submit" formaction="javascript:alert(1)"></form>'
|
|
|
567b75 |
+ '<button form="test" formaction="javascript:alert(1)">X</button>')
|
|
|
567b75 |
+ expected = ('<form id="test"><input type="submit" formaction=""></form>'
|
|
|
567b75 |
+ '<button form="test" formaction="">X</button>')
|
|
|
567b75 |
+ cleaner = Cleaner(
|
|
|
567b75 |
+ forms=False,
|
|
|
567b75 |
+ safe_attrs_only=False,
|
|
|
567b75 |
+ )
|
|
|
567b75 |
+ self.assertEqual(
|
|
|
567b75 |
+ expected,
|
|
|
567b75 |
+ cleaner.clean_html(html))
|
|
|
567b75 |
+
|
|
|
567b75 |
|
|
|
567b75 |
def test_suite():
|
|
|
567b75 |
suite = unittest.TestSuite()
|