Problem with filtering some css-style data

ente...@googlemail.com

Jul 31, 2008, 5:27:07 AM
to cssutils
Dear Mailinglist :-)

I have just written a small css-style filter for one of my applications
that filters things like `background-image` from HTML tags' `style`
attribute to avoid some XSS security holes.

The code is pasted here: http://paste.pocoo.org/show/80793/

My problem now is that the output I get is somewhat confusing:
(e.g)
<span style=";&#10;width: 50%;&#10;color: #412313">text2</span>

Any idea where the `&#10` comes from and how I can get better-looking
output, such as:

<span style="width: 50%;color: #412313">text2</span>


Hope you can help me :)

Regards,
Christopher Grebs

see

Jul 31, 2008, 3:38:22 PM
to cssutils
hi,
you use quite a few private methods so your code might easily break in
the future ;)

A more stable and also simpler function would be
(http://paste.pocoo.org/show/80858/):

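from cssutils.css import CSSStyleDeclaration

# _allowed_properties_re: the compiled pattern of allowed properties
# from the original paste

def filter_style(css):
    if css is None:
        return None

    # renamed from "sheet" as only a style declaration
    style = CSSStyleDeclaration(css)
    # iterate over a copy, as properties are deleted inside the loop
    for property in list(style):
        name = property.name
        if not _allowed_properties_re.match(name):
            print(u"removing %r" % name)
            del style[name]

    # normally style.cssText but there is another method:
    return style.getCssText(separator='')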

You don't need the special _parse method nor the special serializer
(the only thing you need to keep is the list of allowed properties).

hope this helps

Christof
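
Added example, not code from either poster or from cssutils: a stdlib-only allowlist filter showing why a newline separator between declarations surfaces as `&#10;` (the character reference for a line feed) once the value is escaped into an attribute, and why an empty separator avoids it. The allowlist, the value pattern, the `;` split standing in for cssutils parsing, and `xml.sax.saxutils.quoteattr` standing in for the poster's HTML serializer are all assumptions.

```python
import re
from xml.sax.saxutils import quoteattr

# Assumed allowlist for this example; the list from the original paste is not on the page.
ALLOWED_PROPERTIES = {"width", "height", "color", "text-align", "font-weight"}
# Conservative value pattern: no parentheses, quotes or backslashes,
# so function-style values such as url(...) never pass.
SAFE_VALUE_RE = re.compile(r"[#%.,\w\s-]+", re.ASCII)


def filter_style(css, separator=""):
    """Return only allowlisted declarations, joined as 'a: b;<sep>c: d'."""
    if css is None:
        return None
    kept = []
    # Naive split on ';' (a stand-in for a real CSS parser such as cssutils).
    # A ';' inside a quoted string splits wrongly, but such fragments fail
    # the name or value check, so the filter fails closed.
    for declaration in css.split(";"):
        name, colon, value = declaration.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not colon or name not in ALLOWED_PROPERTIES:
            continue
        if not SAFE_VALUE_RE.fullmatch(value):
            continue
        kept.append("%s: %s" % (name, value))
    return (";" + separator).join(kept)


def style_attribute(css, separator=""):
    """Serialize the filtered style as an escaped attribute (quoteattr escapes newlines)."""
    return "style=" + quoteattr(filter_style(css, separator) or "")


# Constructed sample input, modelled on the span in the question.
SAMPLE = "background-image: url(x.png);\nwidth: 50%;\ncolor: #412313"

if __name__ == "__main__":
    print(style_attribute(SAMPLE, separator="\n"))  # newline separator
    print(style_attribute(SAMPLE))                  # empty separator
```
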

