When URLs are invalid IPv6 URLs drop the attr rather than error

pombredanne · Sep 7, 2015 · 29526c5 · 29526c5
1 parent 01b1ebb
commit 29526c5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/html5lib/sanitizer.py b/html5lib/sanitizer.py
@@ -207,7 +207,11 @@ def allowed_token(self, token, token_type):
  unescape(attrs[attr])).lower()
  # remove replacement characters from unescaped characters
  val_unescaped = val_unescaped.replace("\ufffd", "")
- uri = urlparse.urlparse(val_unescaped)
+ try:
+ uri = urlparse.urlparse(val_unescaped)
+ except ValueError:
+ uri = None
+ del attrs[attr]
  if uri and uri.scheme:
  if uri.scheme not in self.allowed_protocols:
  del attrs[attr]

diff --git a/html5lib/tests/test_sanitizer.py b/html5lib/tests/test_sanitizer.py
@@ -113,6 +113,11 @@ def test_sanitizer():
  "<audio controls=\"\" src=\"data:foobar\"></audio>",
  toxml)
 
+ yield (runSanitizerTest, "test_invalid_ipv6_url",
+ "<a>",
+ "<a href=\"h:https://]\">",
+ toxml)
+
  yield (runSanitizerTest, "test_data_uri_disallowed_type",
  "<audio controls=\"\"></audio>",
  "<audio controls=\"\" src=\"data:text/html,<html>\"></audio>",