TechQA.

bleach stripping style that should be allowed

Asked by dabadaba on 24 January 2021 at 12:22 (882 views)

I have the following string:

html = '<div id="cover" style="display: block; height: 682px"><div class="cover-desktop hidden-xs" style="background-image: linear-gradient(rgba(0, 0, 0, 0.45), rgba(0, 0, 0, 0.45)), url(\'/site_media/covers/cover.jpg\')"></div></div>'

And these are my options:

import bleach

# bleach 3.x (the Python 2.7 era release): ALLOWED_TAGS is a plain list, so it can be extended
ALLOWED_TAGS = bleach.sanitizer.ALLOWED_TAGS + [
    'p',
    'div',
    'table',
    'br',
    'style'
]
ALLOWED_STYLES = ['display', 'height', 'background-image']
ALLOWED_ATTRIBUTES = {
    '*': ['id', 'class', 'style']
}

However, when running bleach.clean, the background-image style is getting stripped:

cleaned_html = bleach.clean(html, tags=ALLOWED_TAGS, styles=ALLOWED_STYLES, attributes=ALLOWED_ATTRIBUTES)

Output:

u'<div id="cover" style="display: block; height: 682px;"><div class="cover-desktop hidden-xs" style=""></div></div>'

Why? And how can I fix that?

In fact, how can I allow any style? '*' doesn't do the trick.

edit: it turns out it's because of the background image url(). If a rule contains url it just gets stripped. Here's their code in BleachSanitizerFilter.sanitize_css:

# Drop any url values before we do anything else
style = re.compile(r"url\s*\(\s*[^\s)]+?\s*\)\s*").sub(" ", style)

So how am I supposed to allow background-image property then?

python python-2.7 sanitization bleach
There is 1 answer

Answered by zeyad moustafa on 26 March 2023 at 23:32

I am using bleach 6.0 and I am adding CSS styles like this:

import bleach
from bleach.css_sanitizer import CSSSanitizer

ALLOWED_TAGS = ['p', 'strong', 'em', 'ul', 'ol', 'li', "a", "abbr",
                "acronym", "b", "blockquote", "code", "i", 'span']
# Copy the library default rather than mutating bleach's module-level dict in place
ALLOWED_ATTRIBUTES = dict(bleach.sanitizer.ALLOWED_ATTRIBUTES)
ALLOWED_ATTRIBUTES['span'] = ['style']

ALLOWED_STYLES = ['color', 'font-family', 'font-size', 'font-style', 'font-weight', 'text-align', 'text-decoration', 'text-indent',
                  'background-color', 'background-image', 'background-repeat', 'background-size', 'border', 'border-bottom',
                  'border-left', 'border-radius', 'border-right', 'border-top', 'margin', 'margin-bottom', 'margin-left',
                  'margin-right', 'margin-top', 'padding', 'padding-bottom', 'padding-left', 'padding-right', 'padding-top',
                  'line-height', 'letter-spacing', 'word-spacing']

# bleach 6 no longer accepts styles=; allowed CSS properties are configured through a CSSSanitizer
css_sanitizer = CSSSanitizer(allowed_css_properties=ALLOWED_STYLES)

# description holds the untrusted HTML to be cleaned
cleaned_description = bleach.clean(description, tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES, css_sanitizer=css_sanitizer)

I hope this works for you or anybody facing this problem; you can see the documentation for more details.
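The bleach build in the question dropped every url() value inside sanitize_css, while the bleach 6 CSSSanitizer in the answer keeps url() values of allowed properties untouched, so the application itself has to decide which image URLs are acceptable. As an added example (not bleach's code and not either poster's), here is a stdlib-only second pass over a style attribute value that keeps only url() targets under one same-origin path; the /site_media/ prefix, the helper names and the sample style are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: background images may only come from this same-origin path.
ALLOWED_URL_PREFIX = "/site_media/"

# url(...) with a single-quoted, double-quoted or bare argument (CSS escapes not interpreted).
URL_RE = re.compile(r"""url\(\s*(?:'([^']*)'|"([^"]*)"|([^\s)'"]+))\s*\)""", re.IGNORECASE)

def url_is_allowed(target):
    """True only for a relative path under ALLOWED_URL_PREFIX with no '..' segment."""
    parts = urlsplit(target.strip())
    if parts.scheme or parts.netloc:  # rejects http(s)://, data:, //host/... and the like
        return False
    return parts.path.startswith(ALLOWED_URL_PREFIX) and ".." not in parts.path.split("/")

def split_declarations(style):
    """Split a style value on ';' outside quotes and parentheses, so url("a;b") stays whole."""
    decls, buf, quote, depth = [], [], None, 0
    for ch in style:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch in "()":
            depth = max(depth + (1 if ch == "(" else -1), 0)
        elif ch == ";" and depth == 0:
            decls.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    decls.append("".join(buf))
    return [d.strip() for d in decls if d.strip()]

def restrict_style_urls(style):
    """Drop every declaration containing a disallowed url(); keep the others verbatim."""
    kept = []
    for decl in split_declarations(style):
        targets = ["".join(groups) for groups in URL_RE.findall(decl)]
        if all(url_is_allowed(t) for t in targets):
            kept.append(decl)
    return "; ".join(kept)

# Constructed sample: the question's style plus one remote image that must be dropped.
SAMPLE_STYLE = ("background-image: linear-gradient(rgba(0, 0, 0, 0.45), rgba(0, 0, 0, 0.45)), "
                "url('/site_media/covers/cover.jpg'); "
                "background-image: url(https://tracker.example/pixel.gif); display: block")
```

Run it on the style value after bleach.clean, or from a CSSSanitizer subclass's sanitize_css; a declaration with any disallowed url() is dropped whole, which also removes remote tracking images and data: URLs.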
