feat(sanitize_html): allow the caller to block additional tags

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
Akhil Narang 2026-01-29 12:10:08 +05:30
parent 8f22340482
commit 116e406e8f


@ -142,7 +142,7 @@ def clean_script_and_style(html):
return frappe.as_unicode(soup)
def sanitize_html(html, linkify=False, always_sanitize=False):
def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=None):
"""
Sanitize HTML tags, attributes and style to prevent XSS attacks
Based on nh3 clean, bleach whitelist and html5lib's Sanitizer defaults
@ -167,6 +167,10 @@ def sanitize_html(html, linkify=False, always_sanitize=False):
.union(["html", "head", "meta", "link", "body", "o:p"])
)
# Allow caller to explicitly disallow some tags
if disallowed_tags:
tags.difference_update(disallowed_tags)
attributes = {"*": acceptable_attributes, "svg": svg_attributes}
# returns html with escaped tags, escaped orphan >, <, etc.
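Review bot: The new filter `tags.difference_update(disallowed_tags)` compares caller-supplied names verbatim against an allow-list whose entries are lowercase (`"html", "head", "meta", ...`), so a caller passing `"IMG"` or `"Script"` removes nothing and the tag stays permitted with no error; normalise before subtracting, e.g. `tags.difference_update(t.lower() for t in disallowed_tags)`. A bare string argument is also iterated character by character by `difference_update`, which again silently blocks nothing, so a guard such as `if isinstance(disallowed_tags, str): disallowed_tags = [disallowed_tags]` is worth adding in front of it. Presumably dropping a tag from the allow-list only strips the element while its text content survives (the sanitiser call itself is outside this hunk), so a caller that expects the inner content to disappear as well needs a separate mechanism — worth stating in the docstring. The docstring at the top of `sanitize_html` is not updated for the new parameter; add a line like `disallowed_tags: iterable of lowercase tag names to remove from the default allow-list before sanitising`. The function body continues outside the hunk.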