From 116e406e8f1e826e93702bd0ef415e4846fdeeed Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Thu, 29 Jan 2026 12:10:08 +0530
Subject: [PATCH] feat(sanitize_html): allow the caller to block additional tags
Signed-off-by: Akhil Narang
---
 frappe/utils/html_utils.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/frappe/utils/html_utils.py b/frappe/utils/html_utils.py
index 091c6047db..7af5ab9907 100644
--- a/frappe/utils/html_utils.py
+++ b/frappe/utils/html_utils.py
@@ -142,7 +142,7 @@ def clean_script_and_style(html):
 return frappe.as_unicode(soup)
-def sanitize_html(html, linkify=False, always_sanitize=False):
+def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=None):
 """
 Sanitize HTML tags, attributes and style to prevent XSS attacks
 Based on nh3 clean, bleach whitelist and html5lib's Sanitizer defaults
@@ -167,6 +167,10 @@ def sanitize_html(html, linkify=False, always_sanitize=False):
 .union(["html", "head", "meta", "link", "body", "o:p"])
 )
+ # Allow caller to explicitly disallow some tags
+ if disallowed_tags:
+ tags.difference_update(disallowed_tags) + attributes = {"*": acceptable_attributes, "svg": svg_attributes}
 # returns html with escaped tags, escaped orphan >, <, etc.
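Review bot: The docstring that opens directly under the new signature does not mention `disallowed_tags`, so a caller cannot tell whether it takes an iterable of tag names, whether matching is case-sensitive, or what happens when a name is not in the allowlist to begin with. I would add a parameter line to that docstring along the lines of `disallowed_tags: iterable of lower-case tag names to remove from the default allowlist before cleaning; names not in the allowlist are ignored`. The docstring and the body of sanitize_html continue past the end of this hunk.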
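Review bot: `tags.difference_update(disallowed_tags)` fails open on two easy caller mistakes: a mixed-case name such as `"IFRAME"` never matches the lower-case allowlist entries, and a bare string such as `"iframe"` is iterated character by character, removing whichever single-letter entries (`a`, `i`, ...) happen to be in the allowlist instead of the tag the caller named. In both cases the tag the caller asked to block stays allowed and nothing signals the mistake, which is the wrong direction for a sanitizer to fail. I would normalise before applying: `if isinstance(disallowed_tags, str): disallowed_tags = [disallowed_tags]` and then `tags.difference_update(t.lower() for t in disallowed_tags)`. Removing a tag from the allowlist presumably makes the cleaner unwrap it and keep its text content rather than strip it, so the comment should say this is not a way to make script or style bodies disappear — worth confirming against the nh3 call below the hunk. The `tags` set is freshly built by the `.union(...)` in the context lines, so mutating it in place touches no shared state; the rest of sanitize_html lies outside the hunk.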