From cafd2c920db23fc1f7a2e2b6988d59d1a95e000b Mon Sep 17 00:00:00 2001
From: Faris Ansari
Date: Mon, 8 Aug 2022 18:36:54 +0530
Subject: [PATCH 1/2] fix(sanitize-html): allow all data-* attrs

---
 frappe/utils/html_utils.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/frappe/utils/html_utils.py b/frappe/utils/html_utils.py
index b9d0e8dfe2..fa84170330 100644
--- a/frappe/utils/html_utils.py
+++ b/frappe/utils/html_utils.py
@@ -162,7 +162,13 @@ def sanitize_html(html, linkify=False):
 + mathml_elements
 + ["html", "head", "meta", "link", "body", "style", "o:p"]
 )
- attributes = {"*": acceptable_attributes, "svg": svg_attributes}
+
+ def attributes_filter(tag, name, value):
+ if name.startswith("data-"):
+ return True
+ return name in acceptable_attributes
+
+ attributes = {"*": attributes_filter, "svg": svg_attributes}
 styles = bleach_allowlist.all_styles
 strip_comments = False

From 28fc208b511fe624f8e0f27aa376ad75845bcdb0 Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Tue, 9 Aug 2022 14:47:18 +0530
Subject: [PATCH 2/2] test: sanitize_html attributes behaviour

---
 frappe/tests/test_utils.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/frappe/tests/test_utils.py b/frappe/tests/test_utils.py
index e903c655b0..e68e8372af 100644
--- a/frappe/tests/test_utils.py
+++ b/frappe/tests/test_utils.py
@@ -254,6 +254,13 @@ class TestHTMLUtils(unittest.TestCase): self.assertTrue("
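Review bot: `attributes_filter` admits every `data-*` name unconditionally while leaving the value untouched, and as far as I can tell bleach only validates the values of URI-bearing attributes (`href`, `src`, …), so arbitrary `data-*` values now pass through sanitize_html unchecked. Frappe's client is a jQuery/Bootstrap application that acts on `data-*` attributes (Bootstrap's data API, for one), so opening the whole namespace lets sanitized user-supplied HTML steer more client behaviour than the previous fixed allow-list did; if a specific attribute set is what is needed, a narrower prefix check or an explicit list would be safer, and either way the decision deserves a comment such as `# any data-* attribute passes; bleach does not validate its value` above the `if`. The `tag` and `value` parameters are unused but required by bleach's attribute-callback signature, which is worth a one-line note so a later cleanup does not drop them. sanitize_html starts and ends outside the hunk.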

Hello

" in clean) self.assertTrue('text' in clean) + def test_sanitize_html(self): + from frappe.utils.html_utils import sanitize_html + + clean = sanitize_html("
    ") + self.assertIn("ordered", clean) + self.assertNotIn("xyz", clean) + class TestValidationUtils(unittest.TestCase): def test_valid_url(self):