##############################################################################
#
# OpenERP, Open Source Business Applications
-# Copyright (C) 2012-2013 OpenERP S.A. (<http://openerp.com>).
+# Copyright (C) 2012-TODAY OpenERP S.A. (<http://openerp.com>).
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# allow new semantic HTML5 tags
allowed_tags = clean.defs.tags | frozenset('article section header footer hgroup nav aside figure main'.split())
-safe_attrs = clean.defs.safe_attrs | frozenset(['style'])
+safe_attrs = clean.defs.safe_attrs | frozenset(
+ ['style',
+ 'data-oe-model', 'data-oe-id', 'data-oe-field', 'data-oe-type', 'data-oe-expression', 'data-oe-translate', 'data-oe-nodeid',
+ 'data-snippet-id', 'data-publish', 'data-id', 'data-res_id', 'data-member_id', 'data-view-id'
+ ])
-def html_sanitize(src, silent=True):
+def html_sanitize(src, silent=True, strict=False):
if not src:
return src
src = ustr(src, errors='replace')
kwargs = {
'page_structure': True,
'style': False, # do not remove style attributes
- 'frames': False, # de not remove frames (embbed video in CMS blogs)
'forms': True, # remove form tags
'remove_unknown_tags': False,
'allow_tags': allowed_tags,
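Review bot: The `'frames': False` entry removed at the `-` line of this hunk is reinstated in the next hunk as `kwargs['frames'] = False,` — the trailing comma makes the value the one-element tuple `(False,)`, which is truthy, so lxml's Cleaner will presumably read it as "remove frames", the opposite of what the adjacent comment says; the line should read `kwargs['frames'] = False`. The new `strict` parameter on `html_sanitize` has no docstring; a short one stating that `strict=True` restricts attributes to `safe_attrs` (only honoured on lxml 3.1.0 and later, per the later hunk) while the default keeps every attribute would help callers pick the right mode for untrusted input. The body of `html_sanitize` continues past the end of this hunk.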
else:
kwargs['remove_tags'] = tags_to_kill + tags_to_remove
- kwargs['safe_attrs_only'] = False
+ if strict:
+ if etree.LXML_VERSION >= (3, 1, 0):
+ # lxml < 3.1.0 does not allow to specify safe_attrs. We keep all attributes in order to keep "style"
+ kwargs.update({
+ 'safe_attrs_only': True,
+ 'safe_attrs': safe_attrs,
+ })
+ else:
+ kwargs['safe_attrs_only'] = False # keep oe-data attributes + style
+ kwargs['frames'] = False, # do not remove frames (embbed video in CMS blogs)
try:
# some corner cases make the parser crash (such as <SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT> in test_mail)