From 249cc1ab5aebf7de2464a80dd22fae2a56612706 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 12 Dec 2020 20:53:16 +0000
Subject: [PATCH] reject localhost in markup
---
 content.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content.py b/content.py
index 424fccd3b..539f85969 100644
--- content.py
+++ content.py
@@ -163,7 +163,7 @@ def dangerousMarkup(content: str, allowLocalNetworkAccess: bool) -> bool:
 contentSections = content.split('<')
 invalidPartials = ()
 if not allowLocalNetworkAccess:
- invalidPartials = ('127.0.', '192.168', '10.0.')
+ invalidPartials = ('localhost', '127.0.', '192.168', '10.0.')
 invalidStrings = ('script', 'canvas', 'style', 'abbr', 'frame', 'iframe', 'html', 'body', 'hr', 'allow-popups', 'allow-scripts')
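Review bot: The `invalidPartials` tuple on the added line is still a substring denylist that leaves most local address space unmatched: `'10.0.'` covers only part of 10.0.0.0/8, and 172.16.0.0/12, 169.254.0.0/16 and the IPv6 loopback are not listed at all. A sturdier check would extract the host from each URL in the markup and classify it with the standard library, e.g. `addr = ipaddress.ip_address(host)` then `if addr.is_private or addr.is_loopback or addr.is_link_local: return True`, keeping the `'localhost'` name test for non-numeric hosts. If the partials are matched against the whole post text, they would also reject harmless content such as a version string `10.0.1` or prose mentioning localhost. Whether `'localhost'` is compared case-insensitively is likewise decided outside this hunk. The body of dangerousMarkup continues past the visible lines, so both points need confirming against how `invalidPartials` is consumed.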