diff --git a/content.py b/content.py
index 95181a865..532668ffe 100644
--- a/content.py
+++ b/content.py
@@ -159,6 +159,7 @@ def dangerousMarkup(content: str) -> bool:
 if '>' not in content:
 return False
 contentSections = content.split('<')
+ invalidPartials = ('127.0.', '192.168', '10.0.')
 invalidStrings = ('script', 'canvas', 'style', 'abbr', 'frame', 'iframe', 'html', 'body', 'hr')
@@ -166,6 +167,9 @@ def dangerousMarkup(content: str) -> bool:
 if '>' not in markup:
 continue
 markup = markup.split('>')[0].strip()
+ for partialMatch in invalidPartials:
+ if partialMatch in markup:
+ return True
 if ' ' not in markup:
 for badStr in invalidStrings:
 if badStr in markup:
diff --git a/tests.py b/tests.py
index f835378c0..0431387a0 100644
--- a/tests.py
+++ b/tests.py
@@ -1943,32 +1943,52 @@ def testDangerousMarkup():
 print('testDangerousMarkup')
 content = '
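Review bot: The substring test in the second hunk, `if partialMatch in markup`, is both over- and under-inclusive as a local-network check: `'10.0.'` also hits public addresses such as 110.0.5.5 (constructed example) and `'192.168'` hits a host like 192.1680.example, while 10.x addresses outside 10.0.*, the 172.16/12 range, 0.0.0.0, `localhost` and the IPv6 loopback are not caught at all. Parsing dotted-quad candidates from the tag text with the standard `ipaddress` module and testing `is_private`/`is_loopback` covers the RFC 1918 and loopback ranges exactly and removes the false positives; `localhost` and IPv6 literals would still need their own handling, and because only the tag text rather than the resolved href/src value is inspected this stays a heuristic, which should be recorded in a comment such as `# Flag tags addressing loopback/private hosts: rendering them probes the reader's local network`. With that change the `invalidPartials` tuple added in the first hunk becomes unnecessary. This needs `ipaddress` and `re` imported at module top, which is outside both hunks, and dangerousMarkup itself starts before the first hunk.
```python
        markup = markup.split('>')[0].strip()
        # Flag tags addressing loopback or private (RFC 1918) hosts: rendering
        # them makes the reader's browser probe its own local network.
        for candidate in re.findall(r'\d{1,3}(?:\.\d{1,3}){3}', markup):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if addr.is_private or addr.is_loopback:
                return True
        # … unchanged: invalidStrings check …
```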
This is a valid message
' assert(not dangerousMarkup(content)) + content = 'This is a valid message without markup' assert(not dangerousMarkup(content)) + content = 'This is a valid-looking message. But wait... ' + \ '
' assert(dangerousMarkup(content)) + content = 'This is a valid-looking message. But wait... ' + \ '
' assert(dangerousMarkup(content)) + content = 'This message embeds an evil frame.' + \ '
' assert(dangerousMarkup(content)) + content = 'This message tries to obfuscate an evil frame.' + \ '< iframe src = "somesite"> iframe >
' assert(dangerousMarkup(content)) + content = 'This message is not necessarily evil, but annoying.' + \ '
This message contans a ' + \ 'valid link.
' assert(not dangerousMarkup(content)) + content = 'This message contans a ' + \ '' + \ 'valid link having invalid but harmless name.
' assert(not dangerousMarkup(content)) + content = 'This message which ' + \ + 'tries to access the local network
' + assert(dangerousMarkup(content)) + + content = 'This message which ' + \ + 'tries to access the local network
' + assert(dangerousMarkup(content)) + + content = '127.0.0.1 This message which does not access ' + \ + 'the local network
' + assert(not dangerousMarkup(content)) + def runHtmlReplaceQuoteMarks(): print('htmlReplaceQuoteMarks')
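Review bot: The added cases pin the positive matches and one body-text negative, but none exercises the over-match of the prefix check: a tag pointing at a public address that merely contains one of the partial strings (constructed example: 110.0.5.5, which contains `'10.0.'`) would be reported as dangerous, and a negative assertion for such a value is what would catch that. A positive case with a 10.x address outside 10.0.* would likewise document the intended coverage of the private range. The markup inside the quoted literals was stripped in this rendering, so the exact strings under test are inferred from the remaining text.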