This should fix a security problem reported by Kousuke Ebihara. Thanks
[osqa.git] / forum / utils / html.py
index cab52a4252ecd666dc5c9e06958a5f0300cde9bc..256a2d8ce2b2e67857523cd94c93d66c059d92a9 100644 (file)
@@ -1,9 +1,10 @@
 """Utilities for working with HTML."""
-import html5lib
-from html5lib import sanitizer, serializer, tokenizer, treebuilders, treewalkers
+#import html5lib
+from html5lib import sanitizer, serializer, tokenizer, treebuilders, treewalkers, HTMLParser
+from urllib import quote_plus
 from django.utils.html import strip_tags
 from forum.utils.html2text import HTML2Text
-from django.template import mark_safe
+from django.utils.safestring import mark_safe
 from forum import settings
 
 class HTMLSanitizerMixin(sanitizer.HTMLSanitizerMixin):
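Review bot: The commented-out `#import html5lib` at the top of the import block is dead code and should be deleted now that `HTMLParser` is imported by name. The name `HTMLParser` also matches a Python 2 standard-library module, so a reader may take it for the stdlib parser rather than html5lib's; an alias such as `from html5lib import HTMLParser as Html5Parser` would make the origin obvious at the call site in `sanitize_html`. The class that starts on the last context line continues outside this hunk.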
@@ -39,7 +40,7 @@ class HTMLSanitizer(tokenizer.HTMLTokenizer, HTMLSanitizerMixin):
 
 def sanitize_html(html):
     """Sanitizes an HTML fragment."""
-    p = html5lib.HTMLParser(tokenizer=HTMLSanitizer,
+    p = HTMLParser(tokenizer=HTMLSanitizer,
                             tree=treebuilders.getTreeBuilder("dom"))
     dom_tree = p.parseFragment(html)
     walker = treewalkers.getTreeWalker("dom")
@@ -50,7 +51,7 @@ def sanitize_html(html):
     return u''.join(output_generator)
 
 def cleanup_urls(url):
-    return strip_tags(url)
+    return quote_plus(strip_tags(url))
 
 
 def html2text(s, ignore_tags=(), indent_width=4, page_width=80):
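Review bot: `quote_plus` in `cleanup_urls` percent-encodes every reserved character, including `:` and `/`, so an absolute URL such as `http://example.com/a` comes back as `http%3A%2F%2Fexample.com%2Fa` and no longer works as a link. That is only correct if callers pass a single URL component (a query value, for instance), and the callers are not visible in this hunk. On Python 2, `urllib.quote_plus` also raises `KeyError` on a unicode string that contains non-ASCII characters, which `strip_tags` can return for user input; encoding first avoids that, e.g. `return quote_plus(strip_tags(url).encode('utf-8'))`. The function has no docstring, so I would add one along the lines of `"""Strip tags from a URL component and percent-encode it for embedding in a link."""`, so the next caller knows it is not meant for full URLs.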