id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	parents
92	Need a util.html_cleaner() method with good tests	Christopher Allan Webber		"{{{
#!rst
There's no way around it, we're going to need a good sanitizer for
comment/description/etc html **regardless** of
`whether or not we use markdown <http://bugs.foocorp.net/issues/363#note-5>`_
... so I think the html cleaner should:


-  use
   `lxml.html.clean <http://lxml.de/lxmlhtml.html#cleaning-up-html>`_
-  Use **only whitelisted tags**... this is possible through lxml,
   we need to do it right. Tags I think we'll need to allow: b, i, em,
   strong, p, ul, ol, li, a, br. (any others?)
-  Only whitelisted attributes
-  XSS attribute attack prevention, other XSS prevention stuff...
   see the lxml.html.clean docs.
-  have tests that try to attack each one of these components.

In the future it might be a good idea to also prevent certain other
annoying things... deeply nested ``<p>``'s, etc. But for now I think
this will be good enough.

}}}"	defect	closed	minor	0.0.3	programming	FIXED			
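The whitelist cleaner this ticket asks for, as an added example that is neither the project's code nor lxml's: it is built on the standard-library ``html.parser`` instead of ``lxml.html.clean`` so it runs with no dependencies, keeps only the tags listed in the ticket, and lets only ``href`` through on ``<a>`` (my assumption, since the ticket names no attribute list), rejecting anything that is not an absolute http(s)/mailto URL so ``javascript:`` and its entity-encoded or whitespace-obfuscated variants are dropped. The inputs in the test are constructed attack strings, one per component the ticket wants covered.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "ul", "ol", "li", "a", "br"}  # from the ticket
ALLOWED_ATTRS = {"a": {"href"}}  # assumption: the ticket names no attribute whitelist
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # discard the body, not just the tags

def safe_url(value):
    # Entities are already decoded by HTMLParser ("&#106;avascript:" arrives as
    # "javascript:"); dropping whitespace/control chars defeats "java\tscript:" too.
    compact = "".join(c for c in (value or "") if c.isprintable() and not c.isspace())
    return compact.lower().startswith(SAFE_SCHEMES)

class WhitelistCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.skipping = tag in DROP_CONTENT  # parser stays in CDATA mode until </script>
            return  # any other non-whitelisted tag is dropped, its text content stays
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and safe_url(v)]
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":  # br is void, never left open
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        self.skipping = False
        if tag in self.open_tags:  # also closes anything left open inside it
            while (closed := self.open_tags.pop()) != tag:
                self.out.append(f"</{closed}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments, PIs and doctype are dropped by default
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:  # balance tags still open at end of input
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def clean(fragment):
    cleaner = WhitelistCleaner()
    cleaner.feed(fragment)
    cleaner.close()
    return cleaner.result()
```

The same policy in lxml itself is ``Cleaner(allow_tags=[...], remove_unknown_tags=False, safe_attrs_only=True)``; note that ``lxml.html.clean`` now ships as the separate ``lxml_html_clean`` package (lxml 5.2 and later).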
