I'm developing an app that needs to allow users to create and view content that includes links, images, and embedded video, e.g. from YouTube. The following wrapper for the XML function seems the minimum set that will do the job, but I'm concerned about XSS attacks.
    # Wrapper around web2py's XML helper; the 'br/' and 'img/' entries are web2py's
    # spelling for self-closing tags. 'object' and 'embed' are added on top of the defaults.
    def myXML(text):
        return XML(text, sanitize=True,
                   permitted_tags=['a', 'b', 'blockquote', 'br/', 'i', 'li', 'ol', 'ul',
                                   'p', 'cite', 'code', 'pre', 'img/', 'object', 'embed'],
                   allowed_attributes={'a': ['href', 'title'],
                                       'img': ['src', 'alt'],
                                       'blockquote': ['type'],
                                       'object': ['height', 'width'],
                                       'embed': ['allowfullscreen', 'src', 'type']})

Any suggestions from the security experts in the community? Thanks, Mike
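To make the XSS concern concrete, here is an added example (it is not web2py's XML helper and not code from the post): a standalone allowlist sanitizer on Python's html.parser that uses the same tag and attribute lists as the wrapper above, plus the check a reviewer would ask for before shipping it. Allowlisting tag and attribute *names* stops onerror= and friends, but the *values* of href and src still need a scheme allowlist, or a javascript: or data: URL walks straight through; and an embed/object src that may point anywhere lets any third party's content run with script capability, so it is pinned to an assumed YouTube host list. The host list, the helper names, and the sample inputs are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists mirroring the ones in the post (example code, not web2py's XML helper).
PERMITTED_TAGS = {'a', 'b', 'blockquote', 'br', 'i', 'li', 'ol', 'ul', 'p', 'cite',
                  'code', 'pre', 'img', 'object', 'embed'}
VOID_TAGS = {'br', 'img', 'embed'}
ALLOWED_ATTRIBUTES = {
    'a': {'href', 'title'},
    'img': {'src', 'alt'},
    'blockquote': {'type'},
    'object': {'height', 'width'},
    'embed': {'allowfullscreen', 'src', 'type'},
}
# Attributes that carry a URL get a scheme check. embed src is additionally pinned to a
# host allowlist (assumed; extend as needed), because a plugin or document loaded there
# executes whatever script its origin chooses.
URL_ATTRIBUTES = {('a', 'href'), ('img', 'src'), ('embed', 'src')}
SAFE_SCHEMES = {'http', 'https'}
EMBED_HOSTS = {'www.youtube.com', 'youtube.com'}


def url_is_safe(tag, attr, value):
    """Allowlist the scheme (rejects javascript:, data:, vbscript: and scheme-less tricks);
    for embed src also allowlist the host. Relative URLs are rejected as well; loosen that
    only if the app needs to reference its own uploads."""
    parsed = urlparse(value.strip())
    if parsed.scheme.lower() not in SAFE_SCHEMES:
        return False
    if (tag, attr) == ('embed', 'src') and parsed.hostname not in EMBED_HOSTS:
        return False
    return True


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags and attributes; everything else is dropped
    (tags, attributes) or escaped (text, including the body of a dropped <script>)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # emitted but not yet closed tags, to keep the output well-formed

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            return            # tag dropped; its text still arrives via handle_data, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, ()):
                continue      # removes onerror=, onclick=, style= and any other handler
            if value is None:
                kept.append(f' {name}')   # boolean attribute such as allowfullscreen
            elif (tag, name) in URL_ATTRIBUTES and not url_is_safe(tag, name, value):
                continue      # unsafe URL: drop just the attribute, keep the element
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:      # close anything still open inside it first
                inner = self.open_tags.pop()
                self.out.append(f'</{inner}>')
                if inner == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(text):
    """Return the sanitised HTML for untrusted user content."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    while parser.open_tags:            # close tags the input left dangling
        parser.out.append(f'</{parser.open_tags.pop()}>')
    return ''.join(parser.out)


if __name__ == '__main__':
    # Constructed inputs: a javascript: link, an onerror handler, an embed from an
    # arbitrary host, and a legitimate YouTube embed.
    for sample in ('<a href="javascript:alert(1)" title="t">x</a>',
                   '<img src="https://example.com/a.png" onerror="alert(1)">',
                   '<embed src="https://evil.example/x.swf" type="application/x-shockwave-flash">',
                   '<embed src="https://www.youtube.com/v/abc" allowfullscreen>'):
        print(sanitize(sample))
```

Note that this example keeps object and embed but strips the dangerous src rather than the whole element; if the application only ever needs YouTube, a simpler and safer design is to accept a video ID from the user and generate the embed markup server-side, so user-supplied markup never includes object or embed at all.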