I don't know how the XML function works; let me see your upload form code and any HTML output of myXML.
On 1 jul, 18:32, MikeEllis <michael.f.el...@gmail.com> wrote:
> I'm developing an app that needs to allow users to create and view
> content that includes links, images, and embedded video, e.g. from
> YouTube. The following wrapper for the XML function seems the minimum
> set that will do the job, but I'm concerned about XSS attacks.
>
> # XML is already a global in a web2py model or controller; elsewhere:
> from gluon.html import XML
>
> def myXML(text):
>     return XML(text, sanitize=True,
>                permitted_tags=['a', 'b', 'blockquote', 'br/', 'i', 'li',
>                                'ol', 'ul', 'p', 'cite', 'code', 'pre',
>                                'img/', 'object', 'embed'],
>                allowed_attributes={'a': ['href', 'title'],
>                                    'img': ['src', 'alt'],
>                                    'blockquote': ['type'],
>                                    'object': ['height', 'width'],
>                                    'embed': ['allowfullscreen', 'src', 'type'],
>                                    })
>
> Any suggestions from the security experts in the community?
>
> Thanks,
> Mike
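The wrapper above only expresses which tags and attribute names survive; it says nothing about attribute values, and `href`/`src` values are where `javascript:` URLs and off-site embeds come in. The following is an added example, not web2py's `XML()` helper and not Mike's code: a small standalone allowlist sanitizer built on the standard library's `html.parser` that mirrors the post's tag/attribute allowlist and adds the two checks a reviewer would ask for, a scheme allowlist for every URL-bearing attribute and a host allowlist for `embed` sources. `EMBED_HOSTS` is an assumption for the example (the post only says "e.g. from YouTube"); relative URLs are deliberately rejected so that scheme-less tricks never reach the output.

```python
"""Allowlist HTML sanitizer with URL checks (added example, not web2py's XML())."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# The same allowlist as the myXML() wrapper in the post ('br/' and 'img/' are
# spelled as plain tag names here; void-ness is tracked separately).
PERMITTED_TAGS = {'a', 'b', 'blockquote', 'br', 'i', 'li', 'ol', 'ul', 'p',
                  'cite', 'code', 'pre', 'img', 'object', 'embed'}
ALLOWED_ATTRIBUTES = {'a': {'href', 'title'}, 'img': {'src', 'alt'},
                      'blockquote': {'type'}, 'object': {'height', 'width'},
                      'embed': {'allowfullscreen', 'src', 'type'}}
VOID_TAGS = {'br', 'img', 'embed'}
URL_ATTRIBUTES = {'href', 'src'}
SAFE_SCHEMES = {'http', 'https'}
# Assumption for this example: embedded players may only be loaded from here.
EMBED_HOSTS = {'www.youtube.com', 'youtube.com'}


def safe_url(value, tag):
    """True only for absolute http(s) URLs; embeds must also hit an allowed host."""
    parts = urlparse(value.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return False          # rejects javascript:, data:, vbscript: and relative URLs
    if tag == 'embed' and parts.hostname not in EMBED_HOSTS:
        return False
    return True


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # open non-void tags, so output is always balanced
        self.dropped = []     # (what, reason) pairs, useful for logging/auditing

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            self.dropped.append((tag, 'tag not permitted'))
            return
        kept = []
        for name, value in attrs:
            value = value or ''
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                self.dropped.append((f'{tag}@{name}', 'attribute not permitted'))
                continue
            if name in URL_ATTRIBUTES and not safe_url(value, tag):
                self.dropped.append((f'{tag}@{name}', 'unsafe url'))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in VOID_TAGS:
            self.out.append(f'<{tag}{"".join(kept)} />')
        else:
            self.stack.append(tag)
            self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag not in PERMITTED_TAGS or tag in VOID_TAGS or tag not in self.stack:
            return            # stray or disallowed closers are silently dropped
        while self.stack:     # also closes anything left open inside this tag
            top = self.stack.pop()
            self.out.append(f'</{top}>')
            if top == tag:
                break

    def handle_data(self, data):
        # Text is always re-escaped, so content of a dropped <script> is inert.
        self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base class, which ignores them: they never reach the output.

    def result(self):
        while self.stack:
            self.out.append(f'</{self.stack.pop()}>')
        return ''.join(self.out)


def sanitize(html):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == '__main__':
    # Constructed sample inputs, not taken from any real submission.
    for sample in ('<p>Hi <a href="https://example.com" title="x">link</a></p>',
                   '<a href="javascript:alert(1)">x</a>',
                   '<img src="x" onerror="alert(1)">',
                   '<embed src="https://evil.example/x.swf" type="t">',
                   '<embed src="https://www.youtube.com/v/abc" allowfullscreen="true">'):
        clean, dropped = sanitize(sample)
        print(clean, dropped)
```

Keeping the `dropped` list around is the detection half of the story: logging which tags and attributes were stripped from a submission shows whether users are merely pasting rich text or probing the filter. Whatever sanitizer is used in production, run it at render time on the stored text rather than only at upload time, so that a later loosening of the allowlist cannot resurrect content that was sanitized under different rules.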