From 6eba45631910631e534e9971d783a10f238ac466 Mon Sep 17 00:00:00 2001
From: helmutm
Date: Fri, 9 Oct 2009 09:04:21 +0000
Subject: [PATCH] HTML sanitizing: allow specification of parts of style names

git-svn-id: svn://svn.cy55.de/Zope3/src/cybertools/trunk@3573 fd906abe-77d9-0310-91a1-e0d9ade77398
---
 util/html.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/util/html.py b/util/html.py
index 79bd6ec..ae52a8b 100644
--- a/util/html.py
+++ b/util/html.py
@@ -24,13 +24,13 @@ $Id$
 from cybertools.text.lib.BeautifulSoup import BeautifulSoup, Comment
-#validTags = 'p i strong b u a h1 h2 h3 img pre br'.split()
-validTags = 'b br div em font h1 h2 h3 i p pre span strong table td tr u'.split()
+validTags = ('b br div em font h1 h2 h3 i li ol p pre span strong '
+             'table td tr u ul').split()
-#validAttrs = 'href src'.split()
 validAttrs = 'class style'.split()
 validStyles = 'font-style font-weight'.split()
+validStyleParts = 'border padding'.split()
 def sanitize(value, validTags=validTags, validAttrs=validAttrs,
@@ -43,6 +43,7 @@ def sanitize(value, validTags=validTags, validAttrs=validAttrs,
             tag.hidden = True
         attrs = []
         for attr, val in tag.attrs:
+            attr = attr.lower()
             if attr not in validAttrs:
                 continue
             if attr == 'style':
@@ -58,6 +59,15 @@ def sanitizeStyle(value, validStyles=validStyles):
     for item in value.split(';'):
         if ':' in item:
             k, v = item.split(':')
-            if k.strip() in validStyles:
+            if checkStyle(k):
                 result.append(item.strip())
     return '; '.join(result)
+
+def checkStyle(k):
+    k = k.strip().lower()
+    if k in validStyles:
+        return True
+    for name in validStyleParts:
+        if k.startswith(name):
+            return True
+    return False
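Review bot: `validStyleParts = 'border padding'.split()` is consumed by `checkStyle` as a bare prefix (`k.startswith(name)`), so it admits every property that merely begins with "border", including `border-image`, whose value may carry `url(...)`; `sanitizeStyle` only ever checks the property name (`v` is unpacked but never inspected), so the value side reaches the output untouched. If the intent is "the shorthand and its sub-properties", anchor the match on the hyphen, `if k == name or k.startswith(name + '-'):`, and keep the list of accepted shorthands deliberate. A one-line comment above the new constant, `# style property names accepted by prefix, e.g. "padding" matches "padding-left"; values are not filtered`, would record the rule for the next maintainer.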
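Review bot: The new `checkStyle` reads the module-level `validStyles` and `validStyleParts` instead of the `validStyles` argument that `sanitizeStyle(value, validStyles=validStyles)` still accepts, so a caller that supplies its own whitelist (presumably via `sanitize`, whose signature continues outside the hunk) now has it silently ignored, whereas the replaced `if k.strip() in validStyles:` honoured it. Thread the lists through explicitly: `def checkStyle(k, validStyles=validStyles, validStyleParts=validStyleParts):` and, in `sanitizeStyle`, `if checkStyle(k, validStyles):`. The loop over `validStyleParts` could then collapse to `return any(k.startswith(name) for name in validStyleParts)`.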