When URLs are invalid IPv6 URLs drop the attr rather than error

dstufft · dstufft · commit 29526c56ec93 · 2015-09-07T12:11:23.000-04:00
diff --git a/html5lib/sanitizer.py b/html5lib/sanitizer.py
@@ -207,7 +207,11 @@ def allowed_token(self, token, token_type):
                                        unescape(attrs[attr])).lower()
                 # remove replacement characters from unescaped characters
                 val_unescaped = val_unescaped.replace("\ufffd", "")
-                uri = urlparse.urlparse(val_unescaped)
+                try:
+                    uri = urlparse.urlparse(val_unescaped)
+                except ValueError:
+                    uri = None
+                    del attrs[attr]
                 if uri and uri.scheme:
                     if uri.scheme not in self.allowed_protocols:
                         del attrs[attr]
diff --git a/html5lib/tests/test_sanitizer.py b/html5lib/tests/test_sanitizer.py
@@ -113,6 +113,11 @@ def test_sanitizer():
            "<audio controls=\"\" src=\"data:foobar\"></audio>",
            toxml)
 
+    yield (runSanitizerTest, "test_invalid_ipv6_url",
+           "<a>",
+           "<a href=\"h://]\">",
+           toxml)
+
     yield (runSanitizerTest, "test_data_uri_disallowed_type",
            "<audio controls=\"\"></audio>",
            "<audio controls=\"\" src=\"data:text/html,<html>\"></audio>",
