Remove replacement characters before looking for forbidden URI schemes in attributes

jgraham · jgraham · commit dc7a9d3fbaf3 · 2009-09-09T22:48:48.000+02:00
diff --git a/src/html5lib/sanitizer.py b/src/html5lib/sanitizer.py
@@ -152,6 +152,8 @@ def sanitize_token(self, token):
                             continue
                         val_unescaped = re.sub("[`\000-\040\177-\240\s]+", '',
                                                unescape(attrs[attr])).lower()
+                        #remove replacement characters from unescaped characters
+                        val_unescaped = val_unescaped.replace(u"\ufffd", "")
                         if (re.match("^[a-z0-9][-+.a-z0-9]*:",val_unescaped) and
                             (val_unescaped.split(':')[0] not in 
                              self.allowed_protocols)):
