ARIA attributes should be considered safe
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lxml | Confirmed | Low | Unassigned | |
Bug Description
Note: Although lxml.html.clean is no longer part of lxml, defs.safe_attrs, which is involved with the problem, still seems to be in lxml.
## The issue
Currently, lxml.html.
This behavior causes sanitized HTML to lose semantic meaning for assistive technologies (screen readers), making the output non-compliant with WCAG standards.
## Reproduction
```py
from lxml.html.clean import Cleaner
cleaner = Cleaner() # Default settings
html_input = '<div role="alert" aria-live=
# Current Behavior:
# Output: <div>Error message</div>
print(cleaner.
# Desired Behavior:
# Output: <div role="alert" aria-live=
```
## Fix
I have prepared a patch that adds ARIA attributes to the default allowed attributes list: https:/
This change ensures that developers using lxml for sanitization do not accidentally strip accessibility features while maintaining protection against XSS.
## — PLEASE PROVIDE THE FOLLOWING INFORMATION: —
Python : sys.version_
lxml.etree : (5, 2, 1, 0)
libxml used : (2, 9, 14)
libxml compiled : (2, 9, 14)
libxslt used : (1, 1, 35)
libxslt compiled : (1, 1, 35)

Your change looks good to me, with one little comment that I wrote over there, regarding end of list formatting to keep a nicer diff on further extension.
Could you send a PR for it?
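Until the default list changes, the allowlist can be extended per `Cleaner` instance. The sketch below is an added example, not the reporter's patch or lxml's own code; it assumes `lxml` (and, for lxml 5.2 or later, the separate `lxml_html_clean` package) is installed, and the ARIA subset, helper names and sample markup are constructed for illustration.

```python
# Added example: per-instance allowlist extension, not the reporter's patch.
try:
    from lxml_html_clean import Cleaner   # cleaner split out of lxml in 5.2
except ImportError:
    from lxml.html.clean import Cleaner   # older lxml releases
from lxml.html import defs

# Assumed subset of ARIA attributes. safe_attrs holds exact names, so each
# attribute has to be listed; there is no "aria-*" wildcard.
ARIA_ATTRS = frozenset({
    "role", "aria-live", "aria-atomic", "aria-label", "aria-labelledby",
    "aria-describedby", "aria-hidden", "aria-expanded", "aria-controls",
})


def make_aria_cleaner():
    """Cleaner with the default protections plus the ARIA allowlist above."""
    return Cleaner(safe_attrs_only=True,
                   safe_attrs=defs.safe_attrs | ARIA_ATTRS)


def sanitize(html):
    """Clean with the extended allowlist."""
    return make_aria_cleaner().clean_html(html)


def sanitize_default(html):
    """Clean with the stock settings, for comparison."""
    return Cleaner().clean_html(html)


# Constructed sample: ARIA markup next to attributes that must not survive
# (an event handler and an attribute outside the allowlist).
SAMPLE = ('<div role="alert" aria-live="assertive" onclick="track()" '
          'data-x="1">Error message</div>')

if __name__ == "__main__":
    print("default :", sanitize_default(SAMPLE))
    print("extended:", sanitize(SAMPLE))
```

The extended cleaner keeps `role` and `aria-live` while `onclick` and `data-x` are still removed, which is the regression check worth keeping next to any allowlist change.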