Allow bootstrap data attributes through the HTML sanitizer (#1553)

* Allow bootstrap data attributes through the HTML sanitizer
2025-12-17 14:04:20 +01:00 · 2020-07-19 17:19:33 -04:00
parent e5d6d8b36c
commit 421dfc169a
1 changed files with 35 additions and 1 deletions
--- a/CTFd/utils/security/sanitize.py
+++ b/CTFd/utils/security/sanitize.py
@@ -12,7 +12,41 @@ cleaner = Cleaner(
    links=False,
    meta=False,
    style=False,
-    safe_attrs=(safe_attrs | set(["style"])),
+    safe_attrs=(
        safe_attrs
        | set(
            [
                "style",
                # Allow data attributes from bootstrap elements
                "data-toggle",
                "data-target",
                "data-dismiss",
                "data-spy",
                "data-offset",
                "data-html",
                "data-placement",
                "data-parent",
                "data-title",
                "data-template",
                "data-interval",
                "data-keyboard",
                "data-pause",
                "data-ride",
                "data-wrap",
                "data-touch",
                "data-flip",
                "data-boundary",
                "data-reference",
                "data-display",
                "data-animation",
                "data-container",
                "data-delay",
                "data-selector",
                "data-content",
                "data-trigger",
            ]
        )
    ),
    annoying_tags=False,
 )