Allow bootstrap data attributes through the HTML sanitizer (#1553)

* Allow bootstrap data attributes through the HTML sanitizer
2025-12-17 14:04:20 +01:00 · 2020-07-19 17:19:33 -04:00
parent e5d6d8b36c
commit 421dfc169a
1 changed files with 35 additions and 1 deletions
--- a/CTFd/utils/security/sanitize.py
+++ b/CTFd/utils/security/sanitize.py
@@ -12,7 +12,41 @@ cleaner = Cleaner(
    links=False,
    meta=False,
    style=False,
-    safe_attrs=(safe_attrs | set(["style"])),
+    safe_attrs=(
+        safe_attrs
+        | set(
+            [
+                "style",
+                # Allow data attributes from bootstrap elements
+                "data-toggle",
+                "data-target",
+                "data-dismiss",
+                "data-spy",
+                "data-offset",
+                "data-html",
+                "data-placement",
+                "data-parent",
+                "data-title",
+                "data-template",
+                "data-interval",
+                "data-keyboard",
+                "data-pause",
+                "data-ride",
+                "data-wrap",
+                "data-touch",
+                "data-flip",
+                "data-boundary",
+                "data-reference",
+                "data-display",
+                "data-animation",
+                "data-container",
+                "data-delay",
+                "data-selector",
+                "data-content",
+                "data-trigger",
+            ]
+        )
+    ),
    annoying_tags=False,
 )