Allow data: to not be part of sanitizer’s allowed protocols

charmander · web-flow · commit e4757eba1ad0 · 2019-02-21T03:08:27.000Z
When `data:` wasn’t permitted, it could attempt to `del attrs[attr]` twice.
diff --git a/html5lib/filters/sanitizer.py b/html5lib/filters/sanitizer.py
@@ -825,7 +825,7 @@ def allowed_token(self, token):
                 if uri and uri.scheme:
                     if uri.scheme not in self.allowed_protocols:
                         del attrs[attr]
-                    if uri.scheme == 'data':
+                    elif uri.scheme == 'data':
                         m = data_content_type.match(uri.path)
                         if not m:
                             del attrs[attr]
