From 10ec1b4e9f93713513a3264ed6158af22492f270 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Sat, 20 Mar 2021 02:49:25 -0400
Subject: [PATCH 1/2] Add formaction attribute to defs.link_attrs
---
 src/lxml/html/defs.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/lxml/html/defs.py b/src/lxml/html/defs.py
index 1b3a75b36..2058ea330 100644
--- a/src/lxml/html/defs.py
+++ b/src/lxml/html/defs.py
@@ -23,6 +23,8 @@
 'usemap',
 # Not standard:
 'dynsrc', 'lowsrc',
+ # HTML5 formaction
+ 'formaction'
 ])
 
 # Not in the HTML 4 spec:
From b16ceb72d4e2f7f2c5607b0d2a024965380fe180 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Sat, 20 Mar 2021 03:44:13 -0400
Subject: [PATCH 2/2] Add a test
---
 src/lxml/html/tests/test_clean.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/lxml/html/tests/test_clean.py b/src/lxml/html/tests/test_clean.py
index 0e669f98d..45c2e83ab 100644
--- a/src/lxml/html/tests/test_clean.py
+++ b/src/lxml/html/tests/test_clean.py
@@ -123,6 +123,21 @@ def test_sneaky_js_in_math_style(self):
 b'',
 lxml.html.tostring(clean_html(s)))
 
+ def test_formaction_attribute_in_button_input(self):
+ # The formaction attribute overrides the form's action and should be
+ # treated as a malicious link attribute
+ html = ('
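Review bot: The new `'formaction'` entry is the only item in the `link_attrs` list without a trailing comma, unlike `'dynsrc', 'lowsrc',` just above it; the next attribute someone appends below it without noticing will be silently fused by implicit string concatenation (`'formaction' 'newattr'`), so neither name ends up in the set and the Cleaner stops treating both as link attributes. Write it as `'formaction',`. The comment would be more useful if it said why the attribute is here rather than only where it comes from, e.g. `# HTML5: formaction overrides the enclosing form's action, so it carries a URL like 'action'`. Other HTML5 URL-valued attributes such as `poster` and `srcset` are not in this list either; if the Cleaner does not handle them elsewhere, they deserve the same treatment in a follow-up.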
' + '') + expected = ('
' + '
') + cleaner = Cleaner( + forms=False, + safe_attrs_only=False, + ) + self.assertEqual( + expected, + cleaner.clean_html(html)) + def test_suite(): suite = unittest.TestSuite()
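Review bot: The test name promises both button and input coverage, but the markup in `html` and `expected` is not visible in this rendering (the tags appear to have been stripped in extraction), so I cannot confirm that an `input` element with `formaction` is exercised; if the fixture only contains a button, add a second case with `<input type="submit" formaction="...">`, since the attribute is valid on both. The two `Cleaner` options also deserve a one-line comment, because they are what make this test meaningful: with the default `forms=True` the whole form would be dropped and the assertion would pass without the `link_attrs` change, and with `safe_attrs_only=True` the attribute would be stripped as a non-safe attribute regardless, e.g. `# forms=False / safe_attrs_only=False so that removal can only come from link_attrs`. It would also be worth asserting the default `clean_html(html)` result separately, so the behaviour most callers get is pinned as well.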