B 03\Q @sddlmZddlmZddlZddlZddlmZddlm Z ddl m Z ddl m Z mZdd d d d d ddddddg ZddgdgdgdZgZdddgZdddeeddedded d!DZed"ed#ejZd$ZGd%d&d&eZd'd(ZGd)d*d*e jZdS)+)unicode_literals)chainN)urlparse)unescape) html5lib_shim)alphabetize_attributes force_unicodeaabbracronymbZ blockquotecodeZemiZliZolZstrongZulhreftitle)r r r httpZhttpsZmailtocCsg|] }t|qS)chr).0crr/lib/python3.7/site-packages/bleach/sanitizer.py -sr  []?c@s0eZdZdZeeeedddfddZddZ dS) CleaneraCleaner for cleaning HTML fragments of malicious content This cleaner is a security-focused function whose sole purpose is to remove malicious content from a string such that it can be displayed as content in a web page. To use:: from bleach.sanitizer import Cleaner cleaner = Cleaner() for text in all_the_yucky_things: sanitized = cleaner.clean(text) .. Note:: This cleaner is not designed to use to transform content to be used in non-web-page contexts. .. Warning:: This cleaner is not thread-safe--the html parser has internal state. Create a separate cleaner per thread! FTNcCsn||_||_||_||_||_||_|p*g|_tj|j|jddd|_ t d|_ tj ddddddd|_ dS)a Initializes a Cleaner :arg list tags: allowed list of tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list styles: allowed list of css styles; defaults to ``bleach.sanitizer.ALLOWED_STYLES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip: whether or not to strip disallowed elements :arg bool strip_comments: whether or not to strip HTML comments :arg list filters: list of html5lib Filter classes to pass streamed content through .. seealso:: http://html5lib.readthedocs.io/en/latest/movingparts.html#filters .. Warning:: Using filters changes the output of ``bleach.Cleaner.clean``. Make sure the way the filters change the output are secure. F)tagsstripZconsume_entitiesZnamespaceHTMLElementsZetreealwaysT)Zquote_attr_valuesZomit_optional_tagsZescape_lt_in_attrsZresolve_entitiesZsanitizeZalphabetical_attributesN)r" attributesstyles protocolsr#strip_commentsfiltersrZBleachHTMLParserparserZ getTreeWalkerwalkerZBleachHTMLSerializer serializer)selfr"r%r&r'r#r(r)rrr__init__Ws(   zCleaner.__init__c Cst|tjs$dj|jjd}t||s,dSt|}|j |}t | ||j |j |j|j|j|jgd}x|jD]}||d}qrW|j|S)zCleans text and returns sanitized result as unicode :arg str text: text to be cleaned :returns: sanitized text as unicode :raises TypeError: if ``text`` is not a text type z9argument cannot be of '{name}' type, must be of text type)namer)sourcer%strip_disallowed_elementsstrip_html_commentsallowed_elementsallowed_css_propertiesallowed_protocolsallowed_svg_properties)r0) isinstancesixZ string_typesformat __class____name__ TypeErrorrr*Z parseFragmentBleachSanitizerFilterr+r%r#r(r"r&r'r)r,Zrender)r-textmessageZdomZfilteredZ filter_classrrrcleans(    z Cleaner.clean) r; __module__ __qualname____doc__ ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_STYLESALLOWED_PROTOCOLSr.r@rrrrr!:s ._attr_filtercs|kS)Nr)rJrKrL)r%rrrMsz3attributes needs to be a callable, a list or a dictN)rIr7dictlist ValueError)r%rMr)r%rattribute_filter_factorys    rQcspeZdZdZeddffdd ZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ ddZZS)r=zmhtml5lib Filter that sanitizes text This filter can be used anywhere html5lib filters can be used. FTc s*t||_||_||_tt|j|f|S)aCreates a BleachSanitizerFilter instance :arg Treewalker source: stream :arg list tags: allowed list of tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list styles: allowed list of css styles; defaults to ``bleach.sanitizer.ALLOWED_STYLES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip_disallowed_elements: whether or not to strip disallowed elements :arg bool strip_html_comments: whether or not to strip HTML comments )rQ attr_filterr1r2superr=r.)r-r0r%r1r2kwargs)r:rrr.s zBleachSanitizerFilter.__init__ccsHxB|D]:}||}|sqt|tr:x|D] }|Vq*Wq|VqWdS)N)sanitize_tokenr7rO)r-token_iteratortokenZretZsubtokenrrrsanitize_streams     z%BleachSanitizerFilter.sanitize_streamccsg}xn|D]f}|rR|ddkr,||q qjddd|Ddd}g}|Vn|ddkrj||q |Vq Wddd|Ddd}|VdS) z/Merge consecutive Characters tokens in a streamtype CharactersrcSsg|] }|dqS)datar)r char_tokenrrrr(sz:BleachSanitizerFilter.merge_characters..)r[rYcSsg|] }|dqS)r[r)rr\rrrr5sN)appendjoin)r-rVZcharacters_bufferrWZ new_tokenrrrmerge_characterss"      z&BleachSanitizerFilter.merge_characterscCs||tj|S)N)r_rXrZFilter__iter__)r-rrrr`:szBleachSanitizerFilter.__iter__cCs|d}|dkrV|d|jkr(||S|jr2dSd|krJt|d|d<||Sn.|dkrn|jsh|SdSn|dkr||S|SdS)aSanitize a token either by HTML-encoding or dropping. Unlike sanitizer.Filter, allowed_attributes can be a dict of {'tag': ['attribute', 'pairs'], 'tag': callable}. Here callable is a function with two arguments of attribute name and value. It should return true of false. Also gives the option to strip tags instead of encoding. :arg dict token: token to sanitize :returns: token or list of tokens rY)StartTagEndTagEmptyTagr/Nr[CommentrZ)r3 allow_tokenr1rdisallowed_tokenr2sanitize_characters)r-rW token_typerrrrU=s    z$BleachSanitizerFilter.sanitize_tokencCs|dd}|s|Stt|}||d<d|kr4|Sg}xt|D]}|sNqD|drt|}|dk r|dkr|dddn|d|d |t |d d}|rD|d|dqD|d|dqDW|S) aHandles Characters tokens Our overridden tokenizer doesn't do anything with entities. However, that means that the serializer will convert all ``&`` in Characters tokens to ``&``. Since we don't want that, we extract entities here and convert them to Entity tokens so the serializer will let them be. :arg token: the Characters token to work on :returns: a list of tokens r[r&NZamprZ)rYr[ZEntity)rYr/) getINVISIBLE_CHARACTERS_REsubINVISIBLE_REPLACEMENT_CHARrZnext_possible_entity startswithZ match_entityr]len)r-rWr[Z new_tokenspartZentityZ remainderrrrrghs.    z)BleachSanitizerFilter.sanitize_characterscCst|}tdd|}|dd}|}y t|}Wntk rLdSX|jrd|j|kr|Sn8| drr|Sd|kr| dd|kr|Sd|kr|SdS) zChecks a uri value to see if it's allowed :arg value: the uri value to sanitize :arg allowed_protocols: list of allowed protocols :returns: allowed value or None z[`\000-\040\177-\240\s]+ru�N#:rr) rconvert_entitiesrermreplacelowerrrPZschemerosplit)r-rLr5 new_valueZparsedrrrsanitize_uri_values*     z(BleachSanitizerFilter.sanitize_uri_valuec Csd|kri}x|dD]\}}|\}}||d||s>q||jkrd|||j}|dkr`q|}||jkrtddt|}| }|sqn|}d|df|j kr|dt j ddfgkrt d |rq|d kr||}|||<qWt||d<|S) z-Handles the case where we're allowing the tagr[r/Nzurl\s*\(\s*[^#\s][^)]+?\) )NrZxlinkrz ^\s*[^#\s])Nstyle)itemsrRZattr_val_is_urirzr5Zsvg_attr_val_allows_refrurmrr#Zsvg_allow_local_hrefrZ namespacessearch sanitize_cssr) r-rWattrsnamespaced_nameval namespacer/ryZnew_valrrrres:       z!BleachSanitizerFilter.allow_tokencCs|d}|dkr"d|d|d<n|dr|dks6tg}xj|dD]Z\\}}}|rf|sf||}}|dksx|tjkr~|}ndtj||f}|d||fqHWd |dd |f|d<nd |d|d<|d r|ddd d|d<d|d<|d=|S)NrYrbzr/r[)rarcz%s:%sz %s="%s"z<%s%s>rz<%s>Z selfClosingz/>rZ)AssertionErrorr}rprefixesr]r^rk)r-rWrhrnsr/vrrrrrfs,   z&BleachSanitizerFilter.disallowed_tokencCst|}tdd|}|d}td}x|D]}||s6dSq6Wtd|s\dSg}xhtd|D]X\}}|s|qn||j kr| |d|dqn||j krn| |d|dqnWd |S) zSanitizes css in style tagszurl\s*\(\s*[^\s)]+?\s*\)\s*r{;zI^([-/:,#%.'"\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$rz ^\s*([-\w]+\s*:[^:;]*(;\s*|$))*$z([-\w]+)\s*:\s*([^:;]*)z: ) rrtrucompilermrxmatchfindallrwr4r]r6r^)r-r|partsZgauntletrqr@ZproprLrrrrFs&     z"BleachSanitizerFilter.sanitize_css)r;rArBrCrEr.rXr_r`rUrgrzrerfr __classcell__rr)r:rr=s +=;=)r=)Z __future__r itertoolsrrur8Zsix.moves.urllib.parserZxml.sax.saxutilsrZbleachrZ bleach.utilsrrrDrErFrGr^rangeZINVISIBLE_CHARACTERSrUNICODErlrnobjectr!rQZSanitizerFilterr=rrrrsB       . )