B 1dU @sddlmZddlZddlZddlmZddlmZddlmZe dZ ddgdgdgd Z e d Z d d d eeddeddeddDZededejZdZGdddeZGdddZddZGdddejZdS))chainN)unescape) html5lib_shim) parse_shim) aabbracronymbZ blockquotecodeZemiZliolstrongZulhreftitle)rrr)httphttpsmailtocCsg|] }t|qS)chr).0crr]/work/yifan.wang/ringdown/master-ringdown-env/lib/python3.7/site-packages/bleach/sanitizer.py *sr  []?c@s eZdZdS)NoCssSanitizerWarningN)__name__ __module__ __qualname__rrrrr"5sr"c@s0eZdZdZeeeddddfddZddZdS) CleaneraCleaner for cleaning HTML fragments of malicious content This cleaner is a security-focused function whose sole purpose is to remove malicious content from a string such that it can be displayed as content in a web page. To use:: from bleach.sanitizer import Cleaner cleaner = Cleaner() for text in all_the_yucky_things: sanitized = cleaner.clean(text) .. Note:: This cleaner is not designed to use to transform content to be used in non-web-page contexts. .. Warning:: This cleaner is not thread-safe--the html parser has internal state. Create a separate cleaner per thread! FTNc Cs||_||_||_||_||_|p$g|_||_tj|j|jddd|_ t d|_ tj ddddddd|_ |dkrg}t|tr|}n8t|trg}x(|D]} t| ttfr|| qWd|krtjd td dS) a:Initializes a Cleaner :arg set tags: set of allowed tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip: whether or not to strip disallowed elements :arg bool strip_comments: whether or not to strip HTML comments :arg list filters: list of html5lib Filter classes to pass streamed content through .. seealso:: http://html5lib.readthedocs.io/en/latest/movingparts.html#filters .. Warning:: Using filters changes the output of ``bleach.Cleaner.clean``. Make sure the way the filters change the output are secure. :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None F)tagsstripZconsume_entitiesZnamespaceHTMLElementsetreealwaysT)Zquote_attr_valuesZomit_optional_tagsZescape_lt_in_attrsZresolve_entitiessanitizeZalphabetical_attributesNstylez7'style' attribute specified, but css_sanitizer not set.)category)r' attributes protocolsr(strip_commentsfilters css_sanitizerrZBleachHTMLParserparserZ getTreeWalkerwalkerZBleachHTMLSerializer serializer isinstancelistdictvaluestupleextendwarningswarnr") selfr'r.r/r(r0r1r2Zattributes_valuesr9rrr__init__VsB&      zCleaner.__init__c Cst|ts&d|jjdd}t||s.dS|j|}t|||j |j |j |j |j |jd}x|jD]}||d}qjW|j|S)zCleans text and returns sanitized result as unicode :arg str text: text to be cleaned :returns: sanitized text as unicode :raises TypeError: if ``text`` is not a text type zargument cannot be of z type, zmust be of text typer)source allowed_tagsr.strip_disallowed_tagsstrip_html_commentsr2allowed_protocols)r@)r6str __class__r# TypeErrorr3Z parseFragmentBleachSanitizerFilterr4r'r.r(r0r2r/r1r5render)r>textmessagedomfilteredZ filter_classrrrcleans$    z Cleaner.clean) r#r$r%__doc__ ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_PROTOCOLSr?rNrrrrr&9s Mr&csLtr Sttr&fdd}|Sttr@fdd}|StddS)a0Generates attribute filter function for the given attributes value The attributes value can take one of several shapes. This returns a filter function appropriate to the attributes value. One nice thing about this is that there's less if/then shenanigans in the ``allow_token`` method. cs`|kr0|}t|r$||||S||kr0dSdkr\d}t|rT||||S||kSdS)NT*F)callable)tagattrvalueZattr_val)r.rr _attr_filters  z.attribute_filter_factory.._attr_filtercs|kS)Nr)rUrVrW)r.rrrXsz3attributes needs to be a callable, a list or a dictN)rTr6r8r7 ValueError)r.rXr)r.rattribute_filter_factorys    rZc @sreZdZdZeeeejej ej dddf ddZ ddZ d d Z d d Zd dZddZddZddZddZdS)rHzmhtml5lib Filter that sanitizes text This filter can be used anywhere html5lib filters can be used. FTNc CsTtj||t||_t||_t||_||_| |_ ||_ ||_ | |_ ||_ dS)a_Creates a BleachSanitizerFilter instance :arg source: html5lib TreeWalker stream as an html5lib TreeWalker :arg set allowed_tags: set of allowed tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list allowed_protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg attr_val_is_uri: set of attributes that have URI values :arg svg_attr_val_allows_ref: set of SVG attributes that can have references :arg svg_allow_local_href: set of SVG elements that can have local hrefs :arg bool strip_disallowed_tags: whether or not to strip disallowed tags :arg bool strip_html_comments: whether or not to strip HTML comments :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None N)rFilterr? frozensetrArDrZ attr_filterrBrCattr_val_is_urisvg_attr_val_allows_refr2svg_allow_local_href) r>r@rAr.rDr^r_r`rBrCr2rrrr?s0   zBleachSanitizerFilter.__init__ccs>x8|D]0}||}|sqt|tr0|EdHq|VqWdS)N)sanitize_tokenr6r7)r>token_iteratortokenretrrrsanitize_streamAs    z%BleachSanitizerFilter.sanitize_streamccsg}xn|D]f}|rR|ddkr,||q qjddd|Ddd}g}|Vn|ddkrj||q |Vq Wddd|Ddd}|VdS) z/Merge consecutive Characters tokens in a streamtype CharactersrcSsg|] }|dqS)datar)r char_tokenrrrr[sz:BleachSanitizerFilter.merge_characters..)rhrfcSsg|] }|dqS)rhr)rrirrrrisN)appendjoin)r>rbZcharacters_bufferrcZ new_tokenrrrmerge_charactersMs$      z&BleachSanitizerFilter.merge_characterscCs||tj|S)N)rlrerr[__iter__)r>rrrrmnszBleachSanitizerFilter.__iter__cCs|d}|dkr>|d|jkr(||S|jr2dS||SnJ|dkrr|jsltj|dddd d |d<|SdSn|d kr||S|SdS) aSanitize a token either by HTML-encoding or dropping. Unlike sanitizer.Filter, allowed_attributes can be a dict of {'tag': ['attribute', 'pairs'], 'tag': callable}. Here callable is a function with two arguments of attribute name and value. It should return true of false. Also gives the option to strip tags instead of encoding. :arg dict token: token to sanitize :returns: token or list of tokens rf)StartTagEndTagEmptyTagnameNCommentrhz"z')"')entitiesrg)rA allow_tokenrBdisallowed_tokenrCrescapesanitize_characters)r>rc token_typerrrrass    z$BleachSanitizerFilter.sanitize_tokencCs|dd}|s|Stt|}||d<d|kr4|Sg}xt|D]}|sNqD|drt|}|dk r|dkr|dddn|d|d |t |d d}|rD|d|dqD|d|dqDW|S) aHandles Characters tokens Our overridden tokenizer doesn't do anything with entities. However, that means that the serializer will convert all ``&`` in Characters tokens to ``&``. Since we don't want that, we extract entities here and convert them to Entity tokens so the serializer will let them be. :arg token: the Characters token to work on :returns: a list of tokens rhr&Namprg)rfrhEntity)rfrq) getINVISIBLE_CHARACTERS_REsubINVISIBLE_REPLACEMENT_CHARrZnext_possible_entity startswithZ match_entityrjlen)r>rcrhZ new_tokenspartentity remainderrrrrys.    z)BleachSanitizerFilter.sanitize_characterscCst|}tdd|}|dd}|}yt|}Wntk rNdSX|j rf|j |kr|Sn@| drt|Sd|kr| dd|kr|Sd|ksd |kr|SdS) zChecks a uri value to see if it's allowed :arg value: the uri value to sanitize :arg allowed_protocols: list of allowed protocols :returns: allowed value or None z[`\000-\040\177-\240\s]+ru�N#:rrr) rZconvert_entitiesrerreplacelowerrurlparserYschemersplit)r>rWrDZnormalized_uriparsedrrrsanitize_uri_values&    z(BleachSanitizerFilter.sanitize_uri_valuec Csd|kri}x|dD]\}}|\}}||d||s>q||jkrd|||j}|dkr`q|}||jkrtddt|}| }|sqn|}d|df|j kr|dt j ddfgkrt d |rq|d kr|jr|j|}nd }|||<qW||d<|S) z-Handles the case where we're allowing the tagrhrqNzurl\s*\(\s*[^#\s][^)]+?\) )NrZxlinkrz ^\s*[^#\s])Nr,r)itemsr]r^rrDr_rrrr(r`r namespacessearchr2Z sanitize_css) r>rcattrsnamespaced_nameval namespacerq new_valuenew_valrrrrvs<    z!BleachSanitizerFilter.allow_tokencCs|d}|dkr&d|dd|d<n|dr|dks:tg}xr|dD]b\\}}}|rj|sj||}}|dks||tjkr|}ntj|d|}|d |d |d qLWd |dd |d|d<nd |dd|d<|dr |dddd|d<d|d<|d=|S)Nrfrozrh)rnrprrz="rsrg)AssertionErrorrrprefixesrjrkr)r>rcrzrnsrqvrrrrrwZs(    z&BleachSanitizerFilter.disallowed_token)r#r$r%rOrPrQrRrr^r_r`r?rerlrmraryrrvrwrrrrrHs$ 3 !+=:ErH) itertoolsrrr<Zxml.sax.saxutilsrZbleachrrr\rPrQrRrkrangeZINVISIBLE_CHARACTERScompileUNICODErr UserWarningr"r&rZZSanitizerFilterrHrrrrs(     *+