Mercurial > genshi > mirror
annotate genshi/filters/html.py @ 724:919809e55d16 experimental-match-fastpaths
update to trunk to track r847, fixing python 2.4 compatibility issues in speedup (and fixing copyrights, apparently :))
author | aflett |
---|---|
date | Mon, 21 Apr 2008 19:36:53 +0000 |
parents | d143dd73789b |
children | 52219748e5c1 62b7d1a058dd |
rev | line source |
---|---|
1 | 1 # -*- coding: utf-8 -*- |
2 # | |
724
919809e55d16
update to trunk to track r847, fixing python 2.4 compatibility issues in speedup (and fixing copyrights, apparently :))
aflett
parents:
718
diff
changeset
|
3 # Copyright (C) 2006-2008 Edgewall Software |
1 | 4 # All rights reserved. |
5 # | |
6 # This software is licensed as described in the file COPYING, which | |
7 # you should have received as part of this distribution. The terms | |
230 | 8 # are also available at http://genshi.edgewall.org/wiki/License. |
1 | 9 # |
10 # This software consists of voluntary contributions made by many | |
11 # individuals. For the exact contribution history, see the revision | |
230 | 12 # history and logs, available at http://genshi.edgewall.org/log/. |
1 | 13 |
14 """Implementation of a number of stream filters.""" | |
15 | |
16 try: | |
718 | 17 set |
1 | 18 except NameError: |
19 from sets import ImmutableSet as frozenset | |
718 | 20 from sets import Set as set |
1 | 21 import re |
22 | |
403
228907abb726
Remove some magic/overhead from `Attrs` creation and manipulation by not automatically wrapping attribute names in `QName`.
cmlenz
parents:
363
diff
changeset
|
23 from genshi.core import Attrs, QName, stripentities |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
24 from genshi.core import END, START, TEXT, COMMENT |
1 | 25 |
363
37e4b4bb0b53
Parse template includes at parse time to avoid some runtime overhead.
cmlenz
parents:
345
diff
changeset
|
26 __all__ = ['HTMLFormFiller', 'HTMLSanitizer'] |
425
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
27 __docformat__ = 'restructuredtext en' |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
28 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
29 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
30 class HTMLFormFiller(object): |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
31 """A stream filter that can populate HTML forms from a dictionary of values. |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
32 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
33 >>> from genshi.input import HTML |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
34 >>> html = HTML('''<form> |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
35 ... <p><input type="text" name="foo" /></p> |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
36 ... </form>''') |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
37 >>> filler = HTMLFormFiller(data={'foo': 'bar'}) |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
38 >>> print html | filler |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
39 <form> |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
40 <p><input type="text" name="foo" value="bar"/></p> |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
41 </form> |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
42 """ |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
43 # TODO: only select the first radio button, and the first select option |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
44 # (if not in a multiple-select) |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
45 # TODO: only apply to elements in the XHTML namespace (or no namespace)? |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
46 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
47 def __init__(self, name=None, id=None, data=None): |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
48 """Create the filter. |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
49 |
425
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
50 :param name: The name of the form that should be populated. If this |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
51 parameter is given, only forms where the ``name`` attribute |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
52 value matches the parameter are processed. |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
53 :param id: The ID of the form that should be populated. If this |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
54 parameter is given, only forms where the ``id`` attribute |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
55 value matches the parameter are processed. |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
56 :param data: The dictionary of form values, where the keys are the names |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
57 of the form fields, and the values are the values to fill |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
58 in. |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
59 """ |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
60 self.name = name |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
61 self.id = id |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
62 if data is None: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
63 data = {} |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
64 self.data = data |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
65 |
439
9f11c745fac9
Add support for adding custom template filters by passing a custom callback function to the `TemplateLoader`. Closes #89 (see added unit test).
cmlenz
parents:
431
diff
changeset
|
66 def __call__(self, stream): |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
67 """Apply the filter to the given stream. |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
68 |
425
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
69 :param stream: the markup event stream to filter |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
70 """ |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
71 in_form = in_select = in_option = in_textarea = False |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
72 select_value = option_value = textarea_value = None |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
73 option_start = None |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
74 option_text = [] |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
75 no_option_value = False |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
76 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
77 for kind, data, pos in stream: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
78 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
79 if kind is START: |
345 | 80 tag, attrs = data |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
81 tagname = tag.localname |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
82 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
83 if tagname == 'form' and ( |
345 | 84 self.name and attrs.get('name') == self.name or |
85 self.id and attrs.get('id') == self.id or | |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
86 not (self.id or self.name)): |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
87 in_form = True |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
88 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
89 elif in_form: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
90 if tagname == 'input': |
345 | 91 type = attrs.get('type') |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
92 if type in ('checkbox', 'radio'): |
345 | 93 name = attrs.get('name') |
471
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
94 if name and name in self.data: |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
95 value = self.data[name] |
345 | 96 declval = attrs.get('value') |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
97 checked = False |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
98 if isinstance(value, (list, tuple)): |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
99 if declval: |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
100 checked = declval in [unicode(v) for v |
415
b9f9a22484f0
`HTMLFormFiller` now correctly deals with non-string values in the data dictionary for select/checkbox/radio controls.
cmlenz
parents:
408
diff
changeset
|
101 in value] |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
102 else: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
103 checked = bool(filter(None, value)) |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
104 else: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
105 if declval: |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
106 checked = declval == unicode(value) |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
107 elif type == 'checkbox': |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
108 checked = bool(value) |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
109 if checked: |
403
228907abb726
Remove some magic/overhead from `Attrs` creation and manipulation by not automatically wrapping attribute names in `QName`.
cmlenz
parents:
363
diff
changeset
|
110 attrs |= [(QName('checked'), 'checked')] |
345 | 111 elif 'checked' in attrs: |
112 attrs -= 'checked' | |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
113 elif type in (None, 'hidden', 'text'): |
345 | 114 name = attrs.get('name') |
471
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
115 if name and name in self.data: |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
116 value = self.data[name] |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
117 if isinstance(value, (list, tuple)): |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
118 value = value[0] |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
119 if value is not None: |
403
228907abb726
Remove some magic/overhead from `Attrs` creation and manipulation by not automatically wrapping attribute names in `QName`.
cmlenz
parents:
363
diff
changeset
|
120 attrs |= [(QName('value'), unicode(value))] |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
121 elif tagname == 'select': |
345 | 122 name = attrs.get('name') |
471
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
123 if name in self.data: |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
124 select_value = self.data[name] |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
125 in_select = True |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
126 elif tagname == 'textarea': |
345 | 127 name = attrs.get('name') |
471
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
128 if name in self.data: |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
129 textarea_value = self.data.get(name) |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
130 if isinstance(textarea_value, (list, tuple)): |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
131 textarea_value = textarea_value[0] |
76a0ec32835d
The `HTMLFormFiller` stream filter no longer alters form elements for which the data element contains no corresponding item.
cmlenz
parents:
446
diff
changeset
|
132 in_textarea = True |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
133 elif in_select and tagname == 'option': |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
134 option_start = kind, data, pos |
345 | 135 option_value = attrs.get('value') |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
136 if option_value is None: |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
137 no_option_value = True |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
138 option_value = '' |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
139 in_option = True |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
140 continue |
345 | 141 yield kind, (tag, attrs), pos |
142 | |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
143 elif in_form and kind is TEXT: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
144 if in_select and in_option: |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
145 if no_option_value: |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
146 option_value += data |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
147 option_text.append((kind, data, pos)) |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
148 continue |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
149 elif in_textarea: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
150 continue |
345 | 151 yield kind, data, pos |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
152 |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
153 elif in_form and kind is END: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
154 tagname = data.localname |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
155 if tagname == 'form': |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
156 in_form = False |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
157 elif tagname == 'select': |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
158 in_select = False |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
159 select_value = None |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
160 elif in_select and tagname == 'option': |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
161 if isinstance(select_value, (tuple, list)): |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
162 selected = option_value in [unicode(v) for v |
415
b9f9a22484f0
`HTMLFormFiller` now correctly deals with non-string values in the data dictionary for select/checkbox/radio controls.
cmlenz
parents:
408
diff
changeset
|
163 in select_value] |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
164 else: |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
165 selected = option_value == unicode(select_value) |
345 | 166 okind, (tag, attrs), opos = option_start |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
167 if selected: |
403
228907abb726
Remove some magic/overhead from `Attrs` creation and manipulation by not automatically wrapping attribute names in `QName`.
cmlenz
parents:
363
diff
changeset
|
168 attrs |= [(QName('selected'), 'selected')] |
345 | 169 elif 'selected' in attrs: |
170 attrs -= 'selected' | |
171 yield okind, (tag, attrs), opos | |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
172 if option_text: |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
173 for event in option_text: |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
174 yield event |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
175 in_option = False |
584
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
176 no_option_value = False |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
177 option_start = option_value = None |
94f719af686d
Fixed a few cases where HTMLFormFiller didn't work well with option elements:
jonas
parents:
576
diff
changeset
|
178 option_text = [] |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
179 elif tagname == 'textarea': |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
180 if textarea_value: |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
181 yield TEXT, unicode(textarea_value), pos |
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
182 in_textarea = False |
345 | 183 yield kind, data, pos |
275
d91cbdeb75e9
Integrated `HTMLFormFiller` filter initially presented as a [wiki:FormFilling#Usingatemplatefilter recipe].
cmlenz
parents:
230
diff
changeset
|
184 |
345 | 185 else: |
186 yield kind, data, pos | |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
187 |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
188 |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
189 class HTMLSanitizer(object): |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
190 """A filter that removes potentially dangerous HTML tags and attributes |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
191 from the stream. |
431
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
192 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
193 >>> from genshi import HTML |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
194 >>> html = HTML('<div><script>alert(document.cookie)</script></div>') |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
195 >>> print html | HTMLSanitizer() |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
196 <div/> |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
197 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
198 The default set of safe tags and attributes can be modified when the filter |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
199 is instantiated. For example, to allow inline ``style`` attributes, the |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
200 following instantation would work: |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
201 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
202 >>> html = HTML('<div style="background: #000"></div>') |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
203 >>> sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style'])) |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
204 >>> print html | sanitizer |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
205 <div style="background: #000"/> |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
206 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
207 Note that even in this case, the filter *does* attempt to remove dangerous |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
208 constructs from style attributes: |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
209 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
210 >>> html = HTML('<div style="background: url(javascript:void); color: #000"></div>') |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
211 >>> print html | sanitizer |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
212 <div style="color: #000"/> |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
213 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
214 This handles HTML entities, unicode escapes in CSS and Javascript text, as |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
215 well as a lot of other things. However, the style tag is still excluded by |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
216 default because it is very hard for such sanitizing to be completely safe, |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
217 especially considering how much error recovery current web browsers perform. |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
218 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
219 :warn: Note that this special processing of CSS is currently only applied to |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
220 style attributes, **not** style elements. |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
221 """ |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
222 |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
223 SAFE_TAGS = frozenset(['a', 'abbr', 'acronym', 'address', 'area', 'b', |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
224 'big', 'blockquote', 'br', 'button', 'caption', 'center', 'cite', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
225 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', 'dt', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
226 'em', 'fieldset', 'font', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
227 'hr', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'map', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
228 'menu', 'ol', 'optgroup', 'option', 'p', 'pre', 'q', 's', 'samp', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
229 'select', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
230 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
231 'ul', 'var']) |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
232 |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
233 SAFE_ATTRS = frozenset(['abbr', 'accept', 'accept-charset', 'accesskey', |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
234 'action', 'align', 'alt', 'axis', 'bgcolor', 'border', 'cellpadding', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
235 'cellspacing', 'char', 'charoff', 'charset', 'checked', 'cite', 'class', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
236 'clear', 'cols', 'colspan', 'color', 'compact', 'coords', 'datetime', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
237 'dir', 'disabled', 'enctype', 'for', 'frame', 'headers', 'height', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
238 'href', 'hreflang', 'hspace', 'id', 'ismap', 'label', 'lang', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
239 'longdesc', 'maxlength', 'media', 'method', 'multiple', 'name', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
240 'nohref', 'noshade', 'nowrap', 'prompt', 'readonly', 'rel', 'rev', |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
241 'rows', 'rowspan', 'rules', 'scope', 'selected', 'shape', 'size', |
431
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
242 'span', 'src', 'start', 'summary', 'tabindex', 'target', 'title', |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
243 'type', 'usemap', 'valign', 'value', 'vspace', 'width']) |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
244 |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
245 SAFE_SCHEMES = frozenset(['file', 'ftp', 'http', 'https', 'mailto', None]) |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
246 |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
247 URI_ATTRS = frozenset(['action', 'background', 'dynsrc', 'href', 'lowsrc', |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
248 'src']) |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
249 |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
250 def __init__(self, safe_tags=SAFE_TAGS, safe_attrs=SAFE_ATTRS, |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
251 safe_schemes=SAFE_SCHEMES, uri_attrs=URI_ATTRS): |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
252 """Create the sanitizer. |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
253 |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
254 The exact set of allowed elements and attributes can be configured. |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
255 |
425
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
256 :param safe_tags: a set of tag names that are considered safe |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
257 :param safe_attrs: a set of attribute names that are considered safe |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
258 :param safe_schemes: a set of URI schemes that are considered safe |
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
259 :param uri_attrs: a set of names of attributes that contain URIs |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
260 """ |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
261 self.safe_tags = safe_tags |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
262 "The set of tag names that are considered safe." |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
263 self.safe_attrs = safe_attrs |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
264 "The set of attribute names that are considered safe." |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
265 self.uri_attrs = uri_attrs |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
266 "The set of names of attributes that may contain URIs." |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
267 self.safe_schemes = safe_schemes |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
268 "The set of URI schemes that are considered safe." |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
269 |
439
9f11c745fac9
Add support for adding custom template filters by passing a custom callback function to the `TemplateLoader`. Closes #89 (see added unit test).
cmlenz
parents:
431
diff
changeset
|
270 def __call__(self, stream): |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
271 """Apply the filter to the given stream. |
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
272 |
425
073640758a42
Try to use proper reStructuredText for docstrings throughout.
cmlenz
parents:
415
diff
changeset
|
273 :param stream: the markup event stream to filter |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
274 """ |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
275 waiting_for = None |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
276 |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
277 for kind, data, pos in stream: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
278 if kind is START: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
279 if waiting_for: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
280 continue |
345 | 281 tag, attrs = data |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
282 if tag not in self.safe_tags: |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
283 waiting_for = tag |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
284 continue |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
285 |
345 | 286 new_attrs = [] |
287 for attr, value in attrs: | |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
288 value = stripentities(value) |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
289 if attr not in self.safe_attrs: |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
290 continue |
277
7e30bfa966ab
The `HTMLSanitizer` now lets you override the default set of tag and attribute names that are considered safe.
cmlenz
parents:
275
diff
changeset
|
291 elif attr in self.uri_attrs: |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
292 # Don't allow URI schemes such as "javascript:" |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
293 if not self.is_safe_uri(value): |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
294 continue |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
295 elif attr == 'style': |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
296 # Remove dangerous CSS declarations from inline styles |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
297 decls = self.sanitize_css(value) |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
298 if not decls: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
299 continue |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
300 value = '; '.join(decls) |
345 | 301 new_attrs.append((attr, value)) |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
302 |
345 | 303 yield kind, (tag, Attrs(new_attrs)), pos |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
304 |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
305 elif kind is END: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
306 tag = data |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
307 if waiting_for: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
308 if waiting_for == tag: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
309 waiting_for = None |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
310 else: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
311 yield kind, data, pos |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
312 |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
313 elif kind is not COMMENT: |
123
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
314 if not waiting_for: |
10279d2eeec9
Fix for #18: whitespace in space-sensitive elements such as `<pre>` and `<textarea>` is now preserved.
cmlenz
parents:
113
diff
changeset
|
315 yield kind, data, pos |
431
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
316 |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
317 def is_safe_uri(self, uri): |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
318 """Determine whether the given URI is to be considered safe for |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
319 inclusion in the output. |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
320 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
321 The default implementation checks whether the scheme of the URI is in |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
322 the set of allowed URIs (`safe_schemes`). |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
323 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
324 >>> sanitizer = HTMLSanitizer() |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
325 >>> sanitizer.is_safe_uri('http://example.org/') |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
326 True |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
327 >>> sanitizer.is_safe_uri('javascript:alert(document.cookie)') |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
328 False |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
329 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
330 :param uri: the URI to check |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
331 :return: `True` if the URI can be considered safe, `False` otherwise |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
332 :rtype: `bool` |
576 | 333 :since: version 0.4.3 |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
334 """ |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
335 if ':' not in uri: |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
336 return True # This is a relative URI |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
337 chars = [char for char in uri.split(':', 1)[0] if char.isalnum()] |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
338 return ''.join(chars).lower() in self.safe_schemes |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
339 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
340 def sanitize_css(self, text): |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
341 """Remove potentially dangerous property declarations from CSS code. |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
342 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
343 In particular, properties using the CSS ``url()`` function with a scheme |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
344 that is not considered safe are removed: |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
345 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
346 >>> sanitizer = HTMLSanitizer() |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
347 >>> sanitizer.sanitize_css(u''' |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
348 ... background: url(javascript:alert("foo")); |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
349 ... color: #000; |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
350 ... ''') |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
351 [u'color: #000'] |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
352 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
353 Also, the proprietary Internet Explorer function ``expression()`` is |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
354 always stripped: |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
355 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
356 >>> sanitizer.sanitize_css(u''' |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
357 ... background: #fff; |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
358 ... color: #000; |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
359 ... width: e/**/xpression(alert("foo")); |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
360 ... ''') |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
361 [u'background: #fff', u'color: #000'] |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
362 |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
363 :param text: the CSS text; this is expected to be `unicode` and to not |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
364 contain any character or numeric references |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
365 :return: a list of declarations that are considered safe |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
366 :rtype: `list` |
576 | 367 :since: version 0.4.3 |
571
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
368 """ |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
369 decls = [] |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
370 text = self._strip_css_comments(self._replace_unicode_escapes(text)) |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
371 for decl in filter(None, text.split(';')): |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
372 decl = decl.strip() |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
373 if not decl: |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
374 continue |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
375 is_evil = False |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
376 if 'expression' in decl: |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
377 is_evil = True |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
378 for match in re.finditer(r'url\s*\(([^)]+)', decl): |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
379 if not self.is_safe_uri(match.group(1)): |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
380 is_evil = True |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
381 break |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
382 if not is_evil: |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
383 decls.append(decl.strip()) |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
384 return decls |
f0461dc3939a
* Cleaned up the implementation of the `HTMLSanitizer`.
cmlenz
parents:
556
diff
changeset
|
385 |
431
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
386 _NORMALIZE_NEWLINES = re.compile(r'\r\n').sub |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
387 _UNICODE_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})\s?').sub |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
388 |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
389 def _replace_unicode_escapes(self, text): |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
390 def _repl(match): |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
391 return unichr(int(match.group(1), 16)) |
ad01564e87f2
* Don't allow `style` attributes by default in the `HTMLSanitizer`. Closes #97.
cmlenz
parents:
425
diff
changeset
|
392 return self._UNICODE_ESCAPE(_repl, self._NORMALIZE_NEWLINES('\n', text)) |
556
0d98569eaced
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
cmlenz
parents:
471
diff
changeset
|
393 |
0d98569eaced
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
cmlenz
parents:
471
diff
changeset
|
394 _CSS_COMMENTS = re.compile(r'/\*.*?\*/').sub |
0d98569eaced
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
cmlenz
parents:
471
diff
changeset
|
395 |
0d98569eaced
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
cmlenz
parents:
471
diff
changeset
|
396 def _strip_css_comments(self, text): |
0d98569eaced
The HTML sanitizer now strips any CSS comments in style attributes, which could previously be used to hide malicious property values.
cmlenz
parents:
471
diff
changeset
|
397 return self._CSS_COMMENTS('', text) |