z|asU ddlmZddlZddlZddlmZddlmZddlm Z ddl m Z gdZ dd gd gd gd Z gZgd Zd d eeddeddeddDZejdezdzejZdZGddZdZGdde jZdS))chainN)urlparse)unescape) html5lib_shim)alphabetize_attributes) aabbracronymb blockquotecodeemiliolstrongulhreftitle)rr r )httphttpsmailtoc,g|]}t|S)chr).0cs 0lib/python3.11/site-packages/bleach/sanitizer.py r ,sFFFSVVFFF  []?c.eZdZdZeeeedddfdZdZ dS)CleaneraCleaner for cleaning HTML fragments of malicious content This cleaner is a security-focused function whose sole purpose is to remove malicious content from a string such that it can be displayed as content in a web page. To use:: from bleach.sanitizer import Cleaner cleaner = Cleaner() for text in all_the_yucky_things: sanitized = cleaner.clean(text) .. Note:: This cleaner is not designed to use to transform content to be used in non-web-page contexts. .. Warning:: This cleaner is not thread-safe--the html parser has internal state. Create a separate cleaner per thread! FTNc*||_||_||_||_||_||_|pg|_tj|j|jdd|_ tj d|_ tj dddddd|_ dS)a Initializes a Cleaner :arg list tags: allowed list of tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list styles: allowed list of css styles; defaults to ``bleach.sanitizer.ALLOWED_STYLES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip: whether or not to strip disallowed elements :arg bool strip_comments: whether or not to strip HTML comments :arg list filters: list of html5lib Filter classes to pass streamed content through .. seealso:: http://html5lib.readthedocs.io/en/latest/movingparts.html#filters .. Warning:: Using filters changes the output of ``bleach.Cleaner.clean``. Make sure the way the filters change the output are secure. F)tagsstripconsume_entitiesnamespaceHTMLElementsetreealwaysT)quote_attr_valuesomit_optional_tagsescape_lt_in_attrsresolve_entitiessanitizealphabetical_attributesN)r- attributesstyles protocolsr.strip_commentsfiltersrBleachHTMLParserparser getTreeWalkerwalkerBleachHTMLSerializer serializer)selfr-r9r:r;r.r<r=s r__init__zCleaner.__init__TsL $ " ,}" #4*""'     $1':: '<&$##$)    r!c t|ts/d|jj}t ||sdS|j|}t| ||j |j |j |j |j|jg}|jD]}||}|j|S)zCleans text and returns sanitized result as unicode :arg str text: text to be cleaned :returns: sanitized text as unicode :raises TypeError: if ``text`` is not a text type z9argument cannot be of '{name}' type, must be of text type)namer)sourcer9strip_disallowed_elementsstrip_html_commentsallowed_elementsallowed_css_propertiesallowed_protocolsallowed_svg_properties)rH) isinstancestrformat __class____name__ TypeErrorr? parseFragmentBleachSanitizerFilterrAr9r.r<r-r:r;r=rCrender)rDtextmessagedomfiltered filter_classs rcleanz Cleaner.cleans$$$ %KRR0S  G$$ $ 2k''--(;;s##&*j $ 3!Y#';"n#%    !L 5 5L#|8444HH%%h///r!) rS __module__ __qualname____doc__ ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_STYLESALLOWED_PROTOCOLSrEr]rr!rr+r+7s]<%#@ @ @ @ D'0'0'0'0'0r!r+ctrSttrfd}|Sttrfd}|St d)a0Generates attribute filter function for the given attributes value The attributes value can take one of several shapes. This returns a filter function appropriate to the attributes value. One nice thing about this is that there's less if/then shenanigans in the ``allow_token`` method. c|vr*|}t|r ||||S||vrdSdvr(d}t|r ||||S||vSdS)NT*F)callable)tagattrvalueattr_valr9s r _attr_filterz.attribute_filter_factory.._attr_filtersj  %c?H%%6#8Cu5558##4j  %c?H%%6#8Cu555x''5r!c |vSNr)rirjrkr9s rrmz.attribute_filter_factory.._attr_filters:% %r!z3attributes needs to be a callable, a list or a dict)rhrOdictlist ValueError)r9rms` rattribute_filter_factoryrss *d##     $*d## & & & & & J K KKr!c`eZdZdZeddffd ZdZdZdZdZ d Z d Z d Z d Z d ZxZS)rVzmhtml5lib Filter that sanitizes text This filter can be used anywhere html5lib filters can be used. FTc t||_||_||_t jddt dtt|j |fi|S)aCreates a BleachSanitizerFilter instance :arg Treewalker source: stream :arg list tags: allowed list of tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list styles: allowed list of css styles; defaults to ``bleach.sanitizer.ALLOWED_STYLES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip_disallowed_elements: whether or not to strip disallowed elements :arg bool strip_html_comments: whether or not to strip HTML comments ignorez"html5lib's sanitizer is deprecatedzbleach._vendor.html5lib)rYcategorymodule) rs attr_filterrIrJwarningsfilterwarningsDeprecationWarningsuperrVrE)rDrHr9rIrJkwargsrRs rrEzBleachSanitizerFilter.__init__su<4J??)B   8',     ;u*D11:6LLVLLLr!c#K|D]=}||}|st|tr |D]}|V9|V>dSro)sanitize_tokenrOrq)rDtoken_iteratortokenretsubtokens rsanitize_streamz%BleachSanitizerFilter.sanitize_streams{#  E%%e,,C #t$$  ###H"NNNN#   r!c#JKg}|D]u}|rK|ddkr||&dd|Ddd}g}|Vn"|ddkr||q|Vvdd|Ddd}|VdS)z/Merge consecutive Characters tokens in a streamtype Charactersrcg|] }|d Sdatarr char_tokens rr z:BleachSanitizerFilter.merge_characters..8TTTJZ/TTTr!)rrcg|] }|d Srrrs rr z:BleachSanitizerFilter.merge_characters..Frr!N)appendjoin)rDrcharacters_bufferr new_tokens rmerge_charactersz&BleachSanitizerFilter.merge_characters*s#  E  =L00%,,U333 !#TTBSTTT!!!- !!I )+%#OOOOv,..!((///KKKKGGTTBSTTTUU   r!c||tj|Sro)rrrFilter__iter__)rDs rrzBleachSanitizerFilter.__iter__Ks<$$  !5!>!>t!D!D E E   r!cv|d}|dvr^|d|jvr||S|jrdSd|vrt|d|d<||S|dkr-|js$t j|dddd  |d<|SdS|d kr||S|S) aSanitize a token either by HTML-encoding or dropping. Unlike sanitizer.Filter, allowed_attributes can be a dict of {'tag': ['attribute', 'pairs'], 'tag': callable}. Here callable is a function with two arguments of attribute name and value. It should return true of false. Also gives the option to strip tags instead of encoding. :arg dict token: token to sanitize :returns: token or list of tokens r)StartTagEndTagEmptyTagrGNrCommentz"z')"')entitiesr) rK allow_tokenrIrdisallowed_tokenrJrescapesanitize_characters)rDr token_types rrz$BleachSanitizerFilter.sanitize_tokenPs 6] ; ; ;V} 555''.../ 4tU??%;5=$I$IE&M,,U333 9 $ $+  - 4&M(,J,J!!!f  t < ' '++E22 2Lr!c&|dd}|s|Stt|}||d<d|vr|Sg}t j|D]}|s|drt j|}|l|dkr|dddn|d|d |t|d zd}|r|d|d|d|d|S) aHandles Characters tokens Our overridden tokenizer doesn't do anything with entities. However, that means that the serializer will convert all ``&`` in Characters tokens to ``&``. Since we don't want that, we extract entities here and convert them to Entity tokens so the serializer will let them be. :arg token: the Characters token to work on :returns: a list of tokens rr&Nampr)rrEntity)rrG) getINVISIBLE_CHARACTERS_REsubINVISIBLE_REPLACEMENT_CHARrnext_possible_entity startswith match_entityrlen)rDrr new_tokenspartentity remainders rrz)BleachSanitizerFilter.sanitize_characterssZyy$$ L&**+EtLLf  d??L "6t<< D DD s## &3D99%#))<*M*MNNNN"))8V*L*LMMM!%S[[1_%6%6 7I U"))<*S*STTT   |TBB C C C Cr!ctj|}tjdd|}|dd}|} t |}n#t$rYdSwxYw|jr |j|vr|Sn@| dr|Sd|vr| dd|vr|Sd|vr|SdS) zChecks a uri value to see if it's allowed :arg value: the uri value to sanitize :arg allowed_protocols: list of allowed protocols :returns: allowed value or None z[`\000-\040\177-\240\s]+ru�N#:rr) rconvert_entitiesrerreplacelowerrrrschemersplit)rDrkrM new_valueparseds rsanitize_uri_valuez(BleachSanitizerFilter.sanitize_uri_values"2599 F6IFF %%h33 OO%%  i((FF   44  = } 111 2 ##C((  iIOOC$8$8$;?P$P$P *** tsA&& A43A4cXd|vr$i}|dD]\}}|\}}||d||s(||jvr |||j}|O|}||jvrrGr)rrrrz="rz<%s> selfClosingz/>r)rrprefixesrrr)rDrrrnsrGvrs rrz&BleachSanitizerFilter.disallowed_token/sz6]  ! !#eFm3E&MM 6] 3!99999E!&v!4!4!6!6   TA(d(#RB:=+A!A!A&*OO1>1G1K1K1KTT&RO (      .).f rwwu~~~~FE&MM#U6]2E&M 99] # # 6!&M#2#.5E&M$f &M r!ctj|}tjdd|}|d}tjdtjtjz}|D]}||sdStjd|sdSg}tj d|D]{\}}|s| |j vr| |d z|zdzB| |j vr| |d z|zdz|d|S) zSanitizes css in style tagszurl\s*\(\s*[^\s)]+?\s*\)\s*r;ak^( # consider a style attribute value as composed of: [/:,#%!.\s\w] # a non-newline character |\w-\w # 3 characters in the form \w-\w |'[\s\w]+'\s* # a single quoted string of [\s\w]+ with trailing space |"[\s\w]+" # a double quoted string of [\s\w]+ |\([\d,%\.\s]+\) # a parenthesized string of one or more digits, commas, periods, ... )*$)flagsrz ^\s*([-\w]+\s*:[^:;]*(;\s*|$))*$z([-\w]+)\s*:\s*([^:;]*)z: )rrrcompilerrUVERBOSEmatchfindallrrLrrNr)rDrpartsgauntletrr]proprks rrz"BleachSanitizerFilter.sanitize_css[so.u55 9::>>sEJJ  C  : $#      D>>$'' rr x;UCC 2:&@%HH 8 8KD% zz||t::: TD[50367777!<<< TD[5036777xxr!)rSr^r_r`rbrErrrrrrrrr __classcell__)rRs@rrVrVs&"' )M)M)M)M)M)MV   B   ---^;;;z555n:::x***X*******r!rV) itertoolsrrrzbleach._vendor.parserxml.sax.saxutilsrbleachr bleach.utilsrrarbrcrdrrangeINVISIBLE_CHARACTERSrUNICODErrr+rsSanitizerFilterrVrr!rrs ))))))%%%%%% //////    $ '  Iy0//wwFFUU55A;;b" uuR}}EEFFF %"*S+?%?#%ErzRR!F0F0F0F0F0F0F0F0R(L(L(LVZZZZZM9ZZZZZr!