MhU ddlmZddlZddlZddlmZddlmZddlmZe dZ ddgdgdgd Z e d Z d d eedd eddeddDZejdezdzejZdZGddeZGddZdZGddejZdS))chainN)unescape) html5lib_shim) parse_shim) aabbracronymb blockquotecodeemiliolstrongulhreftitle)rrr )httphttpsmailtoc,g|]}t|S)chr).0cs P/var/www/html/test/jupyter/venv/lib/python3.11/site-packages/bleach/sanitizer.py r*sFFFSVVFFF  []?ceZdZdS)NoCssSanitizerWarningN)__name__ __module__ __qualname__rr rr*r*5sDr r*c.eZdZdZeeeddddfdZdZdS)CleaneraCleaner for cleaning HTML fragments of malicious content This cleaner is a security-focused function whose sole purpose is to remove malicious content from a string such that it can be displayed as content in a web page. To use:: from bleach.sanitizer import Cleaner cleaner = Cleaner() for text in all_the_yucky_things: sanitized = cleaner.clean(text) .. Note:: This cleaner is not designed to use to transform content to be used in non-web-page contexts. .. Warning:: This cleaner is not thread-safe--the html parser has internal state. Create a separate cleaner per thread! FTNcf||_||_||_||_||_|pg|_||_tj|j|jdd|_ tj d|_ tj dddddd|_ |g}t|tr|}n_t|t rJg}|D]3} t| tt$fr|| 4d|vrt)jd t, dSdSdS) a:Initializes a Cleaner :arg set tags: set of allowed tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip: whether or not to strip disallowed elements :arg bool strip_comments: whether or not to strip HTML comments :arg list filters: list of html5lib Filter classes to pass streamed content through .. seealso:: http://html5lib.readthedocs.io/en/latest/movingparts.html#filters .. Warning:: Using filters changes the output of ``bleach.Cleaner.clean``. Make sure the way the filters change the output are secure. :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None F)tagsstripconsume_entitiesnamespaceHTMLElementsetreealwaysT)quote_attr_valuesomit_optional_tagsescape_lt_in_attrsresolve_entitiessanitizealphabetical_attributesNstylez7'style' attribute specified, but css_sanitizer not set.)category)r1 attributes protocolsr2strip_commentsfilters css_sanitizerrBleachHTMLParserparser getTreeWalkerwalkerBleachHTMLSerializer serializer isinstancelistdictvaluestupleextendwarningswarnr*) selfr1r?r@r2rArBrCattributes_valuesrMs r__init__zCleaner.__init__VstL $" ,}" *#4*""'     $1':: '<&$##$)      !# *d++ 9$.!!J-- 9$&!(//1199F!&4-889)00888+++ M2 ! ,+r c t|ts"d|jjddz}t ||sdS|j|}t|||j |j |j |j |j |j}|jD]}||}|j|S)zCleans text and returns sanitized result as unicode :arg str text: text to be cleaned :returns: sanitized text as unicode :raises TypeError: if ``text`` is not a text type zargument cannot be of z type, zmust be of text typer)source allowed_tagsr?strip_disallowed_tagsstrip_html_commentsrCallowed_protocols)rV)rJstr __class__r+ TypeErrorrE parseFragmentBleachSanitizerFilterrGr1r?r2rArCr@rBrIrender)rRtextmessagedomfiltered filter_classs rcleanz Cleaner.cleans$$$ %K)@KKK() G$$ $ 2k''--(;;s##"&* $ 3,"n   !L 5 5L#|8444HH%%h///r ) r+r,r-__doc__ ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_PROTOCOLSrTrfrr rr/r/9s]<%#SSSSj#0#0#0#0#0r r/ctrSttrfd}|Sttrfd}|St d)a0Generates attribute filter function for the given attributes value The attributes value can take one of several shapes. This returns a filter function appropriate to the attributes value. One nice thing about this is that there's less if/then shenanigans in the ``allow_token`` method. c|vr*|}t|r ||||S||vrdSdvr(d}t|r ||||S||vSdS)NT*F)callable)tagattrvalueattr_valr?s r _attr_filterz.attribute_filter_factory.._attr_filtersj  %c?H%%6#8Cu5558##4j  %c?H%%6#8Cu555x''5r c |vSNr)rorprqr?s rrsz.attribute_filter_factory.._attr_filters:% %r z3attributes needs to be a callable, a list or a dict)rnrJrLrK ValueError)r?rss` rattribute_filter_factoryrws *d##     $*d## & & & & & J K KKr c zeZdZdZeeeejej ej dddf dZ dZ dZ dZd Zd Zd Zd Zd ZdS)r_zmhtml5lib Filter that sanitizes text This filter can be used anywhere html5lib filters can be used. FTNc tj||t||_t||_t ||_||_| |_ ||_ ||_ | |_ ||_ dS)a_Creates a BleachSanitizerFilter instance :arg source: html5lib TreeWalker stream as an html5lib TreeWalker :arg set allowed_tags: set of allowed tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list allowed_protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg attr_val_is_uri: set of attributes that have URI values :arg svg_attr_val_allows_ref: set of SVG attributes that can have references :arg svg_allow_local_href: set of SVG elements that can have local hrefs :arg bool strip_disallowed_tags: whether or not to strip disallowed tags :arg bool strip_html_comments: whether or not to strip HTML comments :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None N)rFilterrT frozensetrWrZrw attr_filterrXrYattr_val_is_urisvg_attr_val_allows_refrCsvg_allow_local_href) rRrVrWr?rZr}r~rrXrYrCs rrTzBleachSanitizerFilter.__init__s` %%dF333%l33!*+$*$8!!!r c#K|D]<}||}|st|tr |Ed{V8|V=dSru)sanitize_tokenrJrK)rRtoken_iteratortokenrets rsanitize_streamz%BleachSanitizerFilter.sanitize_streamAsm#  E%%e,,C #t$$    r c#JKg}|D]u}|rK|ddkr||&dd|Ddd}g}|Vn"|ddkr||q|Vvdd|Ddd}|VdS)z/Merge consecutive Characters tokens in a streamtype Charactersrcg|] }|d Sdatarr char_tokens rrz:BleachSanitizerFilter.merge_characters..[TTTJZ/TTTr )rrcg|] }|d Srrrs rrz:BleachSanitizerFilter.merge_characters..irr N)appendjoin)rRrcharacters_bufferr new_tokens rmerge_charactersz&BleachSanitizerFilter.merge_charactersMs#  E  =L00%,,U333 !#TTBSTTT!!!- !!I )+%#OOOOv,..!((///KKKKGGTTBSTTTUU   r c||tj|Sru)rrrrz__iter__)rRs rrzBleachSanitizerFilter.__iter__ns<$$  !5!>!>t!D!D E E   r c>|d}|dvrB|d|jvr||S|jrdS||S|dkr-|js$t j|dddd  |d<|SdS|d kr||S|S) aSanitize a token either by HTML-encoding or dropping. Unlike sanitizer.Filter, allowed_attributes can be a dict of {'tag': ['attribute', 'pairs'], 'tag': callable}. Here callable is a function with two arguments of attribute name and value. It should return true of false. Also gives the option to strip tags instead of encoding. :arg dict token: token to sanitize :returns: token or list of tokens r)StartTagEndTagEmptyTagnameNCommentrz"z')"')entitiesr)rW allow_tokenrXdisallowed_tokenrYrescapesanitize_characters)rRr token_types rrz$BleachSanitizerFilter.sanitize_tokenss 6] ; ; ;V} 111''...+ 4t,,U333 9 $ $+  - 4&M(,J,J!!!f  t < ' '++E22 2Lr c&|dd}|s|Stt|}||d<d|vr|Sg}t j|D]}|s|drt j|}|l|dkr|dddn|d|d |t|d zd}|r|d|d|d|d|S) aHandles Characters tokens Our overridden tokenizer doesn't do anything with entities. However, that means that the serializer will convert all ``&`` in Characters tokens to ``&``. Since we don't want that, we extract entities here and convert them to Entity tokens so the serializer will let them be. :arg token: the Characters token to work on :returns: a list of tokens rr&Nampr)rrEntity)rr) getINVISIBLE_CHARACTERS_REsubINVISIBLE_REPLACEMENT_CHARrnext_possible_entity startswith match_entityrlen)rRrr new_tokenspartentity remainders rrz)BleachSanitizerFilter.sanitize_characterssZyy$$ L&**+EtLLf  d??L "6t<< D DD s## &3D99%#))<*M*MNNNN"))8V*L*LMMM!%S[[1_%6%6 7I U"))<*S*STTT   |TBB C C C Cr ctj|}tjdd|}|dd}|} t j|}n#t$rYdSwxYw|j r |j |vr|SnD| dr|Sd|vr| dd|vr|Sd|vsd |vr|SdS) zChecks a uri value to see if it's allowed :arg value: the uri value to sanitize :arg allowed_protocols: list of allowed protocols :returns: allowed value or None z[`\000-\040\177-\240\s]+ru�N#:rrr) rconvert_entitiesrerreplacelowerrurlparservschemersplit)rRrqrZnormalized_uriparseds rsanitize_uri_valuez(BleachSanitizerFilter.sanitize_uri_values$'7>> ;RPP(//"==(--//  (88FF   44  = } 111 2 ((--  ~%%"((--a04EEE ***g9J.J.J tsA++ A98A9c`d|vr(i}|dD]\}}|\}}||d||s)||jvr |||j}|P|}||jvrr)rrrrz="rr)rrprefixesrrr)rRrrrnsrvrs rrz&BleachSanitizerFilter.disallowed_tokenZs6]  ! !1v111E&MM 6] 1!99999E!&v!4!4!6!6 : : TA(d(#RB:=+A!A!A&*OO)6)?)C&L&Ld&L&LO  888A8889999@f @rwwu~~@@@E&MM1f 000E&M 99] # # 6$V}SbS1555E&M$f &M r )r+r,r-rgrhrirjrr}r~rrTrrrrrrrrrr rr_r_s"%+%5 - E*?# <9<9<9<9|   B   )))V;;;z888tCCCJ$$$$$r r_) itertoolsrrrPxml.sax.saxutilsrbleachrrr{rhrirjrrangeINVISIBLE_CHARACTERScompileUNICODErr UserWarningr*r/rwSanitizerFilterr_rr rrs %%%%%% y  ( '  IyI9::wwFFUU55A;;b" uuR}}EEFFF %"*S+?%?#%ErzRR!     K   U0U0U0U0U0U0U0U0p(L(L(LVBBBBBM9BBBBBr