##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
markdown: use bleach to cleanup html from markdown. This also enabled strict...
marcink -
r2440:86196e6b default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -0,0 +1,403 b''
1 all_tags = [
2 "a", "abbr", "acronym", "address", "applet", "area", "article", "aside", "audio",
3 "b", "base", "basefont", "bdi", "bdo", "bgsound", "big", "blink", "blockquote", "body", "br", "button",
4 "canvas", "caption", "center", "cite", "code", "col", "colgroup", "command", "content",
5 "data", "datalist", "dd", "del", "detals", "dfn", "dialog", "dir", "div", "dl", "dt",
6 "element", "em", "embed",
7 "fieldset", "figcaption", "figure", "font", "footer", "form", "frame", "frameset",
8 "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html",
9 "i", "iframe", "image", "img", "input", "ins", "isindex",
10 "kbd", "keygen",
11 "label", "legend", "li", "link", "listing",
12 "main", "map", "mark", "marquee", "menu", "menuitem", "meta", "meter", "multicol",
13 "nav", "nobr", "noembed", "noframes", "noscript",
14 "object", "ol", "optgroup", "option", "output",
15 "p", "param", "picture", "plaintext", "pre", "progress",
16 "q",
17 "rp", "rt", "ruby",
18 "s", "samp", "script", "section", "select", "shadow", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "summary", "sup",
19 "table", "tbody", "td", "template", "textarea", "tfoot", "th", "thead", "time", "title", "tr", "track", "tt",
20 "u", "ul",
21 "var", "video",
22 "wbr",
23 "xmp",
24 ]
25
26 # List tags that, if included in a page, could break markup or open XSS.
27 generally_xss_unsafe = [
28 "applet", "audio",
29 "bgsound", "body",
30 "canvas",
31 "embed",
32 "frame", "frameset",
33 "head", "html",
34 "iframe",
35 "link",
36 "meta",
37 "object",
38 "param",
39 "source", "script",
40 "ruby", "rt",
41 "title", "track",
42 "video",
43 "xmp"
44 ]
45
46 # Tags that, if included on the page, will probably not break markup or open
47 # XSS. Note that these must be combined with attribute whitelisting, or things
48 # like <img> and <style> could still be unsafe.
49 generally_xss_safe = list(set(all_tags) - set(generally_xss_unsafe))
50 generally_xss_safe.sort()
51
52 # Tags suitable for rendering markdown
53 markdown_tags = [
54 "h1", "h2", "h3", "h4", "h5", "h6",
55 "b", "i", "strong", "em", "tt",
56 "p", "br",
57 "span", "div", "blockquote", "code", "hr", "pre", "del",
58 "ul", "ol", "li",
59 "dl", "dd", "dt",
60 "table", "thead", "tbody", "tfoot", "tr", "th", "td",
61 "img",
62 "a",
63 ]
64
65 markdown_attrs = {
66 "*": ["class", "style", "align"],
67 "img": ["src", "alt", "title"],
68 "a": ["href", "alt", "title", "name"],
69 "abbr": ["title"],
70 "acronym": ["title"],
71 "pre": ["lang"]
72 }
73
74 standard_styles = [
75 # Taken from https://developer.mozilla.org/en-US/docs/Web/CSS/Reference
76 # This includes pseudo-classes, pseudo-elements, @-rules, units, and
77 # selectors in addition to properties, but it doesn't matter for our
78 # purposes -- we don't need to filter styles..
79 ":active", "::after (:after)", "align-content", "align-items", "align-self",
80 "all", "<angle>", "animation", "animation-delay", "animation-direction",
81 "animation-duration", "animation-fill-mode", "animation-iteration-count",
82 "animation-name", "animation-play-state", "animation-timing-function",
83 "@annotation", "annotation()", "attr()", "::backdrop", "backface-visibility",
84 "background", "background-attachment", "background-blend-mode",
85 "background-clip", "background-color", "background-image", "background-origin",
86 "background-position", "background-repeat", "background-size", "<basic-shape>",
87 "::before (:before)", "<blend-mode>", "blur()", "border", "border-bottom",
88 "border-bottom-color", "border-bottom-left-radius",
89 "border-bottom-right-radius", "border-bottom-style", "border-bottom-width",
90 "border-collapse", "border-color", "border-image", "border-image-outset",
91 "border-image-repeat", "border-image-slice", "border-image-source",
92 "border-image-width", "border-left", "border-left-color", "border-left-style",
93 "border-left-width", "border-radius", "border-right", "border-right-color",
94 "border-right-style", "border-right-width", "border-spacing", "border-style",
95 "border-top", "border-top-color", "border-top-left-radius",
96 "border-top-right-radius", "border-top-style", "border-top-width",
97 "border-width", "bottom", "box-decoration-break", "box-shadow", "box-sizing",
98 "break-after", "break-before", "break-inside", "brightness()", "calc()",
99 "caption-side", "ch", "@character-variant", "character-variant()", "@charset",
100 ":checked", "circle()", "clear", "clip", "clip-path", "cm", "color", "<color>",
101 "columns", "column-count", "column-fill", "column-gap", "column-rule",
102 "column-rule-color", "column-rule-style", "column-rule-width", "column-span",
103 "column-width", "content", "contrast()", "<counter>", "counter-increment",
104 "counter-reset", "@counter-style", "cubic-bezier()", "cursor",
105 "<custom-ident>", ":default", "deg", ":dir()", "direction", ":disabled",
106 "display", "@document", "dpcm", "dpi", "dppx", "drop-shadow()", "element()",
107 "ellipse()", "em", ":empty", "empty-cells", ":enabled", "ex", "filter",
108 ":first", ":first-child", "::first-letter", "::first-line",
109 ":first-of-type", "flex", "flex-basis", "flex-direction",
110 "flex-flow", "flex-grow", "flex-shrink", "flex-wrap", "float", ":focus",
111 "font", "@font-face", "font-family", "font-feature-settings",
112 "@font-feature-values", "font-kerning", "font-language-override", "font-size",
113 "font-size-adjust", "font-stretch", "font-style", "font-synthesis",
114 "font-variant", "font-variant-alternates", "font-variant-caps",
115 "font-variant-east-asian", "font-variant-ligatures", "font-variant-numeric",
116 "font-variant-position", "font-weight", "<frequency>", ":fullscreen", "grad",
117 "<gradient>", "grayscale()", "grid", "grid-area", "grid-auto-columns",
118 "grid-auto-flow", "grid-auto-position", "grid-auto-rows", "grid-column",
119 "grid-column-start", "grid-column-end", "grid-row", "grid-row-start",
120 "grid-row-end", "grid-template", "grid-template-areas", "grid-template-rows",
121 "grid-template-columns", "height", ":hover", "hsl()", "hsla()", "hue-rotate()",
122 "hyphens", "hz", "<image>", "image()", "image-rendering", "image-resolution",
123 "image-orientation", "ime-mode", "@import", "in", ":indeterminate", "inherit",
124 "initial", ":in-range", "inset()", "<integer>", ":invalid", "invert()",
125 "isolation", "justify-content", "@keyframes", "khz", ":lang()", ":last-child",
126 ":last-of-type", "left", ":left", "<length>", "letter-spacing",
127 "linear-gradient()", "line-break", "line-height", ":link", "list-style",
128 "list-style-image", "list-style-position", "list-style-type", "margin",
129 "margin-bottom", "margin-left", "margin-right", "margin-top", "marks", "mask",
130 "mask-type", "matrix()", "matrix3d()", "max-height", "max-width", "@media",
131 "min-height", "minmax()", "min-width", "mix-blend-mode", "mm", "ms",
132 "@namespace", ":not()", ":nth-child()", ":nth-last-child()",
133 ":nth-last-of-type()", ":nth-of-type()", "<number>", "object-fit",
134 "object-position", ":only-child", ":only-of-type", "opacity", "opacity()",
135 ":optional", "order", "@ornaments", "ornaments()", "orphans", "outline",
136 "outline-color", "outline-offset", "outline-style", "outline-width",
137 ":out-of-range", "overflow", "overflow-wrap", "overflow-x", "overflow-y",
138 "padding", "padding-bottom", "padding-left", "padding-right", "padding-top",
139 "@page", "page-break-after", "page-break-before", "page-break-inside", "pc",
140 "<percentage>", "perspective", "perspective()", "perspective-origin",
141 "pointer-events", "polygon()", "position", "<position>", "pt", "px", "quotes",
142 "rad", "radial-gradient()", "<ratio>", ":read-only", ":read-write", "rect()",
143 "rem", "repeat()", "::repeat-index", "::repeat-item",
144 "repeating-linear-gradient()", "repeating-radial-gradient()", ":required",
145 "resize", "<resolution>", "rgb()", "rgba()", "right", ":right", ":root",
146 "rotate()", "rotatex()", "rotatey()", "rotatez()", "rotate3d()", "ruby-align",
147 "ruby-merge", "ruby-position", "s", "saturate()", "scale()", "scalex()",
148 "scaley()", "scalez()", "scale3d()", ":scope", "scroll-behavior",
149 "::selection", "sepia()", "<shape>", "shape-image-threshold", "shape-margin",
150 "shape-outside", "skew()", "skewx()", "skewy()", "steps()", "<string>",
151 "@styleset", "styleset()", "@stylistic", "stylistic()", "@supports", "@swash",
152 "swash()", "symbol()", "table-layout", "tab-size", ":target", "text-align",
153 "text-align-last", "text-combine-upright", "text-decoration",
154 "text-decoration-color", "text-decoration-line", "text-decoration-style",
155 "text-indent", "text-orientation", "text-overflow", "text-rendering",
156 "text-shadow", "text-transform", "text-underline-position", "<time>",
157 "<timing-function>", "top", "touch-action", "transform", "transform-origin",
158 "transform-style", "transition", "transition-delay", "transition-duration",
159 "transition-property", "transition-timing-function", "translate()",
160 "translatex()", "translatey()", "translatez()", "translate3d()", "turn",
161 "unicode-bidi", "unicode-range", "unset", "<uri>", "url()", "<user-ident>",
162 ":valid", "::value", "var()", "vertical-align", "vh", "@viewport",
163 "visibility", ":visited", "vmax", "vmin", "vw", "white-space", "widows",
164 "width", "will-change", "word-break", "word-spacing", "word-wrap",
165 "writing-mode", "z-index",
166
167 ]
168
169 webkit_prefixed_styles = [
170 # Webkit-prefixed styles
171 # https://developer.mozilla.org/en-US/docs/Web/CSS/Reference/Webkit_Extensions
172 "-webkit-animation", "-webkit-animation-delay", "-webkit-animation-direction",
173 "-webkit-animation-duration", "-webkit-animation-fill-mode",
174 "-webkit-animation-iteration-count", "-webkit-animation-name",
175 "-webkit-animation-play-state", "-webkit-animation-timing-function",
176 "-webkit-backface-visibility", "-webkit-border-image", "-webkit-column-count",
177 "-webkit-column-gap", "-webkit-column-width", "-webkit-column-rule",
178 "-webkit-column-rule-width", "-webkit-column-rule-style",
179 "-webkit-column-rule-color", "-webkit-columns", "-webkit-column-span",
180 "-webkit-font-feature-settings", "-webkit-font-kerning",
181 "-webkit-font-size-delta", "-webkit-font-variant-ligatures",
182 "-webkit-grid-column", "-webkit-grid-row", "-webkit-hyphens", "-webkit-mask",
183 "-webkit-mask-clip", "-webkit-mask-composite", "-webkit-mask-image",
184 "-webkit-mask-origin", "-webkit-mask-position", "-webkit-mask-repeat",
185 "-webkit-mask-size", "-webkit-perspective", "-webkit-perspective-origin",
186 "-webkit-region-fragment", "-webkit-shape-outside", "-webkit-text-emphasis",
187 "-webkit-text-emphasis-color", "-webkit-text-emphasis-position",
188 "-webkit-text-emphasis-style", "-webkit-transform", "-webkit-transform-origin",
189 "-webkit-transform-style", "-webkit-transition", "-webkit-transition-delay",
190 "-webkit-transition-duration", "-webkit-transition-property",
191 "-webkit-transition-timing-function", "-epub-word-break", "-epub-writing-mode",
192 # WebKit-prefixed properties with an unprefixed counterpart
193 "-webkit-background-clip", "-webkit-background-origin",
194 "-webkit-background-size", "-webkit-border-bottom-left-radius",
195 "-webkit-border-bottom-right-radius", "-webkit-border-radius",
196 "-webkit-border-top-left-radius", "-webkit-border-top-right-radius",
197 "-webkit-box-sizing", "-epub-caption-side", "-webkit-opacity",
198 "-epub-text-transform",
199 ]
200
201 mozilla_prefixed_styles = [
202 "-moz-column-count", "-moz-column-fill", "-moz-column-gap",
203 "-moz-column-width", "-moz-column-rule", "-moz-column-rule-width",
204 "-moz-column-rule-style", "-moz-column-rule-color",
205 "-moz-font-feature-settings", "-moz-font-language-override", "-moz-hyphens",
206 "-moz-text-align-last", "-moz-text-decoration-color",
207 "-moz-text-decoration-line", "-moz-text-decoration-style",
208 ]
209
210 all_prefixed_styles = [
211 # From http://peter.sh/experiments/vendor-prefixed-css-property-overview/
212 "-ms-accelerator", "-webkit-app-region", "-webkit-appearance",
213 "-webkit-appearance", "-moz-appearance", "-webkit-aspect-ratio",
214 "-webkit-backdrop-filter", "backface-visibility",
215 "-webkit-backface-visibility", "backface-visibility", "backface-visibility",
216 "-webkit-background-composite", "-webkit-background-composite", "-moz-binding",
217 "-ms-block-progression", "-webkit-border-after", "-webkit-border-after",
218 "-webkit-border-after-color", "-webkit-border-after-color",
219 "-webkit-border-after-style", "-webkit-border-after-style",
220 "-webkit-border-after-width", "-webkit-border-after-width",
221 "-webkit-border-before", "-webkit-border-before",
222 "-webkit-border-before-color", "-webkit-border-before-color",
223 "-webkit-border-before-style", "-webkit-border-before-style",
224 "-webkit-border-before-width", "-webkit-border-before-width",
225 "-moz-border-bottom-colors", "-webkit-border-end", "-webkit-border-end",
226 "-moz-border-end", "-webkit-border-end-color", "-webkit-border-end-color",
227 "-moz-border-end-color", "-webkit-border-end-style",
228 "-webkit-border-end-style", "-moz-border-end-style",
229 "-webkit-border-end-width", "-webkit-border-end-width",
230 "-moz-border-end-width", "-webkit-border-fit",
231 "-webkit-border-horizontal-spacing", "-webkit-border-horizontal-spacing",
232 "-moz-border-left-colors", "-moz-border-right-colors", "-webkit-border-start",
233 "-webkit-border-start", "-moz-border-start", "-webkit-border-start-color",
234 "-webkit-border-start-color", "-moz-border-start-color",
235 "-webkit-border-start-style", "-webkit-border-start-style",
236 "-moz-border-start-style", "-webkit-border-start-width",
237 "-webkit-border-start-width", "-moz-border-start-width",
238 "-moz-border-top-colors", "-webkit-border-vertical-spacing",
239 "-webkit-border-vertical-spacing", "-webkit-box-align", "-webkit-box-align",
240 "-moz-box-align", "-webkit-box-decoration-break",
241 "-webkit-box-decoration-break", "box-decoration-break",
242 "-webkit-box-direction", "-webkit-box-direction", "-moz-box-direction",
243 "-webkit-box-flex", "-webkit-box-flex", "-moz-box-flex",
244 "-webkit-box-flex-group", "-webkit-box-flex-group", "-webkit-box-lines",
245 "-webkit-box-lines", "-webkit-box-ordinal-group", "-webkit-box-ordinal-group",
246 "-moz-box-ordinal-group", "-webkit-box-orient", "-webkit-box-orient",
247 "-moz-box-orient", "-webkit-box-pack", "-webkit-box-pack", "-moz-box-pack",
248 "-webkit-box-reflect", "-webkit-box-reflect", "clip-path", "-webkit-clip-path",
249 "clip-path", "clip-path", "-webkit-color-correction", "-webkit-column-axis",
250 "-webkit-column-break-after", "-webkit-column-break-after",
251 "-webkit-column-break-before", "-webkit-column-break-before",
252 "-webkit-column-break-inside", "-webkit-column-break-inside",
253 "-webkit-column-count", "column-count", "-moz-column-count", "column-count",
254 "column-fill", "column-fill", "-moz-column-fill", "column-fill",
255 "-webkit-column-gap", "column-gap", "-moz-column-gap", "column-gap",
256 "-webkit-column-rule", "column-rule", "-moz-column-rule", "column-rule",
257 "-webkit-column-rule-color", "column-rule-color", "-moz-column-rule-color",
258 "column-rule-color", "-webkit-column-rule-style", "column-rule-style",
259 "-moz-column-rule-style", "column-rule-style", "-webkit-column-rule-width",
260 "column-rule-width", "-moz-column-rule-width", "column-rule-width",
261 "-webkit-column-span", "column-span", "column-span", "-webkit-column-width",
262 "column-width", "-moz-column-width", "column-width", "-webkit-columns",
263 "columns", "-moz-columns", "columns", "-ms-content-zoom-chaining",
264 "-ms-content-zoom-limit", "-ms-content-zoom-limit-max",
265 "-ms-content-zoom-limit-min", "-ms-content-zoom-snap",
266 "-ms-content-zoom-snap-points", "-ms-content-zoom-snap-type",
267 "-ms-content-zooming", "-moz-control-character-visibility",
268 "-webkit-cursor-visibility", "-webkit-dashboard-region", "filter",
269 "-webkit-filter", "filter", "filter", "-ms-flex-align", "-ms-flex-item-align",
270 "-ms-flex-line-pack", "-ms-flex-negative", "-ms-flex-order", "-ms-flex-pack",
271 "-ms-flex-positive", "-ms-flex-preferred-size", "-moz-float-edge",
272 "-webkit-flow-from", "-ms-flow-from", "-webkit-flow-into", "-ms-flow-into",
273 "-webkit-font-feature-settings", "-webkit-font-feature-settings",
274 "font-feature-settings", "font-feature-settings", "font-kerning",
275 "-webkit-font-kerning", "font-kerning", "-webkit-font-size-delta",
276 "-webkit-font-size-delta", "-webkit-font-smoothing", "-webkit-font-smoothing",
277 "font-variant-ligatures", "-webkit-font-variant-ligatures",
278 "font-variant-ligatures", "-moz-force-broken-image-icon", "grid",
279 "-webkit-grid", "grid", "grid-area", "-webkit-grid-area", "grid-area",
280 "grid-auto-columns", "-webkit-grid-auto-columns", "grid-auto-columns",
281 "grid-auto-flow", "-webkit-grid-auto-flow", "grid-auto-flow", "grid-auto-rows",
282 "-webkit-grid-auto-rows", "grid-auto-rows", "grid-column",
283 "-webkit-grid-column", "grid-column", "-ms-grid-column",
284 "-ms-grid-column-align", "grid-column-end", "-webkit-grid-column-end",
285 "grid-column-end", "-ms-grid-column-span", "grid-column-start",
286 "-webkit-grid-column-start", "grid-column-start", "-ms-grid-columns",
287 "grid-row", "-webkit-grid-row", "grid-row", "-ms-grid-row",
288 "-ms-grid-row-align", "grid-row-end", "-webkit-grid-row-end", "grid-row-end",
289 "-ms-grid-row-span", "grid-row-start", "-webkit-grid-row-start",
290 "grid-row-start", "-ms-grid-rows", "grid-template", "-webkit-grid-template",
291 "grid-template", "grid-template-areas", "-webkit-grid-template-areas",
292 "grid-template-areas", "grid-template-columns",
293 "-webkit-grid-template-columns", "grid-template-columns", "grid-template-rows",
294 "-webkit-grid-template-rows", "grid-template-rows", "-ms-high-contrast-adjust",
295 "-webkit-highlight", "-webkit-hyphenate-character",
296 "-webkit-hyphenate-character", "-webkit-hyphenate-limit-after",
297 "-webkit-hyphenate-limit-before", "-ms-hyphenate-limit-chars",
298 "-webkit-hyphenate-limit-lines", "-ms-hyphenate-limit-lines",
299 "-ms-hyphenate-limit-zone", "-webkit-hyphens", "-moz-hyphens", "-ms-hyphens",
300 "-moz-image-region", "-ms-ime-align", "-webkit-initial-letter",
301 "-ms-interpolation-mode", "justify-self", "-webkit-justify-self",
302 "-webkit-line-align", "-webkit-line-box-contain", "-webkit-line-box-contain",
303 "-webkit-line-break", "-webkit-line-break", "line-break", "-webkit-line-clamp",
304 "-webkit-line-clamp", "-webkit-line-grid", "-webkit-line-snap",
305 "-webkit-locale", "-webkit-locale", "-webkit-logical-height",
306 "-webkit-logical-height", "-webkit-logical-width", "-webkit-logical-width",
307 "-webkit-margin-after", "-webkit-margin-after",
308 "-webkit-margin-after-collapse", "-webkit-margin-after-collapse",
309 "-webkit-margin-before", "-webkit-margin-before",
310 "-webkit-margin-before-collapse", "-webkit-margin-before-collapse",
311 "-webkit-margin-bottom-collapse", "-webkit-margin-bottom-collapse",
312 "-webkit-margin-collapse", "-webkit-margin-collapse", "-webkit-margin-end",
313 "-webkit-margin-end", "-moz-margin-end", "-webkit-margin-start",
314 "-webkit-margin-start", "-moz-margin-start", "-webkit-margin-top-collapse",
315 "-webkit-margin-top-collapse", "-webkit-marquee", "-webkit-marquee-direction",
316 "-webkit-marquee-increment", "-webkit-marquee-repetition",
317 "-webkit-marquee-speed", "-webkit-marquee-style", "mask", "-webkit-mask",
318 "mask", "-webkit-mask-box-image", "-webkit-mask-box-image",
319 "-webkit-mask-box-image-outset", "-webkit-mask-box-image-outset",
320 "-webkit-mask-box-image-repeat", "-webkit-mask-box-image-repeat",
321 "-webkit-mask-box-image-slice", "-webkit-mask-box-image-slice",
322 "-webkit-mask-box-image-source", "-webkit-mask-box-image-source",
323 "-webkit-mask-box-image-width", "-webkit-mask-box-image-width",
324 "-webkit-mask-clip", "-webkit-mask-clip", "-webkit-mask-composite",
325 "-webkit-mask-composite", "-webkit-mask-image", "-webkit-mask-image",
326 "-webkit-mask-origin", "-webkit-mask-origin", "-webkit-mask-position",
327 "-webkit-mask-position", "-webkit-mask-position-x", "-webkit-mask-position-x",
328 "-webkit-mask-position-y", "-webkit-mask-position-y", "-webkit-mask-repeat",
329 "-webkit-mask-repeat", "-webkit-mask-repeat-x", "-webkit-mask-repeat-x",
330 "-webkit-mask-repeat-y", "-webkit-mask-repeat-y", "-webkit-mask-size",
331 "-webkit-mask-size", "mask-source-type", "-webkit-mask-source-type",
332 "-moz-math-display", "-moz-math-variant", "-webkit-max-logical-height",
333 "-webkit-max-logical-height", "-webkit-max-logical-width",
334 "-webkit-max-logical-width", "-webkit-min-logical-height",
335 "-webkit-min-logical-height", "-webkit-min-logical-width",
336 "-webkit-min-logical-width", "-webkit-nbsp-mode", "-moz-orient",
337 "-moz-osx-font-smoothing", "-moz-outline-radius",
338 "-moz-outline-radius-bottomleft", "-moz-outline-radius-bottomright",
339 "-moz-outline-radius-topleft", "-moz-outline-radius-topright",
340 "-webkit-overflow-scrolling", "-ms-overflow-style", "-webkit-padding-after",
341 "-webkit-padding-after", "-webkit-padding-before", "-webkit-padding-before",
342 "-webkit-padding-end", "-webkit-padding-end", "-moz-padding-end",
343 "-webkit-padding-start", "-webkit-padding-start", "-moz-padding-start",
344 "perspective", "-webkit-perspective", "perspective", "perspective",
345 "perspective-origin", "-webkit-perspective-origin", "perspective-origin",
346 "perspective-origin", "-webkit-perspective-origin-x",
347 "-webkit-perspective-origin-x", "perspective-origin-x",
348 "-webkit-perspective-origin-y", "-webkit-perspective-origin-y",
349 "perspective-origin-y", "-webkit-print-color-adjust",
350 "-webkit-print-color-adjust", "-webkit-region-break-after",
351 "-webkit-region-break-before", "-webkit-region-break-inside",
352 "-webkit-region-fragment", "-webkit-rtl-ordering", "-webkit-rtl-ordering",
353 "-webkit-ruby-position", "-webkit-ruby-position", "ruby-position",
354 "-moz-script-level", "-moz-script-min-size", "-moz-script-size-multiplier",
355 "-ms-scroll-chaining", "-ms-scroll-limit", "-ms-scroll-limit-x-max",
356 "-ms-scroll-limit-x-min", "-ms-scroll-limit-y-max", "-ms-scroll-limit-y-min",
357 "-ms-scroll-rails", "-webkit-scroll-snap-coordinate",
358 "-webkit-scroll-snap-destination", "-webkit-scroll-snap-points-x",
359 "-ms-scroll-snap-points-x", "-webkit-scroll-snap-points-y",
360 "-ms-scroll-snap-points-y", "-webkit-scroll-snap-type", "-ms-scroll-snap-type",
361 "-ms-scroll-snap-x", "-ms-scroll-snap-y", "-ms-scroll-translation",
362 "-ms-scrollbar-3dlight-color", "shape-image-threshold",
363 "-webkit-shape-image-threshold", "shape-margin", "-webkit-shape-margin",
364 "shape-outside", "-webkit-shape-outside", "-moz-stack-sizing", "tab-size",
365 "tab-size", "-moz-tab-size", "-webkit-tap-highlight-color",
366 "-webkit-tap-highlight-color", "text-align-last", "-webkit-text-align-last",
367 "-moz-text-align-last", "text-align-last", "-webkit-text-combine",
368 "-webkit-text-combine", "-ms-text-combine-horizontal", "text-decoration-color",
369 "-webkit-text-decoration-color", "text-decoration-color",
370 "text-decoration-color", "text-decoration-line",
371 "-webkit-text-decoration-line", "text-decoration-line",
372 "-webkit-text-decoration-skip", "text-decoration-style",
373 "-webkit-text-decoration-style", "text-decoration-style",
374 "-webkit-text-decorations-in-effect", "-webkit-text-decorations-in-effect",
375 "-webkit-text-emphasis", "text-emphasis", "-webkit-text-emphasis-color",
376 "text-emphasis-color", "-webkit-text-emphasis-position",
377 "text-emphasis-position", "-webkit-text-emphasis-style", "text-emphasis-style",
378 "-webkit-text-fill-color", "-webkit-text-fill-color", "text-justify",
379 "-webkit-text-justify", "text-justify", "-webkit-text-orientation",
380 "-webkit-text-orientation", "text-orientation", "-webkit-text-security",
381 "-webkit-text-security", "-webkit-text-size-adjust", "-moz-text-size-adjust",
382 "-ms-text-size-adjust", "-webkit-text-stroke", "-webkit-text-stroke",
383 "-webkit-text-stroke-color", "-webkit-text-stroke-color",
384 "-webkit-text-stroke-width", "-webkit-text-stroke-width",
385 "text-underline-position", "-webkit-text-underline-position",
386 "text-underline-position", "-webkit-touch-callout", "-ms-touch-select",
387 "transform", "-webkit-transform", "transform", "transform", "transform-origin",
388 "-webkit-transform-origin", "transform-origin", "transform-origin",
389 "-webkit-transform-origin-x", "-webkit-transform-origin-x",
390 "transform-origin-x", "-webkit-transform-origin-y",
391 "-webkit-transform-origin-y", "transform-origin-y",
392 "-webkit-transform-origin-z", "-webkit-transform-origin-z",
393 "transform-origin-z", "transform-style", "-webkit-transform-style",
394 "transform-style", "transform-style", "-webkit-user-drag", "-webkit-user-drag",
395 "-moz-user-focus", "-moz-user-input", "-webkit-user-modify",
396 "-webkit-user-modify", "-moz-user-modify", "-webkit-user-select",
397 "-webkit-user-select", "-moz-user-select", "-ms-user-select",
398 "-moz-window-dragging", "-moz-window-shadow", "-ms-wrap-flow",
399 "-ms-wrap-margin", "-ms-wrap-through", "writing-mode", "-webkit-writing-mode",
400 "writing-mode", "writing-mode",
401 ]
402
403 all_styles = standard_styles + all_prefixed_styles No newline at end of file
Show file before | Show file after | Hide comments
@@ -28,6 +28,7 b' import os'
28 import lxml
28 import lxml
29 import logging
29 import logging
30 import urlparse
30 import urlparse
31 import bleach
31
32
32 from mako.lookup import TemplateLookup
33 from mako.lookup import TemplateLookup
33 from mako.template import Template as MakoTemplate
34 from mako.template import Template as MakoTemplate
@@ -181,12 +182,13 b' class MarkupRenderer(object):'
181 r'|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)')
182 r'|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)')
182
183
183 extensions = ['codehilite', 'extra', 'def_list', 'sane_lists']
184 extensions = ['codehilite', 'extra', 'def_list', 'sane_lists']
185 output_format = 'html4'
184 markdown_renderer = markdown.Markdown(
186 markdown_renderer = markdown.Markdown(
185 extensions, safe_mode=True, enable_attributes=False)
187 extensions, enable_attributes=False, output_format=output_format)
186
188
187 markdown_renderer_flavored = markdown.Markdown(
189 markdown_renderer_flavored = markdown.Markdown(
188 extensions + [GithubFlavoredMarkdownExtension()], safe_mode=True,
190 extensions + [GithubFlavoredMarkdownExtension()],
189 enable_attributes=False)
191 enable_attributes=False, output_format=output_format)
190
192
191 # extension together with weights. Lower is first means we control how
193 # extension together with weights. Lower is first means we control how
192 # extensions are attached to readme names with those.
194 # extensions are attached to readme names with those.
@@ -234,6 +236,13 b' class MarkupRenderer(object):'
234 return getattr(MarkupRenderer, detected_renderer)
236 return getattr(MarkupRenderer, detected_renderer)
235
237
236 @classmethod
238 @classmethod
239 def bleach_clean(cls, text):
240 from .bleach_whitelist import markdown_attrs, markdown_tags
241 allowed_tags = markdown_tags
242 allowed_attrs = markdown_attrs
243 return bleach.clean(text, tags=allowed_tags, attributes=allowed_attrs)
244
245 @classmethod
237 def renderer_from_filename(cls, filename, exclude):
246 def renderer_from_filename(cls, filename, exclude):
238 """
247 """
239 Detect renderer markdown/rst from filename and optionally use exclude
248 Detect renderer markdown/rst from filename and optionally use exclude
@@ -320,10 +329,11 b' class MarkupRenderer(object):'
320 return '<br />' + source.replace("\n", '<br />')
329 return '<br />' + source.replace("\n", '<br />')
321
330
322 @classmethod
331 @classmethod
323 def markdown(cls, source, safe=True, flavored=True, mentions=False):
332 def markdown(cls, source, safe=True, flavored=True, mentions=False,
324 # It does not allow to insert inline HTML. In presence of HTML tags, it
333 clean_html=True):
325 # will replace them instead with [HTML_REMOVED]. This is controlled by
334 """
326 # the safe_mode=True parameter of the markdown method.
335 returns markdown rendered code cleaned by the bleach library
336 """
327
337
328 if flavored:
338 if flavored:
329 markdown_renderer = cls.markdown_renderer_flavored
339 markdown_renderer = cls.markdown_renderer_flavored
@@ -342,10 +352,14 b' class MarkupRenderer(object):'
342 mentions=False)
352 mentions=False)
343
353
344 source = safe_unicode(source)
354 source = safe_unicode(source)
355
345 try:
356 try:
346 if flavored:
357 if flavored:
347 source = cls._flavored_markdown(source)
358 source = cls._flavored_markdown(source)
348 return markdown_renderer.convert(source)
359 rendered = markdown_renderer.convert(source)
360 if clean_html:
361 rendered = cls.bleach_clean(rendered)
362 return rendered
349 except Exception:
363 except Exception:
350 log.exception('Error when rendering Markdown')
364 log.exception('Error when rendering Markdown')
351 if safe:
365 if safe:
@@ -355,7 +369,7 b' class MarkupRenderer(object):'
355 raise
369 raise
356
370
357 @classmethod
371 @classmethod
358 def rst(cls, source, safe=True, mentions=False):
372 def rst(cls, source, safe=True, mentions=False, clean_html=False):
359 if mentions:
373 if mentions:
360 mention_pat = re.compile(MENTIONS_REGEX)
374 mention_pat = re.compile(MENTIONS_REGEX)
361
375
@@ -372,8 +386,8 b' class MarkupRenderer(object):'
372 [(alias, None) for alias in
386 [(alias, None) for alias in
373 cls.RESTRUCTUREDTEXT_DISALLOWED_DIRECTIVES])
387 cls.RESTRUCTUREDTEXT_DISALLOWED_DIRECTIVES])
374
388
375 docutils_settings.update({'input_encoding': 'unicode',
389 docutils_settings.update({
376 'report_level': 4})
390 'input_encoding': 'unicode', 'report_level': 4})
377
391
378 for k, v in docutils_settings.iteritems():
392 for k, v in docutils_settings.iteritems():
379 directives.register_directive(k, v)
393 directives.register_directive(k, v)
@@ -381,8 +395,10 b' class MarkupRenderer(object):'
381 parts = publish_parts(source=source,
395 parts = publish_parts(source=source,
382 writer=RhodeCodeWriter(),
396 writer=RhodeCodeWriter(),
383 settings_overrides=docutils_settings)
397 settings_overrides=docutils_settings)
384
398 rendered = parts["fragment"]
385 return parts['html_title'] + parts["fragment"]
399 if clean_html:
400 rendered = cls.bleach_clean(rendered)
401 return parts['html_title'] + rendered
386 except Exception:
402 except Exception:
387 log.exception('Error when rendering RST')
403 log.exception('Error when rendering RST')
388 if safe:
404 if safe:
Show file before | Show file after | Hide comments
@@ -67,9 +67,429 b' def test_markdown_xss_inline_html():'
67
67
68 def test_markdown_inline_html():
68 def test_markdown_inline_html():
69 xss_md = '\n'.join(['> <a name="n"',
69 xss_md = '\n'.join(['> <a name="n"',
70 '> href="https://rhodecode.com">link</a>'])
70 '> onload="javascript:alert()" href="https://rhodecode.com">link</a>'])
71 rendered_html = MarkupRenderer.markdown(xss_md)
71 rendered_html = MarkupRenderer.markdown(xss_md)
72 assert '[HTML_REMOVED]link[HTML_REMOVED]' in rendered_html
72 assert '<a href="https://rhodecode.com" name="n">link</a>' in rendered_html
73
74
75 def test_markdown_bleach_renders_correct():
76 test_md = """
77 This is intended as a quick reference and showcase. For more complete info, see [John Gruber's original spec](http://daringfireball.net/projects/markdown/) and the [Github-flavored Markdown info page](http://github.github.com/github-flavored-markdown/).
78
79 Note that there is also a [Cheatsheet specific to Markdown Here](./Markdown-Here-Cheatsheet) if that's what you're looking for. You can also check out [more Markdown tools](./Other-Markdown-Tools).
80
81 ##### Table of Contents
82 [Headers](#headers)
83 [Emphasis](#emphasis)
84 [Lists](#lists)
85 [Links](#links)
86 [Images](#images)
87 [Code and Syntax Highlighting](#code)
88 [Tables](#tables)
89 [Blockquotes](#blockquotes)
90 [Inline HTML](#html)
91 [Horizontal Rule](#hr)
92 [Line Breaks](#lines)
93 [Youtube videos](#videos)
94
95
96 ## Headers
97
98 ```no-highlight
99 # H1
100 ## H2
101 ### H3
102 #### H4
103 ##### H5
104 ###### H6
105
106 Alternatively, for H1 and H2, an underline-ish style:
107
108 Alt-H1
109 ======
110
111 Alt-H2
112 ------
113 ```
114
115 # H1
116 ## H2
117 ### H3
118 #### H4
119 ##### H5
120 ###### H6
121
122 Alternatively, for H1 and H2, an underline-ish style:
123
124 Alt-H1
125 ======
126
127 Alt-H2
128 ------
129
130 ## Emphasis
131
132 ```no-highlight
133 Emphasis, aka italics, with *asterisks* or _underscores_.
134
135 Strong emphasis, aka bold, with **asterisks** or __underscores__.
136
137 Combined emphasis with **asterisks and _underscores_**.
138
139 Strikethrough uses two tildes. ~~Scratch this.~~
140 ```
141
142 Emphasis, aka italics, with *asterisks* or _underscores_.
143
144 Strong emphasis, aka bold, with **asterisks** or __underscores__.
145
146 Combined emphasis with **asterisks and _underscores_**.
147
148 Strikethrough uses two tildes. ~~Scratch this.~~
149
150
151 ## Lists
152
153 (In this example, leading and trailing spaces are shown with with dots: β‹…)
154
155 ```no-highlight
156 1. First ordered list item
157 2. Another item
158 β‹…β‹…* Unordered sub-list.
159 1. Actual numbers don't matter, just that it's a number
160 β‹…β‹…1. Ordered sub-list
161 4. And another item.
162
163 β‹…β‹…β‹…You can have properly indented paragraphs within list items. Notice the blank line above, and the leading spaces (at least one, but we'll use three here to also align the raw Markdown).
164
165 β‹…β‹…β‹…To have a line break without a paragraph, you will need to use two trailing spaces.β‹…β‹…
166 β‹…β‹…β‹…Note that this line is separate, but within the same paragraph.β‹…β‹…
167 β‹…β‹…β‹…(This is contrary to the typical GFM line break behaviour, where trailing spaces are not required.)
168
169 * Unordered list can use asterisks
170 - Or minuses
171 + Or pluses
172 ```
173
174 1. First ordered list item
175 2. Another item
176 * Unordered sub-list.
177 1. Actual numbers don't matter, just that it's a number
178 1. Ordered sub-list
179 4. And another item.
180
181 You can have properly indented paragraphs within list items. Notice the blank line above, and the leading spaces (at least one, but we'll use three here to also align the raw Markdown).
182
183 To have a line break without a paragraph, you will need to use two trailing spaces.
184 Note that this line is separate, but within the same paragraph.
185 (This is contrary to the typical GFM line break behaviour, where trailing spaces are not required.)
186
187 * Unordered list can use asterisks
188 - Or minuses
189 + Or pluses
190
191
192 ## Links
193
194 There are two ways to create links.
195
196 ```no-highlight
197 [I'm an inline-style link](https://www.google.com)
198
199 [I'm an inline-style link with title](https://www.google.com "Google's Homepage")
200
201 [I'm a reference-style link][Arbitrary case-insensitive reference text]
202
203 [I'm a relative reference to a repository file (LICENSE)](./LICENSE)
204
205 [I'm a relative reference to a repository file (IMAGE)](./img/logo.png)
206
207 [I'm a relative reference to a repository file (IMAGE2)](img/logo.png)
208
209 [You can use numbers for reference-style link definitions][1]
210
211 Or leave it empty and use the [link text itself].
212
213 URLs and URLs in angle brackets will automatically get turned into links.
214 http://www.example.com or <http://www.example.com> and sometimes
215 example.com (but not on Github, for example).
216
217 Some text to show that the reference links can follow later.
218
219 [arbitrary case-insensitive reference text]: https://www.mozilla.org
220 [1]: http://slashdot.org
221 [link text itself]: http://www.reddit.com
222 ```
223
224 [I'm an inline-style link](https://www.google.com)
225
226 [I'm an inline-style link with title](https://www.google.com "Google's Homepage")
227
228 [I'm a reference-style link][Arbitrary case-insensitive reference text]
229
230 [I'm a relative reference to a repository file (LICENSE)](./LICENSE)
231
232 [I'm a relative reference to a repository file (IMAGE)](./img/logo.png)
233
234 [I'm a relative reference to a repository file (IMAGE2)](img/logo.png)
235
236 [You can use numbers for reference-style link definitions][1]
237
238 Or leave it empty and use the [link text itself].
239
240 URLs and URLs in angle brackets will automatically get turned into links.
241 http://www.example.com or <http://www.example.com> and sometimes
242 example.com (but not on Github, for example).
243
244 Some text to show that the reference links can follow later.
245
246 [arbitrary case-insensitive reference text]: https://www.mozilla.org
247 [1]: http://slashdot.org
248 [link text itself]: http://www.reddit.com
249
250
251 ## Images
252
253 ```no-highlight
254 Here's our logo (hover to see the title text):
255
256 Inline-style:
257 ![alt text](https://github.com/adam-p/markdown-here/raw/master/src/common/images/icon48.png "Logo Title Text 1")
258
259 relative-src-style:
260 ![alt text](img/logo.png)
261
262 Reference-style:
263 ![alt text][logo]
264
265 [logo]: https://github.com/adam-p/markdown-here/raw/master/src/common/images/icon48.png "Logo Title Text 2"
266 ```
267
268 Here's our logo (hover to see the title text):
269
270 Inline-style:
271 ![alt text](https://github.com/adam-p/markdown-here/raw/master/src/common/images/icon48.png "Logo Title Text 1")
272
273 relative-src-style:
274 ![alt text](img/logo.png)
275
276 relative-src-style:
277 ![alt text](./img/logo.png)
278
279 Reference-style:
280 ![alt text][logo]
281
282 [logo]: https://github.com/adam-p/markdown-here/raw/master/src/common/images/icon48.png "Logo Title Text 2"
283
284
285 ## Code and Syntax Highlighting
286
287 Code blocks are part of the Markdown spec, but syntax highlighting isn't. However, many renderers -- like Github's and *Markdown Here* -- support syntax highlighting. Which languages are supported and how those language names should be written will vary from renderer to renderer. *Markdown Here* supports highlighting for dozens of languages (and not-really-languages, like diffs and HTTP headers); to see the complete list, and how to write the language names, see the [highlight.js demo page](http://softwaremaniacs.org/media/soft/highlight/test.html).
288
289 ```no-highlight
290 Inline `code` has `back-ticks around` it.
291 ```
292
293 Inline `code` has `back-ticks around` it.
294
295 Blocks of code are either fenced by lines with three back-ticks <code>```</code>, or are indented with four spaces. I recommend only using the fenced code blocks -- they're easier and only they support syntax highlighting.
296
297 ```javascript
298 var s = "JavaScript syntax highlighting";
299 console.log(s);
300 ```
301
302 ```python
303 s = "Python syntax highlighting"
304 print s
305 ```
306
307 ```
308 No language indicated, so no syntax highlighting.
309 But let's throw in a &lt;b&gt;tag&lt;/b&gt;.
310 ```
311
312
313 ```javascript
314 var s = "JavaScript syntax highlighting";
315 alert(s);
316 ```
317
318 ```python
319 s = "Python syntax highlighting"
320 print s
321 ```
322
323 ```
324 No language indicated, so no syntax highlighting in Markdown Here (varies on Github).
325 But let's throw in a <b>tag</b>.
326 ```
327
328
329 ## Tables
330
331 Tables aren't part of the core Markdown spec, but they are part of GFM and *Markdown Here* supports them. They are an easy way of adding tables to your email -- a task that would otherwise require copy-pasting from another application.
332
333 ```no-highlight
334 Colons can be used to align columns.
335
336 | Tables | Are | Cool |
337 | ------------- |:-------------:| -----:|
338 | col 3 is | right-aligned | $1600 |
339 | col 2 is | centered | $12 |
340 | zebra stripes | are neat | $1 |
341
342 There must be at least 3 dashes separating each header cell.
343 The outer pipes (|) are optional, and you don't need to make the
344 raw Markdown line up prettily. You can also use inline Markdown.
345
346 Markdown | Less | Pretty
347 --- | --- | ---
348 *Still* | `renders` | **nicely**
349 1 | 2 | 3
350 ```
351
352 Colons can be used to align columns.
353
354 | Tables | Are | Cool |
355 | ------------- |:-------------:| -----:|
356 | col 3 is | right-aligned | $1600 |
357 | col 2 is | centered | $12 |
358 | zebra stripes | are neat | $1 |
359
360 There must be at least 3 dashes separating each header cell. The outer pipes (|) are optional, and you don't need to make the raw Markdown line up prettily. You can also use inline Markdown.
361
362 Markdown | Less | Pretty
363 --- | --- | ---
364 *Still* | `renders` | **nicely**
365 1 | 2 | 3
366
367
368 ## Blockquotes
369
370 ```no-highlight
371 > Blockquotes are very handy in email to emulate reply text.
372 > This line is part of the same quote.
373
374 Quote break.
375
376 > This is a very long line that will still be quoted properly when it wraps. Oh boy let's keep writing to make sure this is long enough to actually wrap for everyone. Oh, you can *put* **Markdown** into a blockquote.
377 ```
378
379 > Blockquotes are very handy in email to emulate reply text.
380 > This line is part of the same quote.
381
382 Quote break.
383
384 > This is a very long line that will still be quoted properly when it wraps. Oh boy let's keep writing to make sure this is long enough to actually wrap for everyone. Oh, you can *put* **Markdown** into a blockquote.
385
386
387 ## Inline HTML
388
389 You can also use raw HTML in your Markdown, and it'll mostly work pretty well.
390
391 ```no-highlight
392 <dl>
393 <dt>Definition list</dt>
394 <dd>Is something people use sometimes.</dd>
395
396 <dt>Markdown in HTML</dt>
397 <dd>Does *not* work **very** well. Use HTML <em>tags</em>.</dd>
398 </dl>
399 ```
400
401 <dl>
402 <dt>Definition list</dt>
403 <dd>Is something people use sometimes.</dd>
404
405 <dt>Markdown in HTML</dt>
406 <dd>Does *not* work **very** well. Use HTML <em>tags</em>.</dd>
407 </dl>
408
409
410 ## Horizontal Rule
411
412 ```
413 Three or more...
414
415 ---
416
417 Hyphens
418
419 ***
420
421 Asterisks
422
423 ___
424
425 Underscores
426 ```
427
428 Three or more...
429
430 ---
431
432 Hyphens
433
434 ***
435
436 Asterisks
437
438 ___
439
440 Underscores
441
442
443 ## Line Breaks
444
445 My basic recommendation for learning how line breaks work is to experiment and discover -- hit &lt;Enter&gt; once (i.e., insert one newline), then hit it twice (i.e., insert two newlines), see what happens. You'll soon learn to get what you want. "Markdown Toggle" is your friend.
446
447 Here are some things to try out:
448
449 ```
450 Here's a line for us to start with.
451
452 This line is separated from the one above by two newlines, so it will be a *separate paragraph*.
453
454 This line is also a separate paragraph, but...
455 This line is only separated by a single newline, so it's a separate line in the *same paragraph*.
456 ```
457
458 Here's a line for us to start with.
459
460 This line is separated from the one above by two newlines, so it will be a *separate paragraph*.
461
462 This line is also begins a separate paragraph, but...
463 This line is only separated by a single newline, so it's a separate line in the *same paragraph*.
464
465 (Technical note: *Markdown Here* uses GFM line breaks, so there's no need to use MD's two-space line breaks.)
466
467
468 ## Youtube videos
469
470 They can't be added directly but you can add an image with a link to the video like this:
471
472 ```no-highlight
473 <a href="http://www.youtube.com/watch?feature=player_embedded&v=YOUTUBE_VIDEO_ID_HERE
474 " target="_blank"><img src="http://img.youtube.com/vi/YOUTUBE_VIDEO_ID_HERE/0.jpg"
475 alt="IMAGE ALT TEXT HERE" width="240" height="180" border="10" /></a>
476 ```
477
478 Or, in pure Markdown, but losing the image sizing and border:
479
480 ```no-highlight
481 [![IMAGE ALT TEXT HERE](http://img.youtube.com/vi/YOUTUBE_VIDEO_ID_HERE/0.jpg)](http://www.youtube.com/watch?v=YOUTUBE_VIDEO_ID_HERE)
482 ```
483
484 Referencing a bug by #bugID in your git commit links it to the slip. For example #1.
485
486 ---
487
488 License: [CC-BY](https://creativecommons.org/licenses/by/3.0/)
489 """
490 raw_rendered_html = MarkupRenderer.markdown(test_md, clean_html=False)
491 bleached_rendered_html = MarkupRenderer.markdown(test_md, clean_html=True)
492 assert raw_rendered_html == bleached_rendered_html
73
493
74
494
75 def test_rst_xss_link():
495 def test_rst_xss_link():
General Comments 0
You need to be logged in to leave comments. Login now