fU ddlmZddlZddlZddlmZddlmZddlmZe dZ ddgdgdgd Z e d Z d jeedd ed deddDcgc] }e| c}Zej"dezdzej$ZdZGddeZGddZdZGddej2Zycc}w))chainN)unescape) html5lib_shim) parse_shim) aabbracronymb blockquotecodeemiliolstrongulhreftitle)rrr )httphttpsmailto  []?c eZdZy)NoCssSanitizerWarningN)__name__ __module__ __qualname__K/var/www/cvtools/html/venv/lib/python3.12/site-packages/bleach/sanitizer.pyr"r"5sr'r"c,eZdZdZeeeddddfdZdZy)CleaneraCleaner for cleaning HTML fragments of malicious content This cleaner is a security-focused function whose sole purpose is to remove malicious content from a string such that it can be displayed as content in a web page. To use:: from bleach.sanitizer import Cleaner cleaner = Cleaner() for text in all_the_yucky_things: sanitized = cleaner.clean(text) .. Note:: This cleaner is not designed to use to transform content to be used in non-web-page contexts. .. Warning:: This cleaner is not thread-safe--the html parser has internal state. Create a separate cleaner per thread! FTNcT||_||_||_||_||_|xsg|_||_tj|j|jdd|_ tjd|_ tjdddddd|_ |g}t|tr|}nOt|t r?g}|j#D]*} t| tt$fs|j'| ,d|vrt)j*d t, yyy) a:Initializes a Cleaner :arg set tags: set of allowed tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip: whether or not to strip disallowed elements :arg bool strip_comments: whether or not to strip HTML comments :arg list filters: list of html5lib Filter classes to pass streamed content through .. seealso:: http://html5lib.readthedocs.io/en/latest/movingparts.html#filters .. Warning:: Using filters changes the output of ``bleach.Cleaner.clean``. Make sure the way the filters change the output are secure. :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None F)tagsstripconsume_entitiesnamespaceHTMLElementsetreealwaysT)quote_attr_valuesomit_optional_tagsescape_lt_in_attrsresolve_entitiessanitizealphabetical_attributesNstylez7'style' attribute specified, but css_sanitizer not set.)category)r, attributes protocolsr-strip_commentsfilters css_sanitizerrBleachHTMLParserparser getTreeWalkerwalkerBleachHTMLSerializer serializer isinstancelistdictvaluestupleextendwarningswarnr") selfr,r:r;r-r<r=r>attributes_valuesrHs r(__init__zCleaner.__init__Vs'L $" ,}" *#44**""'   $11': '<<&$##$)    !# *d+$.!J-$&!(//19F!&4-8)0089++ M2, !r'c t|ts(d|jjddz}t ||sy|j j |}t|j||j|j|j|j|j|j}|jD] }||} |j j#|S)zCleans text and returns sanitized result as unicode :arg str text: text to be cleaned :returns: sanitized text as unicode :raises TypeError: if ``text`` is not a text type zargument cannot be of z type, zmust be of text typer)source allowed_tagsr:strip_disallowed_tagsstrip_html_commentsr>allowed_protocols)rQ)rEstr __class__r# TypeErrorr@ parseFragmentBleachSanitizerFilterrBr,r:r-r<r>r;r=rDrender)rMtextmessagedomfiltered filter_classs r(cleanz Cleaner.cleans$$()@)@(C7K() G$ $kk''-(;;s#"&** $ 3 3,,"nn !LL 5L#84H 5%%h//r') r#r$r%__doc__ ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_PROTOCOLSrOrar&r'r(r*r*9s*<%#Sj#0r'r*ctrSttrfd}|Sttrfd}|St d)a0Generates attribute filter function for the given attributes value The attributes value can take one of several shapes. This returns a filter function appropriate to the attributes value. One nice thing about this is that there's less if/then shenanigans in the ``allow_token`` method. c|vr|}t|r ||||S||vrydvrd}t|r ||||S||vSy)NT*F)callable)tagattrvalueattr_valr:s r( _attr_filterz.attribute_filter_factory.._attr_filterslj %c?H%#Cu558#j %c?H%#Cu55x''r'c |vSNr&)rjrkrlr:s r(rnz.attribute_filter_factory.._attr_filters:% %r'z3attributes needs to be a callable, a list or a dict)rirErGrF ValueError)r:rns` r(attribute_filter_factoryrrsM *d# $*d# & J KKr'c eZdZdZeeeejejejdddf dZ dZ dZ dZd Zd Zd Zd Zd Zy)rZzmhtml5lib Filter that sanitizes text This filter can be used anywhere html5lib filters can be used. FTNc tjj||t||_t||_t ||_||_| |_ ||_ ||_ | |_ ||_ y)a_Creates a BleachSanitizerFilter instance :arg source: html5lib TreeWalker stream as an html5lib TreeWalker :arg set allowed_tags: set of allowed tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list allowed_protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg attr_val_is_uri: set of attributes that have URI values :arg svg_attr_val_allows_ref: set of SVG attributes that can have references :arg svg_allow_local_href: set of SVG elements that can have local hrefs :arg bool strip_disallowed_tags: whether or not to strip disallowed tags :arg bool strip_html_comments: whether or not to strip HTML comments :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None N)rFilterrO frozensetrRrUrr attr_filterrSrTattr_val_is_urisvg_attr_val_allows_refr>svg_allow_local_href) rMrQrRr:rUrxryrzrSrTr>s r(rOzBleachSanitizerFilter.__init__ss` %%dF3%l3!*+$*$8!r'c#K|D]5}|j|}|st|tr |Ed{2|7y7 wrp)sanitize_tokenrErF)rMtoken_iteratortokenrets r(sanitize_streamz%BleachSanitizerFilter.sanitize_streamAsF# E%%e,C#t$  s/A> Ac#PKg}|D]h}|rF|ddk(r|j|dj|Dcgc]}|d c}dd}g}|n|ddk(r|j|e|jdj|Dcgc]}|d c}dd}|ycc}wcc}ww)z/Merge consecutive Characters tokens in a streamtype Charactersrdata)rrN)appendjoin)rMr}characters_bufferr~ char_token new_tokens r(merge_charactersz&BleachSanitizerFilter.merge_charactersMs# E =L0%,,U3 !#BSTJZ/T!!- !I )+%#Ov,.!((/K+ 0GGBSTJZ/TU  #UUs3B& B AB& B! B&c||j|jtjj |Srp)rrrru__iter__)rMs r(rzBleachSanitizerFilter.__iter__ns4$$  !5!5!>!>t!D E  r'c,|d}|dvr@|d|jvr|j|S|jry|j|S|dk(r/|js"t j |dddd  |d<|Sy|d k(r|j|S|S) aSanitize a token either by HTML-encoding or dropping. Unlike sanitizer.Filter, allowed_attributes can be a dict of {'tag': ['attribute', 'pairs'], 'tag': callable}. Here callable is a function with two arguments of attribute name and value. It should return true of false. Also gives the option to strip tags instead of encoding. :arg dict token: token to sanitize :returns: token or list of tokens r)StartTagEndTagEmptyTagnameNCommentrz"z')"')entitiesr)rR allow_tokenrSdisallowed_tokenrTrescapesanitize_characters)rMr~ token_types r(r|z$BleachSanitizerFilter.sanitize_tokenss 6] ; ;V} 1 11''..++,,U33 9 $++ - 4 4&M(,J!f   < '++E2 2Lr'c|jdd}|s|Stjt|}||d<d|vr|Sg}t j |D]}|s|j drmt j|}|V|dk(r|jdddn|jd|d |t|d zd}|r|jd|d|jd|d|S) aHandles Characters tokens Our overridden tokenizer doesn't do anything with entities. However, that means that the serializer will convert all ``&`` in Characters tokens to ``&``. Since we don't want that, we extract entities here and convert them to Entity tokens so the serializer will let them be. :arg token: the Characters token to work on :returns: a list of tokens rr&Nampr)rrEntity)rr) getINVISIBLE_CHARACTERS_REsubINVISIBLE_REPLACEMENT_CHARrnext_possible_entity startswith match_entityrlen)rMr~r new_tokenspartentity remainders r(rz)BleachSanitizerFilter.sanitize_characterss yy$L&**+EtLf  d?L "66t< DDs#&33D9%#))<*MN"))8V*LM!%S[1_%6 7I "))<*ST   |TB C5 D8r'ctj|}tjdd|}|j dd}|j } t j|}|jr|j|vr|Sy|jdr|Sd|vr|jdd|vr|Sd|vsd |vr|Sy#t$rYywxYw) zChecks a uri value to see if it's allowed :arg value: the uri value to sanitize :arg allowed_protocols: list of allowed protocols :returns: allowed value or None z[`\000-\040\177-\240\s]+ru�N#:rrr) rconvert_entitiesrerreplacelowerrurlparserqschemersplit)rMrlrUnormalized_uriparseds r(sanitize_uri_valuez(BleachSanitizerFilter.sanitize_uri_values'77> ;RP(//"=(--/  ((8F ==}} 11 &((- ~%"((-a04EE **g9J.J 5  sB<< CCcbd|vr)i}|djD] \}}|\}}|j|d||s#||jvr!|j||j}|P|}||j vr5t jddt|}|j}|s|}d|df|jvr0|dtjddffvrt jd |r|d k(r*|jr|jj|}nd }|||<||d<|S) z-Handles the case where we're allowing the tagrrNzurl\s*\(\s*[^#\s][^)]+?\) )Nrxlinkrz ^\s*[^#\s])Nr8r)itemsrwrxrrUryrrrr-rzr namespacessearchr> sanitize_css) rMr~attrsnamespaced_nameval namespacer new_valuenew_vals r(rz!BleachSanitizerFilter.allow_tokensh U?E(-f (;(;(=5 -$"1 4 ''f tSA#d&:&:: $ 7 7T=S=S TI ( #C#d&B&BB ff%A3QT VG%mmoG" &%-(D,E,EE&&&11':FC+99]C8$#o5))"00==cB!*-o&k5 -n"E&M r'c|d}|dk(r d|dd|d<n|dr|dvsJg}|djD]W\\}}}|r|s||}}||tjvr|}ntj|d|}|jd |d |d Yd |dd j |d|d<n d |dd|d<|j dr|dddd|d<d|d<|d=|S)Nrrzr)rrrrz="rr)rrprefixesrrr)rMr~rrnsrvrs r(rz&BleachSanitizerFilter.disallowed_tokenZsE6]  ! vq1E&M 6]!99 99E!&v!4!4!6 : TAd#RB:=+A+A!A&*O)6)?)?)C(DAdV&LO  q 1A3a89! :" f rwwu~.>a@E&M f a0E&M 99] #$V}Sb12"5E&M$f &M r')r#r$r%rbrcrdrerrxryrzrOrrrr|rrrrr&r'r(rZrZsj"%+%55 - E E*??# <9| B )V;z8tCJ$r'rZ) itertoolsrrrKxml.sax.saxutilsrbleachrrrvrcrdrerrangechrINVISIBLE_CHARACTERScompileUNICODErr UserWarningr"r*rrSanitizerFilterrZ)cs0r(rs %   ( '  Iy9:ww5A;b" uR}EFSVF %"**S+?%?#%ErzzR! K U0U0p(LVBM99BeGs'C