]jEQ ddlmZddlZddlZddlmZddlmZddlmZgdZ ddgdgdgd Z gd Z d jee dd e d de ddDcgc] }e| c}Zej dezdzej"ZdZGddZdZGddej,Zycc}w))chainN)unescape) html5lib_shim) parse_shim) aabbracronymb blockquotecodeemiliolstrongulhreftitle)rrr )httphttpsmailto  []?c,eZdZdZeeeddddfdZdZy)CleaneraCleaner for cleaning HTML fragments of malicious content This cleaner is a security-focused function whose sole purpose is to remove malicious content from a string such that it can be displayed as content in a web page. To use:: from bleach.sanitizer import Cleaner cleaner = Cleaner() for text in all_the_yucky_things: sanitized = cleaner.clean(text) .. Note:: This cleaner is not designed to use to transform content to be used in non-web-page contexts. .. Warning:: This cleaner is not thread-safe--the html parser has internal state. Create a separate cleaner per thread! FTNcF||_||_||_||_||_|xsg|_||_tj|j|jdd|_ tjd|_ tjdddddd|_ y)a<Initializes a Cleaner :arg list tags: allowed list of tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip: whether or not to strip disallowed elements :arg bool strip_comments: whether or not to strip HTML comments :arg list filters: list of html5lib Filter classes to pass streamed content through .. seealso:: http://html5lib.readthedocs.io/en/latest/movingparts.html#filters .. Warning:: Using filters changes the output of ``bleach.Cleaner.clean``. Make sure the way the filters change the output are secure. :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None F)tagsstripconsume_entitiesnamespaceHTMLElementsetreealwaysT)quote_attr_valuesomit_optional_tagsescape_lt_in_attrsresolve_entitiessanitizealphabetical_attributesN)r$ attributes protocolsr%strip_commentsfilters css_sanitizerrBleachHTMLParserparser getTreeWalkerwalkerBleachHTMLSerializer serializer)selfr$r0r1r%r2r3r4s :/root/env/lib/python3.12/site-packages/bleach/sanitizer.py__init__zCleaner.__init__PsL $" ,}" *#44**""'   $11': '<<&$##$)  c t|ts1dj|jj}t ||sy|j j|}t|j||j|j|j|j|j|j}|j D] }||} |j"j%|S)zCleans text and returns sanitized result as unicode :arg str text: text to be cleaned :returns: sanitized text as unicode :raises TypeError: if ``text`` is not a text type z9argument cannot be of '{name}' type, must be of text type)namer)sourcer0strip_disallowed_elementsstrip_html_commentsr4allowed_elementsallowed_protocols)rA) isinstancestrformat __class____name__ TypeErrorr6 parseFragmentBleachSanitizerFilterr8r0r%r2r4r$r1r3r:render)r;textmessagedomfiltered filter_classs r<cleanz Cleaner.cleans$$KRR00S  G$ $kk''-(;;s#&*jj $ 3 3,,!YY"nn  !LL 5L#84H 5%%h//r>) rJ __module__ __qualname____doc__ ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_PROTOCOLSr=rTr>r<r"r"3s*<%#@ D&0r>r"ctrSttrfd}|Sttrfd}|St d)a0Generates attribute filter function for the given attributes value The attributes value can take one of several shapes. This returns a filter function appropriate to the attributes value. One nice thing about this is that there's less if/then shenanigans in the ``allow_token`` method. c|vr|}t|r ||||S||vrydvrd}t|r ||||S||vSy)NT*F)callable)tagattrvalueattr_valr0s r< _attr_filterz.attribute_filter_factory.._attr_filterslj %c?H%#Cu558#j %c?H%#Cu55x''r>c |vSNr[)r`rarbr0s r<rdz.attribute_filter_factory.._attr_filters:% %r>z3attributes needs to be a callable, a list or a dict)r_rFdictlist ValueError)r0rds` r<attribute_filter_factoryrjsM *d# $*d# & J KKr>c`eZdZdZeeedddffd ZdZdZ dZ d Z d Z d Z d Zd ZxZS)rMzmhtml5lib Filter that sanitizes text This filter can be used anywhere html5lib filters can be used. FTNc t||_||_||_||_t j ddtdt |$|f||d|S)agCreates a BleachSanitizerFilter instance :arg source: html5lib TreeWalker stream as an html5lib TreeWalker :arg list allowed_elements: allowed list of tags; defaults to ``bleach.sanitizer.ALLOWED_TAGS`` :arg dict attributes: allowed attributes; can be a callable, list or dict; defaults to ``bleach.sanitizer.ALLOWED_ATTRIBUTES`` :arg list allowed_protocols: allowed list of protocols for links; defaults to ``bleach.sanitizer.ALLOWED_PROTOCOLS`` :arg bool strip_disallowed_elements: whether or not to strip disallowed elements :arg bool strip_html_comments: whether or not to strip HTML comments :arg CSSSanitizer css_sanitizer: instance with a "sanitize_css" method for sanitizing style attribute values and style text; defaults to None ignorez"html5lib's sanitizer is deprecatedzbleach._vendor.html5lib)rPcategorymodule)rDrE) rj attr_filterrBrCr4warningsfilterwarningsDeprecationWarningsuperr=) r;rArDr0rErBrCr4kwargsrIs r<r=zBleachSanitizerFilter.__init__ssB4J?)B *  8',  w  -/    r>c#K|D]5}|j|}|st|tr |Ed{2|7y7 wrf)sanitize_tokenrFrh)r;token_iteratortokenrets r<sanitize_streamz%BleachSanitizerFilter.sanitize_stream!sF# E%%e,C#t$  s/A> Ac#PKg}|D]h}|rF|ddk(r|j|dj|Dcgc]}|d c}dd}g}|n|ddk(r|j|e|jdj|Dcgc]}|d c}dd}|ycc}wcc}ww)z/Merge consecutive Characters tokens in a streamtype Charactersrdata)rr}N)appendjoin)r;rxcharacters_bufferry char_token new_tokens r<merge_charactersz&BleachSanitizerFilter.merge_characters-s# E =L0%,,U3 !#BSTJZ/T!!- !I )+%#Ov,.!((/K+ 0GGBSTJZ/TU  #UUs3B& B AB& B! B&c||j|jtjj |Srf)rr{rFilter__iter__)r;s r<rzBleachSanitizerFilter.__iter__Ns4$$  !5!5!>!>t!D E  r>c,|d}|dvr@|d|jvr|j|S|jry|j|S|dk(r/|js"t j |dddd  |d<|Sy|d k(r|j|S|S) aSanitize a token either by HTML-encoding or dropping. Unlike sanitizer.Filter, allowed_attributes can be a dict of {'tag': ['attribute', 'pairs'], 'tag': callable}. Here callable is a function with two arguments of attribute name and value. It should return true of false. Also gives the option to strip tags instead of encoding. :arg dict token: token to sanitize :returns: token or list of tokens r})StartTagEndTagEmptyTagr@NCommentrz"z')"')entitiesr~)rD allow_tokenrBdisallowed_tokenrCrescapesanitize_characters)r;ry token_types r<rwz$BleachSanitizerFilter.sanitize_tokenSs 6] ; ;V} 5 55''..//,,U33 9 $++ - 4 4&M(,J!f   < '++E2 2Lr>c|jdd}|s|Stjt|}||d<d|vr|Sg}t j |D]}|s|j drmt j|}|V|dk(r|jdddn|jd|d |t|d zd}|r|jd|d|jd|d|S) aHandles Characters tokens Our overridden tokenizer doesn't do anything with entities. However, that means that the serializer will convert all ``&`` in Characters tokens to ``&``. Since we don't want that, we extract entities here and convert them to Entity tokens so the serializer will let them be. :arg token: the Characters token to work on :returns: a list of tokens rr&Nampr~)r}rEntity)r}r@) getINVISIBLE_CHARACTERS_REsubINVISIBLE_REPLACEMENT_CHARrnext_possible_entity startswith match_entityrlen)r;ryr new_tokenspartentity remainders r<rz)BleachSanitizerFilter.sanitize_characters~s yy$L&**+EtLf  d?L "66t< DDs#&33D9%#))<*MN"))8V*LM!%S[1_%6 7I "))<*ST   |TB C5 D8r>ctj|}tjdd|}|j dd}|j } t j|}|jr|j|vr|Sy|jdr|Sd|vr|jdd|vr|Sd|vsd |vr|Sy#t$rYywxYw) zChecks a uri value to see if it's allowed :arg value: the uri value to sanitize :arg allowed_protocols: list of allowed protocols :returns: allowed value or None z[`\000-\040\177-\240\s]+ru�N#:rrr) rconvert_entitiesrerreplacelowerrurlparserischemersplit)r;rbrEnormalized_uriparseds r<sanitize_uri_valuez(BleachSanitizerFilter.sanitize_uri_values'77> ;RP(//"=(--/  ((8F ==}} 11 &((- ~%"((-a04EE **g9J.J 5  sB<< CCcbd|vr)i}|djD] \}}|\}}|j|d||s#||jvr!|j||j}|P|}||j vr5t jddt|}|j}|s|}d|df|jvr0|dtjddffvrt jd |r|d k(r*|jr|jj|}nd }|||<||d<|S) z-Handles the case where we're allowing the tagrr@Nzurl\s*\(\s*[^#\s][^)]+?\) )Nrxlinkrz ^\s*[^#\s])Nstyler)itemsrpattr_val_is_urirrEsvg_attr_val_allows_refrrrr%svg_allow_local_hrefr namespacessearchr4 sanitize_css) r;ryattrsnamespaced_nameval namespacer@ new_valuenew_vals r<rz!BleachSanitizerFilter.allow_tokensh U?E(-f (;(;(=5 -$"1 4 ''f tSA#d&:&:: $ 7 7T=S=S TI ( #C#d&B&BB ff%A3QT VG%mmoG" &%-(D,E,EE&&&11':FC+99]C8$#o5))"00==cB!*-o&k5 -n"E&M r>c|d}|dk(r d|dz|d<n|dr|dvsJg}|djD]b\\}}}|r|s||}}||tjvr|}n#djtj||}|j d|d |d dd j|dd j ||d<n d |dz|d<|j dr|ddddz|d<d|d<|d=|S)Nr}rzr@r)rrz{}:{}rz="rz<{}{}>rz<%s> selfClosingz/>r~)rrprefixesrHrrr)r;ryrrnsr@vrs r<rz&BleachSanitizerFilter.disallowed_token:s46]  !#eFm3E&M 6]!99 99E!&v!4!4!6  TAd#RB:=+A+A!A&*O&-nn]5K5KB5OQU&VO (   .%OOE&M2775>JE&M#U6]2E&M 99] #!&M#2.5E&M$f &M r>)rJrUrVrWrXrYrZr=r{rrrwrrrr __classcell__)rIs@r<rMrMsP&%+"' 2 h B )V;z8tCJ*r>rM) itertoolsrrrqxml.sax.saxutilsrbleachrrrXrYrZrrangechrINVISIBLE_CHARACTERScompileUNICODErrr"rjSanitizerFilterrM)cs0r<rs %   $ '  Iy0ww5A;b" uR}EFSVF %"**S+?%?#%ErzzR!E0E0P(LV~M99~}GsB=