diff options
| author | Waylan Limberg <waylan.limberg@icloud.com> | 2015-03-14 20:39:46 -0400 |
|---|---|---|
| committer | Waylan Limberg <waylan.limberg@icloud.com> | 2018-01-11 19:04:49 -0500 |
| commit | 7f63b20b819b83afef0ddadc2e210ddce32a2be3 (patch) | |
| tree | c92e6bbd942e65588466c5800a32545fc1d57948 | |
| parent | 6366e5ae8f0ae19c033a2c24c217001c1512292b (diff) | |
| download | markdown-7f63b20b819b83afef0ddadc2e210ddce32a2be3.tar.gz markdown-7f63b20b819b83afef0ddadc2e210ddce32a2be3.tar.bz2 markdown-7f63b20b819b83afef0ddadc2e210ddce32a2be3.zip | |
Removed deprecated safe_mode.
32 files changed, 29 insertions, 741 deletions
diff --git a/docs/reference.md b/docs/reference.md index 7e5a30a..55fb501 100644 --- a/docs/reference.md +++ b/docs/reference.md @@ -88,7 +88,7 @@ __extensions__{: #extensions } If an extension name is provided as a string, the extension must be importable as a python module on your PYTHONPATH. Python's dot notation is - supported. Therefore, to import the 'extra' extension, one could do + required. Therefore, to import the 'extra' extension, one would do `extensions=['markdown.extensions.extra']` Additionally, a Class may be specified in the name. The class must be at the @@ -106,7 +106,7 @@ __extensions__{: #extensions } !!! note You should only need to specify the class name if more than one extension - is defined within the same module. The extensions that come with + is defined within the same module. The extensions that come with Python-Markdown do *not* need to have the class name specified. However, doing so will not effect the behavior of the parser. @@ -167,91 +167,13 @@ __output_format__{: #output_format }: `"html4"`) be used as the more general formats (`"xhtml"` or `"html"`) may change in the future if it makes sense at that time. -__safe_mode__{: #safe_mode }: - -: Disallow raw HTML. - - !!! warning - "`safe_mode`" is deprecated and should not be used. - - HTML sanitizers (like [Bleach]) provide a better solution for - dealing with markdown text submitted by untrusted users. - - :::python - import markdown - import bleach - html = bleach.clean(markdown.markdown(untrusted_text)) - - See the [release notes] for more info. - - The following values are accepted: - - `False` (Default): - - : Raw HTML is passed through unaltered. - - `replace`: - - : Replace all HTML blocks with the text assigned to - `html_replacement_text`. To maintain backward compatibility, setting - `safe_mode=True` will have the same effect as `safe_mode='replace'`. - - To replace raw HTML with something other than the default, do: - - :::python - md = markdown.Markdown( - safe_mode='replace', - html_replacement_text='--RAW HTML NOT ALLOWED--' - ) - - `remove`: - - : All raw HTML will be completely stripped from the text with - no warning to the author. - - `escape`: - - : All raw HTML will be escaped and included in the document. - - For example, the following source: - - :::md - Foo <b>bar</b>. - - Will result in the following HTML: - - :::html - <p>Foo <b>bar</b>.</p> - - !!! Note - "safe_mode" also alters the default value for the - [`enable_attributes`](#enable_attributes) option. - -[Bleach]: https://github.com/jsocol/bleach -[release notes]: change_log/release-2.6.md - -__html_replacement_text__{: #html_replacement_text }: - -: Text used when safe_mode is set to `replace`. Defaults to `[HTML_REMOVED]`. - - !!! warning - "`html_replacement_text`" is deprecated and should not be used. - See the [release notes] for more info. - __tab_length__{: #tab_length }: : Length of tabs in the source. Default: 4 __enable_attributes__{: #enable_attributes}: -: Enable the conversion of attributes. Defaults to `True`, unless - [`safe_mode`](#safe_mode) is enabled, in which case the default is `False`. - - !!! Note - `safe_mode` only overrides the default. If `enable_attributes` - is explicitly set, the explicit value is used regardless of `safe_mode`. - However, this could potentially allow an untrusted user to inject - JavaScript into your documents. +: Enable the conversion of attributes. Defaults to `True`. __smart_emphasis__{: #smart_emphasis }: diff --git a/markdown/__main__.py b/markdown/__main__.py index 8b2c916..c29687b 100644 --- a/markdown/__main__.py +++ b/markdown/__main__.py @@ -36,10 +36,6 @@ def parse_options(args=None, values=None): metavar="OUTPUT_FILE") parser.add_option("-e", "--encoding", dest="encoding", help="Encoding for input and output files.",) - parser.add_option("-s", "--safe", dest="safe", default=False, - metavar="SAFE_MODE", - help="Deprecated! 'replace', 'remove' or 'escape' HTML " - "tags in input") parser.add_option("-o", "--output_format", dest="output_format", default='xhtml1', metavar="OUTPUT_FORMAT", help="'xhtml1' (default), 'html4' or 'html5'.") @@ -102,10 +98,6 @@ def parse_options(args=None, values=None): 'lazy_ol': options.lazy_ol } - if options.safe: - # Avoid deprecation warning if user didn't set option - opts['safe_mode'] = options.safe - return opts, options.verbose diff --git a/markdown/core.py b/markdown/core.py index e92aad0..7d9d839 100644 --- a/markdown/core.py +++ b/markdown/core.py @@ -2,8 +2,8 @@ from __future__ import absolute_import from __future__ import unicode_literals import codecs import sys -import logging import warnings +import logging import importlib from . import util from .preprocessors import build_preprocessors @@ -65,10 +65,6 @@ class Markdown(object): Note that it is suggested that the more specific formats ("xhtml1" and "html4") be used as "xhtml" or "html" may change in the future if it makes sense at that time. - * safe_mode: Deprecated! Disallow raw html. One of "remove", "replace" - or "escape". - * html_replacement_text: Deprecated! Text used when safe_mode is set - to "replace". * tab_length: Length of tabs in the source. Default: 4 * enable_attributes: Enable the conversion of attributes. Default: True * smart_emphasis: Treat `_connected_words_` intelligently Default: True @@ -80,24 +76,6 @@ class Markdown(object): for option, default in self.option_defaults.items(): setattr(self, option, kwargs.get(option, default)) - self.safeMode = kwargs.get('safe_mode', False) - if self.safeMode and 'enable_attributes' not in kwargs: - # Disable attributes in safeMode when not explicitly set - self.enable_attributes = False - - if 'safe_mode' in kwargs: - warnings.warn('"safe_mode" is deprecated in Python-Markdown. ' - 'Use an HTML sanitizer (like ' - 'Bleach https://bleach.readthedocs.io/) ' - 'if you are parsing untrusted markdown text. ' - 'See the 2.6 release notes for more info', - DeprecationWarning) - - if 'html_replacement_text' in kwargs: - warnings.warn('The "html_replacement_text" keyword is ' - 'deprecated along with "safe_mode".', - DeprecationWarning) - self.ESCAPED_CHARS = ['\\', '`', '*', '_', '{', '}', '[', ']', '(', ')', '>', '#', '+', '-', '.', '!'] diff --git a/markdown/extensions/codehilite.py b/markdown/extensions/codehilite.py index ee42d57..9c91c37 100644 --- a/markdown/extensions/codehilite.py +++ b/markdown/extensions/codehilite.py @@ -215,8 +215,7 @@ class HiliteTreeprocessor(Treeprocessor): tab_length=self.markdown.tab_length, use_pygments=self.config['use_pygments'] ) - placeholder = self.markdown.htmlStash.store(code.hilite(), - safe=True) + placeholder = self.markdown.htmlStash.store(code.hilite()) # Clear codeblock in etree instance block.clear() # Change to p element which will later diff --git a/markdown/extensions/extra.py b/markdown/extensions/extra.py index 587ba64..f59e09e 100644 --- a/markdown/extensions/extra.py +++ b/markdown/extensions/extra.py @@ -58,15 +58,14 @@ class ExtraExtension(Extension): def extendMarkdown(self, md, md_globals): """ Register extension instances. """ md.registerExtensions(extensions, self.config) - if not md.safeMode: - # Turn on processing of markdown text within raw html - md.preprocessors['html_block'].markdown_in_raw = True - md.parser.blockprocessors.add('markdown_block', - MarkdownInHtmlProcessor(md.parser), - '_begin') - md.parser.blockprocessors.tag_counter = -1 - md.parser.blockprocessors.contain_span_tags = re.compile( - r'^(p|h[1-6]|li|dd|dt|td|th|legend|address)$', re.IGNORECASE) + # Turn on processing of markdown text within raw html + md.preprocessors['html_block'].markdown_in_raw = True + md.parser.blockprocessors.add('markdown_block', + MarkdownInHtmlProcessor(md.parser), + '_begin') + md.parser.blockprocessors.tag_counter = -1 + md.parser.blockprocessors.contain_span_tags = re.compile( + r'^(p|h[1-6]|li|dd|dt|td|th|legend|address)$', re.IGNORECASE) def makeExtension(*args, **kwargs): diff --git a/markdown/extensions/fenced_code.py b/markdown/extensions/fenced_code.py index 392c654..0975bb5 100644 --- a/markdown/extensions/fenced_code.py +++ b/markdown/extensions/fenced_code.py @@ -92,7 +92,7 @@ class FencedBlockPreprocessor(Preprocessor): code = self.CODE_WRAP % (lang, self._escape(m.group('code'))) - placeholder = self.markdown.htmlStash.store(code, safe=True) + placeholder = self.markdown.htmlStash.store(code) text = '%s\n%s\n%s' % (text[:m.start()], placeholder, text[m.end():]) diff --git a/markdown/extensions/smarty.py b/markdown/extensions/smarty.py index c2af7cd..ba5b6b6 100644 --- a/markdown/extensions/smarty.py +++ b/markdown/extensions/smarty.py @@ -163,7 +163,7 @@ class SubstituteTextPattern(HtmlPattern): if isinstance(part, int): result += m.group(part) else: - result += self.markdown.htmlStash.store(part, safe=True) + result += self.markdown.htmlStash.store(part) return result diff --git a/markdown/extensions/toc.py b/markdown/extensions/toc.py index b222cb4..f884f9b 100644 --- a/markdown/extensions/toc.py +++ b/markdown/extensions/toc.py @@ -49,11 +49,9 @@ def stashedHTML2text(text, md): def _html_sub(m): """ Substitute raw html with plain text. """ try: - raw, safe = md.htmlStash.rawHtmlBlocks[int(m.group(1))] + raw = md.htmlStash.rawHtmlBlocks[int(m.group(1))] except (IndexError, TypeError): # pragma: no cover return m.group(0) - if md.safeMode and not safe: # pragma: no cover - return '' # Strip out tags and entities - leaveing text return re.sub(r'(<[^>]+>)|(&[\#a-zA-Z0-9]+;)', '', raw) diff --git a/markdown/inlinepatterns.py b/markdown/inlinepatterns.py index bfdffb3..478b55f 100644 --- a/markdown/inlinepatterns.py +++ b/markdown/inlinepatterns.py @@ -47,10 +47,6 @@ from . import util from . import odict import re try: # pragma: no cover - from urllib.parse import urlparse, urlunparse -except ImportError: # pragma: no cover - from urlparse import urlparse, urlunparse -try: # pragma: no cover from html import entities except ImportError: # pragma: no cover import htmlentitydefs as entities @@ -73,8 +69,7 @@ def build_inlinepatterns(md_instance, **kwargs): inlinePatterns["autolink"] = AutolinkPattern(AUTOLINK_RE, md_instance) inlinePatterns["automail"] = AutomailPattern(AUTOMAIL_RE, md_instance) inlinePatterns["linebreak"] = SubstituteTagPattern(LINE_BREAK_RE, 'br') - if md_instance.safeMode != 'escape': - inlinePatterns["html"] = HtmlPattern(HTML_RE, md_instance) + inlinePatterns["html"] = HtmlPattern(HTML_RE, md_instance) inlinePatterns["entity"] = HtmlPattern(ENTITY_RE, md_instance) inlinePatterns["not_strong"] = SimpleTextPattern(NOT_STRONG_RE) inlinePatterns["em_strong"] = DoubleTagPattern(EM_STRONG_RE, 'strong,em') @@ -204,8 +199,6 @@ class Pattern(object): self.compiled_re = re.compile(r"^(.*?)%s(.*)$" % pattern, re.DOTALL | re.UNICODE) - # Api for Markdown to pass safe_mode into instance - self.safe_mode = False if markdown_instance: self.markdown = markdown_instance @@ -369,7 +362,7 @@ class LinkPattern(Pattern): if href: if href[0] == "<": href = href[1:-1] - el.set("href", self.sanitize_url(self.unescape(href.strip()))) + el.set("href", self.unescape(href.strip())) else: el.set("href", "") @@ -378,52 +371,6 @@ class LinkPattern(Pattern): el.set("title", title) return el - def sanitize_url(self, url): - """ - Sanitize a url against xss attacks in "safe_mode". - - Rather than specifically blacklisting `javascript:alert("XSS")` and all - its aliases (see <http://ha.ckers.org/xss.html>), we whitelist known - safe url formats. Most urls contain a network location, however some - are known not to (i.e.: mailto links). Script urls do not contain a - location. Additionally, for `javascript:...`, the scheme would be - "javascript" but some aliases will appear to `urlparse()` to have no - scheme. On top of that relative links (i.e.: "foo/bar.html") have no - scheme. Therefore we must check "path", "parameters", "query" and - "fragment" for any literal colons. We don't check "scheme" for colons - because it *should* never have any and "netloc" must allow the form: - `username:password@host:port`. - - """ - if not self.markdown.safeMode: - # Return immediately bipassing parsing. - return url - - try: - scheme, netloc, path, params, query, fragment = url = urlparse(url) - except ValueError: # pragma: no cover - # Bad url - so bad it couldn't be parsed. - return '' - - locless_schemes = ['', 'mailto', 'news'] - allowed_schemes = locless_schemes + ['http', 'https', 'ftp', 'ftps'] - if scheme not in allowed_schemes: - # Not a known (allowed) scheme. Not safe. - return '' - - if netloc == '' and scheme not in locless_schemes: # pragma: no cover - # This should not happen. Treat as suspect. - return '' - - for part in url[2:]: - if ":" in part: - # A colon in "path", "parameters", "query" - # or "fragment" is suspect. - return '' - - # Url passes all tests. Return url as-is. - return urlunparse(url) - class ImagePattern(LinkPattern): """ Return a img element from the given match. """ @@ -434,7 +381,7 @@ class ImagePattern(LinkPattern): src = src_parts[0] if src[0] == "<" and src[-1] == ">": src = src[1:-1] - el.set('src', self.sanitize_url(self.unescape(src))) + el.set('src', self.unescape(src)) else: el.set('src', "") if len(src_parts) > 1: @@ -476,7 +423,7 @@ class ReferencePattern(LinkPattern): def makeTag(self, href, title, text): el = util.etree.Element('a') - el.set('href', self.sanitize_url(href)) + el.set('href', href) if title: el.set('title', title) @@ -488,7 +435,7 @@ class ImageReferencePattern(ReferencePattern): """ Match to a stored reference and return img element. """ def makeTag(self, href, title, text): el = util.etree.Element("img") - el.set("src", self.sanitize_url(href)) + el.set("src", href) if title: el.set("title", title) diff --git a/markdown/postprocessors.py b/markdown/postprocessors.py index 7b9aa0b..f59e070 100644 --- a/markdown/postprocessors.py +++ b/markdown/postprocessors.py @@ -50,19 +50,11 @@ class RawHtmlPostprocessor(Postprocessor): """ Restore raw html to the document. """ def run(self, text): - """ Iterate over html stash and restore "safe" html. """ + """ Iterate over html stash and restore html. """ replacements = OrderedDict() for i in range(self.markdown.htmlStash.html_counter): - html, safe = self.markdown.htmlStash.rawHtmlBlocks[i] - if self.markdown.safeMode and not safe: - if str(self.markdown.safeMode).lower() == 'escape': - html = self.escape(html) - elif str(self.markdown.safeMode).lower() == 'remove': - html = '' - else: - html = self.markdown.html_replacement_text - if (self.isblocklevel(html) and - (safe or not self.markdown.safeMode)): + html = self.markdown.htmlStash.rawHtmlBlocks[i] + if self.isblocklevel(html): replacements["<p>%s</p>" % (self.markdown.htmlStash.get_placeholder(i))] = \ html + "\n" @@ -74,13 +66,6 @@ class RawHtmlPostprocessor(Postprocessor): return text - def escape(self, html): - """ Basic html escaping """ - html = html.replace('&', '&') - html = html.replace('<', '<') - html = html.replace('>', '>') - return html.replace('"', '"') - def isblocklevel(self, html): m = re.match(r'^\<\/?([^ >]+)', html) if m: diff --git a/markdown/preprocessors.py b/markdown/preprocessors.py index 1e99afa..d0af51a 100644 --- a/markdown/preprocessors.py +++ b/markdown/preprocessors.py @@ -17,8 +17,7 @@ def build_preprocessors(md_instance, **kwargs): """ Build the default set of preprocessors used by Markdown. """ preprocessors = odict.OrderedDict() preprocessors['normalize_whitespace'] = NormalizeWhitespace(md_instance) - if md_instance.safeMode != 'escape': - preprocessors["html_block"] = HtmlBlockPreprocessor(md_instance) + preprocessors["html_block"] = HtmlBlockPreprocessor(md_instance) preprocessors["reference"] = ReferencePreprocessor(md_instance) return preprocessors diff --git a/markdown/util.py b/markdown/util.py index 9e87019..8897195 100644 --- a/markdown/util.py +++ b/markdown/util.py @@ -141,7 +141,7 @@ class HtmlStash(object): self.tag_counter = 0 self.tag_data = [] # list of dictionaries in the order tags appear - def store(self, html, safe=False): + def store(self, html): """ Saves an HTML segment for later reinsertion. Returns a placeholder string that needs to be inserted into the @@ -150,12 +150,11 @@ class HtmlStash(object): Keyword arguments: * html: an html segment - * safe: label an html segment as safe for safemode Returns : a placeholder string """ - self.rawHtmlBlocks.append((html, safe)) + self.rawHtmlBlocks.append(html) placeholder = self.get_placeholder(self.html_counter) self.html_counter += 1 return placeholder diff --git a/tests/safe_mode/html_then_blockquote.html b/tests/safe_mode/html_then_blockquote.html deleted file mode 100644 index 62d24e4..0000000 --- a/tests/safe_mode/html_then_blockquote.html +++ /dev/null @@ -1,6 +0,0 @@ -<p>to:</p> -<p><td /><td style="text-align: center; white-space: nowrap;"><br /></p> -<blockquote> -<p>3) You don't need to alter all localization files. - Adding the new labels to the en_US files will do it.</p> -</blockquote>
\ No newline at end of file diff --git a/tests/safe_mode/html_then_blockquote.txt b/tests/safe_mode/html_then_blockquote.txt deleted file mode 100644 index 544df67..0000000 --- a/tests/safe_mode/html_then_blockquote.txt +++ /dev/null @@ -1,6 +0,0 @@ -to: - -<td /><td style="text-align: center; white-space: nowrap;"><br /> - -> 3) You don't need to alter all localization files. -> Adding the new labels to the en_US files will do it. diff --git a/tests/safe_mode/inline-html-advanced.html b/tests/safe_mode/inline-html-advanced.html deleted file mode 100644 index e9dd2ec..0000000 --- a/tests/safe_mode/inline-html-advanced.html +++ /dev/null @@ -1,11 +0,0 @@ -<p>Simple block on one line:</p> -<p><div>foo</div></p> -<p>And nested without indentation:</p> -<p><div> -<div> -<div> -foo -</div> -</div> -<div>bar</div> -</div></p>
\ No newline at end of file diff --git a/tests/safe_mode/inline-html-advanced.txt b/tests/safe_mode/inline-html-advanced.txt deleted file mode 100644 index 9d71ddc..0000000 --- a/tests/safe_mode/inline-html-advanced.txt +++ /dev/null @@ -1,14 +0,0 @@ -Simple block on one line: - -<div>foo</div> - -And nested without indentation: - -<div> -<div> -<div> -foo -</div> -</div> -<div>bar</div> -</div> diff --git a/tests/safe_mode/inline-html-comments.html b/tests/safe_mode/inline-html-comments.html deleted file mode 100644 index 0f1e417..0000000 --- a/tests/safe_mode/inline-html-comments.html +++ /dev/null @@ -1,8 +0,0 @@ -<p>Paragraph one.</p> -<p><!-- This is a simple comment --></p> -<p><!-- - This is another comment. ---></p> -<p>Paragraph two.</p> -<p><!-- one comment block -- -- with two comments --></p> -<p>The end.</p>
\ No newline at end of file diff --git a/tests/safe_mode/inline-html-comments.txt b/tests/safe_mode/inline-html-comments.txt deleted file mode 100644 index 41d830d..0000000 --- a/tests/safe_mode/inline-html-comments.txt +++ /dev/null @@ -1,13 +0,0 @@ -Paragraph one. - -<!-- This is a simple comment --> - -<!-- - This is another comment. ---> - -Paragraph two. - -<!-- one comment block -- -- with two comments --> - -The end. diff --git a/tests/safe_mode/inline-html-simple.html b/tests/safe_mode/inline-html-simple.html deleted file mode 100644 index 1e5df17..0000000 --- a/tests/safe_mode/inline-html-simple.html +++ /dev/null @@ -1,46 +0,0 @@ -<p>Here's a simple block:</p> -<p><div> - foo -</div></p> -<p>This should be a code block, though:</p> -<pre><code><div> - foo -</div> -</code></pre> -<p>As should this:</p> -<pre><code><div>foo</div> -</code></pre> -<p>Now, nested:</p> -<p><div> - <div> - <div> - foo - </div> - </div> -</div></p> -<p>This should just be an HTML comment:</p> -<p><!-- Comment --></p> -<p>Multiline:</p> -<p><!-- -Blah -Blah ---></p> -<p>Code block:</p> -<pre><code><!-- Comment --> -</code></pre> -<p>Just plain comment, with trailing spaces on the line:</p> -<p><!-- foo --> </p> -<p>Code:</p> -<pre><code><hr /> -</code></pre> -<p>Hr's:</p> -<p><hr></p> -<p><hr/></p> -<p><hr /></p> -<p><hr> </p> -<p><hr/> </p> -<p><hr /> </p> -<p><hr class="foo" id="bar" /></p> -<p><hr class="foo" id="bar"/></p> -<p><hr class="foo" id="bar" ></p> -<p><some <a href="http://example.com">weird</a> stuff></p>
\ No newline at end of file diff --git a/tests/safe_mode/inline-html-simple.txt b/tests/safe_mode/inline-html-simple.txt deleted file mode 100644 index 7210750..0000000 --- a/tests/safe_mode/inline-html-simple.txt +++ /dev/null @@ -1,70 +0,0 @@ -Here's a simple block: - -<div> - foo -</div> - -This should be a code block, though: - - <div> - foo - </div> - -As should this: - - <div>foo</div> - -Now, nested: - -<div> - <div> - <div> - foo - </div> - </div> -</div> - -This should just be an HTML comment: - -<!-- Comment --> - -Multiline: - -<!-- -Blah -Blah ---> - -Code block: - - <!-- Comment --> - -Just plain comment, with trailing spaces on the line: - -<!-- foo --> - -Code: - - <hr /> - -Hr's: - -<hr> - -<hr/> - -<hr /> - -<hr> - -<hr/> - -<hr /> - -<hr class="foo" id="bar" /> - -<hr class="foo" id="bar"/> - -<hr class="foo" id="bar" > - -<some [weird](http://example.com) stuff> diff --git a/tests/safe_mode/link-targets.html b/tests/safe_mode/link-targets.html deleted file mode 100644 index 768ae5b..0000000 --- a/tests/safe_mode/link-targets.html +++ /dev/null @@ -1,2 +0,0 @@ -<p><a href="">XSS</a> -See http://security.stackexchange.com/q/30330/1261 for details.</p>
\ No newline at end of file diff --git a/tests/safe_mode/link-targets.txt b/tests/safe_mode/link-targets.txt deleted file mode 100644 index 10eebda..0000000 --- a/tests/safe_mode/link-targets.txt +++ /dev/null @@ -1,3 +0,0 @@ -[XSS](javascript://%0Aalert%28'XSS'%29;) -See http://security.stackexchange.com/q/30330/1261 for details. - diff --git a/tests/safe_mode/remove.html b/tests/safe_mode/remove.html deleted file mode 100644 index d86b2b4..0000000 --- a/tests/safe_mode/remove.html +++ /dev/null @@ -1,35 +0,0 @@ -<p>Here's a simple block:</p> -<p></p> -<p>This should be a code block, though:</p> -<pre><code><div> - foo -</div> -</code></pre> -<p>As should this:</p> -<pre><code><div>foo</div> -</code></pre> -<p>Now, nested:</p> -<p></p> -<p>This should just be an HTML comment:</p> -<p></p> -<p>Multiline:</p> -<p></p> -<p>Code block:</p> -<pre><code><!-- Comment --> -</code></pre> -<p>Just plain comment, with trailing spaces on the line:</p> -<p></p> -<p>Code:</p> -<pre><code><hr /> -</code></pre> -<p>Hr's:</p> -<p></p> -<p></p> -<p></p> -<p></p> -<p></p> -<p></p> -<p></p> -<p></p> -<p></p> -<p></p>
\ No newline at end of file diff --git a/tests/safe_mode/remove.txt b/tests/safe_mode/remove.txt deleted file mode 100644 index 7210750..0000000 --- a/tests/safe_mode/remove.txt +++ /dev/null @@ -1,70 +0,0 @@ -Here's a simple block: - -<div> - foo -</div> - -This should be a code block, though: - - <div> - foo - </div> - -As should this: - - <div>foo</div> - -Now, nested: - -<div> - <div> - <div> - foo - </div> - </div> -</div> - -This should just be an HTML comment: - -<!-- Comment --> - -Multiline: - -<!-- -Blah -Blah ---> - -Code block: - - <!-- Comment --> - -Just plain comment, with trailing spaces on the line: - -<!-- foo --> - -Code: - - <hr /> - -Hr's: - -<hr> - -<hr/> - -<hr /> - -<hr> - -<hr/> - -<hr /> - -<hr class="foo" id="bar" /> - -<hr class="foo" id="bar"/> - -<hr class="foo" id="bar" > - -<some [weird](http://example.com) stuff> diff --git a/tests/safe_mode/replace.html b/tests/safe_mode/replace.html deleted file mode 100644 index cb6bfb5..0000000 --- a/tests/safe_mode/replace.html +++ /dev/null @@ -1,35 +0,0 @@ -<p>Here's a simple block:</p> -<p>[HTML_REMOVED]</p> -<p>This should be a code block, though:</p> -<pre><code><div> - foo -</div> -</code></pre> -<p>As should this:</p> -<pre><code><div>foo</div> -</code></pre> -<p>Now, nested:</p> -<p>[HTML_REMOVED]</p> -<p>This should just be an HTML comment:</p> -<p>[HTML_REMOVED]</p> -<p>Multiline:</p> -<p>[HTML_REMOVED]</p> -<p>Code block:</p> -<pre><code><!-- Comment --> -</code></pre> -<p>Just plain comment, with trailing spaces on the line:</p> -<p>[HTML_REMOVED]</p> -<p>Code:</p> -<pre><code><hr /> -</code></pre> -<p>Hr's:</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p> -<p>[HTML_REMOVED]</p>
\ No newline at end of file diff --git a/tests/safe_mode/replace.txt b/tests/safe_mode/replace.txt deleted file mode 100644 index 7210750..0000000 --- a/tests/safe_mode/replace.txt +++ /dev/null @@ -1,70 +0,0 @@ -Here's a simple block: - -<div> - foo -</div> - -This should be a code block, though: - - <div> - foo - </div> - -As should this: - - <div>foo</div> - -Now, nested: - -<div> - <div> - <div> - foo - </div> - </div> -</div> - -This should just be an HTML comment: - -<!-- Comment --> - -Multiline: - -<!-- -Blah -Blah ---> - -Code block: - - <!-- Comment --> - -Just plain comment, with trailing spaces on the line: - -<!-- foo --> - -Code: - - <hr /> - -Hr's: - -<hr> - -<hr/> - -<hr /> - -<hr> - -<hr/> - -<hr /> - -<hr class="foo" id="bar" /> - -<hr class="foo" id="bar"/> - -<hr class="foo" id="bar" > - -<some [weird](http://example.com) stuff> diff --git a/tests/safe_mode/script_tags.html b/tests/safe_mode/script_tags.html deleted file mode 100644 index 6c1501b..0000000 --- a/tests/safe_mode/script_tags.html +++ /dev/null @@ -1,20 +0,0 @@ -<p>This should be stripped/escaped in safe_mode.</p> -<p><script> -alert("Hello world!") -</script></p> -<p>With blank lines.</p> -<p><script></p> -<p>alert("Hello world!")</p> -<p></script></p> -<p>Now with some weirdness</p> -<p><code><script <!-- -alert("Hello world!") -</script <></code> `</p> -<p>Try another way.</p> -<p><script <!-- -alert("Hello world!") -</script <></p> -<p>This time with blank lines.</p> -<p><script <!--</p> -<p>alert("Hello world!")</p> -<p></script <></p>
\ No newline at end of file diff --git a/tests/safe_mode/script_tags.txt b/tests/safe_mode/script_tags.txt deleted file mode 100644 index 44041c2..0000000 --- a/tests/safe_mode/script_tags.txt +++ /dev/null @@ -1,33 +0,0 @@ -This should be stripped/escaped in safe_mode. - -<script> -alert("Hello world!") -</script> - -With blank lines. - -<script> - -alert("Hello world!") - -</script> - -Now with some weirdness - -``<script <!-- -alert("Hello world!") -</script <>`` ` - -Try another way. - -<script <!-- -alert("Hello world!") -</script <> - -This time with blank lines. - -<script <!-- - -alert("Hello world!") - -</script <> diff --git a/tests/safe_mode/unsafe_urls.html b/tests/safe_mode/unsafe_urls.html deleted file mode 100644 index e617f35..0000000 --- a/tests/safe_mode/unsafe_urls.html +++ /dev/null @@ -1,20 +0,0 @@ -<p>These links should be unsafe and not allowed in safe_mode</p> -<p><a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a> -<a href="">link</a></p> -<p><img alt="img" src="" /> -<a href="">ref</a> -<img alt="imgref" src="" /></p> -<p>These should work regardless:</p> -<p><a href="relative/url.html">relative</a> -<a href="mailto:foo@bar.com">email</a> -<a href="news:some.news.group.com">news scheme</a> -<a href="http://example.com">http link</a></p>
\ No newline at end of file diff --git a/tests/safe_mode/unsafe_urls.txt b/tests/safe_mode/unsafe_urls.txt deleted file mode 100644 index 7bfd81d..0000000 --- a/tests/safe_mode/unsafe_urls.txt +++ /dev/null @@ -1,27 +0,0 @@ -These links should be unsafe and not allowed in safe_mode - -[link](javascript:alert%28'Hello%20world!'%29) -[link](vbscript:msgbox%28%22Hello%20world!%22%29) -[link](livescript:alert%28'Hello%20world!'%29) -[link](mocha:[code]) -[link](jAvAsCrIpT:alert%28'Hello%20world!'%29) -[link](ja vas cr ipt:alert%28'Hello%20world!'%29) -[link](ja vas cr ipt:alert%28'Hello%20world!'%29) -[link](ja vas cr ipt:alert%28'Hello%20world!'%29) -[link](ja%09 %0Avas cr
ipt:alert%28'Hello%20world!'%29) -[link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29) -[link](live%20script:alert%28'Hello%20world!'%29) - - -[ref][] -![imgref][] - -[ref]: javascript:alert%29'XSS'%29 -[imgref]: javascript:alert%29'XSS'%29 - -These should work regardless: - -[relative](relative/url.html) -[email](mailto:foo@bar.com) -[news scheme](news:some.news.group.com) -[http link](http://example.com) diff --git a/tests/test_apis.py b/tests/test_apis.py index d128948..6a1829b 100644 --- a/tests/test_apis.py +++ b/tests/test_apis.py @@ -133,7 +133,7 @@ class TestHtmlStash(unittest.TestCase): """ Test HtmlStash.store. """ self.assertEqual(self.placeholder, self.stash.get_placeholder(0)) self.assertEqual(self.stash.html_counter, 1) - self.assertEqual(self.stash.rawHtmlBlocks, [('foo', False)]) + self.assertEqual(self.stash.rawHtmlBlocks, ['foo']) def testStoreMore(self): """ Test HtmlStash.store with additional blocks. """ @@ -142,15 +142,7 @@ class TestHtmlStash(unittest.TestCase): self.assertEqual(self.stash.html_counter, 2) self.assertEqual( self.stash.rawHtmlBlocks, - [('foo', False), ('bar', False)] - ) - - def testSafeStore(self): - """ Test HtmlStash.store with 'safe' html. """ - self.stash.store('bar', True) - self.assertEqual( - self.stash.rawHtmlBlocks, - [('foo', False), ('bar', True)] + ['foo', 'bar'] ) def testReset(self): @@ -159,25 +151,6 @@ class TestHtmlStash(unittest.TestCase): self.assertEqual(self.stash.html_counter, 0) self.assertEqual(self.stash.rawHtmlBlocks, []) - def testUnsafeHtmlInSafeMode(self): - """ Test that unsafe HTML gets escaped in safe_mode. """ - output = markdown.markdown('foo', extensions=[self.build_extension()], safe_mode='escape') - self.assertEqual(output, '<p><script>print("evil")</script></p>') - - def build_extension(self): - """ Build an extention that addes unsafe html to Stash in same_mode. """ - class Unsafe(markdown.treeprocessors.Treeprocessor): - def run(self, root): - el = root.find('p') - el.text = self.markdown.htmlStash.store('<script>print("evil")</script>', safe=False) - return root - - class StoreUnsafeHtml(markdown.extensions.Extension): - def extendMarkdown(self, md, md_globals): - md.treeprocessors.add('unsafe', Unsafe(md), '_end') - - return StoreUnsafeHtml() - class TestOrderedDict(unittest.TestCase): """ Test OrderedDict storage class. """ @@ -655,11 +628,6 @@ class TestCliOptionParsing(unittest.TestCase): self.default_options['encoding'] = 'utf-8' self.assertEqual(options, self.default_options) - def testSafeModeOption(self): - options, logging_level = parse_options(['-s', 'escape']) - self.default_options['safe_mode'] = 'escape' - self.assertEqual(options, self.default_options) - def testOutputFormatOption(self): options, logging_level = parse_options(['-o', 'html5']) self.default_options['output_format'] = 'html5' diff --git a/tests/test_legacy.py b/tests/test_legacy.py index 17c4282..ddc54bb 100644 --- a/tests/test_legacy.py +++ b/tests/test_legacy.py @@ -31,15 +31,6 @@ class TestOptions(LegacyTestCase): no_smart_emphasis = Kwargs(smart_emphasis=False) -class TestSafeMode(LegacyTestCase): - location = os.path.join(parent_test_dir, 'safe_mode') - default_kwargs = Kwargs(safe_mode='escape') - - remove = Kwargs(safe_mode='remove') - - replace = Kwargs(safe_mode='replace') - - class TestPhp(LegacyTestCase): """ Notes on "excluded" tests: |