moviewyrm/bookwyrm/sanitize_html.py

""" html parser to clean up incoming text from unknown sources """
from html.parser import HTMLParser


class InputHtmlParser(HTMLParser):  # pylint: disable=abstract-method
    """Removes any html that isn't allowed_tagsed from a block"""

    def __init__(self):
        HTMLParser.__init__(self)
        self.allowed_tags = [
            "p",
            "blockquote",
            "br",
            "b",
            "i",
            "strong",
            "em",
            "pre",
            "a",
            "span",
            "ul",
            "ol",
            "li",
        ]
        self.allowed_attrs = ["href", "rel", "src", "alt"]
        self.tag_stack = []
        self.output = []
        # if the html appears invalid, we just won't allow any at all
        self.allow_html = True

    def handle_starttag(self, tag, attrs):
        """check if the tag is valid"""
        if self.allow_html and tag in self.allowed_tags:
            allowed_attrs = " ".join(
                f'{a}="{v}"' for a, v in attrs if a in self.allowed_attrs
            )
            reconstructed = f"<{tag}"
            if allowed_attrs:
                reconstructed += " " + allowed_attrs
            reconstructed += ">"
            self.output.append(("tag", reconstructed))
            self.tag_stack.append(tag)
        else:
            self.output.append(("data", ""))

    def handle_endtag(self, tag):
        """keep the close tag"""
        if not self.allow_html or tag not in self.allowed_tags:
            self.output.append(("data", ""))
            return

        if not self.tag_stack or self.tag_stack[-1] != tag:
            # the end tag doesn't match the most recent start tag
            self.allow_html = False
            self.output.append(("data", ""))
            return

        self.tag_stack = self.tag_stack[:-1]
        self.output.append(("tag", f"</{tag}>"))

    def handle_data(self, data):
        """extract the answer, if we're in an answer tag"""
        self.output.append(("data", data))

    def get_output(self):
        """convert the output from a list of tuples to a string"""
        if self.tag_stack:
            self.allow_html = False
        if not self.allow_html:
            return "".join(v for (k, v) in self.output if k == "data")
        return "".join(v for (k, v) in self.output)
Runs black 2021-03-08 16:49:10 +00:00			`""" html parser to clean up incoming text from unknown sources """`
Sanitizes html input 2020-02-15 05:45:13 +00:00			`from html.parser import HTMLParser`

Runs black 2021-03-08 16:49:10 +00:00
			`class InputHtmlParser(HTMLParser): # pylint: disable=abstract-method`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""Removes any html that isn't allowed_tagsed from a block"""`
Sanitizes html input 2020-02-15 05:45:13 +00:00
			`def __init__(self):`
			`HTMLParser.__init__(self)`
Allow markdown in html fields 2020-12-20 02:54:56 +00:00			`self.allowed_tags = [`
Runs black 2021-03-08 16:49:10 +00:00			`"p",`
			`"blockquote",`
			`"br",`
			`"b",`
			`"i",`
			`"strong",`
			`"em",`
			`"pre",`
			`"a",`
			`"span",`
			`"ul",`
			`"ol",`
			`"li",`
Allow markdown in html fields 2020-12-20 02:54:56 +00:00			`]`
Python formatting 2022-02-03 21:19:56 +00:00			`self.allowed_attrs = ["href", "rel", "src", "alt"]`
Sanitizes html input 2020-02-15 05:45:13 +00:00			`self.tag_stack = []`
			`self.output = []`
			`# if the html appears invalid, we just won't allow any at all`
			`self.allow_html = True`

			`def handle_starttag(self, tag, attrs):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""check if the tag is valid"""`
Fixes linter issues 2020-09-21 17:25:26 +00:00			`if self.allow_html and tag in self.allowed_tags:`
Adds allowlist for html attrs 2022-02-03 21:15:06 +00:00			`allowed_attrs = " ".join(`
			`f'{a}="{v}"' for a, v in attrs if a in self.allowed_attrs`
			`)`
Python formatting 2022-02-03 21:19:56 +00:00			`reconstructed = f"<{tag}"`
Adds allowlist for html attrs 2022-02-03 21:15:06 +00:00			`if allowed_attrs:`
			`reconstructed += " " + allowed_attrs`
			`reconstructed += ">"`
			`self.output.append(("tag", reconstructed))`
Sanitizes html input 2020-02-15 05:45:13 +00:00			`self.tag_stack.append(tag)`
			`else:`
Runs black 2021-03-08 16:49:10 +00:00			`self.output.append(("data", ""))`
Sanitizes html input 2020-02-15 05:45:13 +00:00
			`def handle_endtag(self, tag):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""keep the close tag"""`
Fixes linter issues 2020-09-21 17:25:26 +00:00			`if not self.allow_html or tag not in self.allowed_tags:`
Runs black 2021-03-08 16:49:10 +00:00			`self.output.append(("data", ""))`
Sanitizes html input 2020-02-15 05:45:13 +00:00			`return`

			`if not self.tag_stack or self.tag_stack[-1] != tag:`
			`# the end tag doesn't match the most recent start tag`
			`self.allow_html = False`
Runs black 2021-03-08 16:49:10 +00:00			`self.output.append(("data", ""))`
Sanitizes html input 2020-02-15 05:45:13 +00:00			`return`

			`self.tag_stack = self.tag_stack[:-1]`
Updating string format syntax part 1 2021-09-18 04:39:18 +00:00			`self.output.append(("tag", f"</{tag}>"))`
Sanitizes html input 2020-02-15 05:45:13 +00:00
			`def handle_data(self, data):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""extract the answer, if we're in an answer tag"""`
Runs black 2021-03-08 16:49:10 +00:00			`self.output.append(("data", data))`
Sanitizes html input 2020-02-15 05:45:13 +00:00
			`def get_output(self):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""convert the output from a list of tuples to a string"""`
Tests and fixes whitespace bugs in sanitizer 2020-05-10 01:30:24 +00:00			`if self.tag_stack:`
			`self.allow_html = False`
Sanitizes html input 2020-02-15 05:45:13 +00:00			`if not self.allow_html:`
Runs black 2021-03-08 16:49:10 +00:00			`return "".join(v for (k, v) in self.output if k == "data")`
			`return "".join(v for (k, v) in self.output)`