{ "info": { "author": "Sami Turcotte", "author_email": "samiturcotte@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Intended Audience :: Education", "License :: OSI Approved :: MIT License", "Natural Language :: English", "Operating System :: OS Independent", "Programming Language :: Python", "Programming Language :: Python :: 3", "Topic :: Software Development :: Libraries :: Python Modules", "Topic :: Text Processing :: Filters", "Topic :: Text Processing :: Markup :: HTML" ], "description": "# mdx_bleach\n\n**mdx_bleach** is a [Python-Markdown](https://pythonhosted.org/Markdown/)\nextension that sanitizes the output of untrusted Markdown documents based on a\nwhitelist. The extension is based on [Bleach](http://bleach.readthedocs.org/en/latest/),\na robust whitelist-based HTML sanitizer.\n\nBy design, all HTML markup is allowed in Markdown documents. Unless written\ninside a code block, raw HTML is not escaped and is therefore rendered by the\nweb browsers. While this is a nice authoring feature, it also exposes some XSS\nvulnerabilities. That becomes a problem when the source of a Markdown document\nis untrusted.\n\n**mdx_bleach** intends to provide a safer and more flexible alternative to Python-Markdown's\n[deprecated safe mode](https://pythonhosted.org/Markdown/reference.html#safe_mode).\n\n## Installation\n\n pip install mdx_bleach\n\n\n## Basic Usage\n\n```python\n>>> import markdown\n>>> from mdx_bleach.extension import BleachExtension\n>>> bleach = BleachExtension()\n>>> md = markdown.Markdown(extensions=[bleach])\n>>> md.convert('is not allowed')\nu'

<span>is not allowed</span>

'\n```\n\nBecause the ```` tag isn't allowed by default, **mdx_bleach** escapes it.\nThe default whitelists can be found in ``mdx_bleach.whitelist``.\n\n\n## Configuration\n\nTo configure **mdx_bleach**, pass the following keyword arguments to ``BleachExtension``:\n\n* ``tags`` Tag Whitelist\n* ``attributes`` Attribute Whitelist\n* ``styles`` Styles Whitelist\n* ``protocols`` Protocols Whitelist\n* ``strip`` Stripping Markup\n* ``strip_comments`` Stripping Comments\n\nThe following example reflects the default configuration:\n\n```python\nfrom mdx_bleach.whitelist import ALLOWED_TAGS, ALLOWED_ATTRIBUTES, ALLOWED_STYLES, ALLOWED_PROTOCOLS\nbleach = BleachExtension(tags=ALLOWED_TAGS, attributes=ALLOWED_ATTRIBUTES,\n styles=ALLOWED_STYLES, protocols=ALLOWED_PROTOCOLS, strip=False, strip_comments=True)\nmd = markdown.Markdown(extensions=[bleach])\n```\n\n\n### Tag Whitelist\n\nThe ``tags`` kwarg is a whitelist of allowed HTML tags. It should be a list,\ntuple, or other iterable. Any other HTML tags will be escaped or stripped from\nthe text. This applies to the HTML output that Markdown produces.\n\nSince Markdown commonly generates HTML elements like ``p``, ``a``, ``img``, etc.\nit is recommended to allow no less than the default tag whitelist found in\n``mdx_bleach.whitelist.ALLOWED_TAGS``.\n\nFor example:\n\n```python\n>>> from mdx_bleach.whitelist import ALLOWED_TAGS\n>>> bleach = BleachExtension(tags=ALLOWED_TAGS + ['small'])\n>>> md = markdown.Markdown(extensions=[bleach])\n>>> md.convert('is allowed')\nu'

is allowed

'\n```\n\nThis will allow authored ``small`` tags and any tag from the default whitelist.\nNote that if a third party extension that can generate more specific tags is\ninstalled, you might want to whitelist those additional tags as well.\n\n\n### Attribute Whitelist\n\nThe ``attributes`` kwarg is a whitelist of attributes. It can be a list, in\nwhich case the attributes are allowed for any tag, or a dictionary, in which\ncase the keys are tag names (or a wildcard: ``*`` for all tags) and the values\nare lists of allowed attributes.\n\nThe default value is a conservative dictionary found in ``mdx_bleach.whitelist.ALLOWED_ATTRIBUTES``.\nIf you override the ``attributes`` kwarg and still want to support images and\nlinks, make sure to allow the ``href`` and ``title`` attributes in ```` tags,\nas well as the ``src``, ``title`` and ``alt`` attributes in ```` tags.\n\nFor example:\n\n```python\nattrs = {\n '*': ['class'],\n 'a': ['href', 'title', 'rel'],\n 'img': ['src', 'title', 'alt'],\n}\nbleach = BleachExtension(attributes=attrs)\n```\n\nIn this case, the ``class`` attribute is allowed on any allowed element (from\nthe ``tags`` argument), ```` tags are allowed to have ``href``, ``title`` and\n``rel`` attributes, and so on.\n\nYou can also use a callable (instead of a list). If the callable returns True,\nthe attribute is allowed. Otherwise, it is stripped.\n\nFor example:\n\n```python\ndef filter_src(name, value):\n if name in ('alt', 'title', 'height', 'width'):\n return True\n if name == 'src':\n p = urlparse(value)\n return (not p.netloc) or p.netloc == 'mydomain.com'\n return False\n```\n\n\n### Styles Whitelist\n\nIf you allow the ``style`` attribute, you will also need to whitelist styles\nauthors are allowed to set, for example ``color`` and ``background-color``. The\ndefault value is an empty list.\n\nFor example, to allow authors to set the color and font-weight of ``span`` elements:\n\n```python\ntags = ALLOWED_TAGS + ['span']\nattrs = ALLOWED_ATTRIBUTES.copy()\nattrs['span'] = ['style']\nstyles = ['color', 'font-weight']\nbleach = BleachExtension(tags=tags, attributes=attrs, styles=styles)\n```\n\n### Protocol Whitelist\n\nIf you allow tags that have attributes containing a URI value\n(like the href attribute of an anchor tag,) you may want to adapt\nthe accepted protocols. The default list only allows http, https and mailto.\n\nFor example, this sets allowed protocols to http, https and smb:\n\n```python\nprotocols = ['http', 'https', 'smb']\nbleach = BleachExtension(protocols=protocols)\n```\n\nThis adds smb to the bleach-specified set of allowed protocols:\n\n```python\nbleach = BleachExtension(protocols=ALLOWED_PROTOCOLS + ['smb'])\n```\n\n### Stripping Markup\n\nBy default, Bleach *escapes* disallowed or invalid markup. For example:\n\n```python\n>>> md = markdown.Markdown(extensions=[BleachExtension()])\n>>> md.convert('is not allowed')\nu'

<span>is not allowed</span>'\n```\n\nIf you would rather Bleach stripped this markup entirely, you can pass\n``strip=True``:\n\n```python\n>>> md = markdown.Markdown(extensions=[BleachExtension(strip=True)])\n>>> md.convert('is not allowed')\nu'

is not allowed

'\n```\n\n\n### Stripping Comments\n\nBy default, Bleach will strip out HTML comments. To disable this behavior, set\n``strip_comments=False``:\n\n```python\n>>> html = 'my html'\n\n>>> md = markdown.Markdown(extensions=[BleachExtension()])\n>>> md.convert(html)\nu'

my html

'\n\n>>> md = markdown.Markdown(extensions=[BleachExtension(strip_comments=False)])\n>>> md.convert(html)\nu'

my html

'\n```\n\n\n## Links\n\n* [Source](https://github.com/Wenzil/mdx_bleach)\n* [Bleach](http://bleach.readthedocs.org/en/latest/)\n* [Markdown](http://daringfireball.net/projects/markdown/)\n* [Python-Markdown](https://pythonhosted.org/Markdown/)", "description_content_type": "", "docs_url": null, "download_url": "https://github.com/Wenzil/mdx_bleach/archive/0.1.4.tar.gz", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/Wenzil/mdx_bleach", "keywords": "mdx,bleach,markdown,extension,sanitize,html", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "mdx_bleach", "package_url": "https://pypi.org/project/mdx_bleach/", "platform": "", "project_url": "https://pypi.org/project/mdx_bleach/", "project_urls": { "Download": "https://github.com/Wenzil/mdx_bleach/archive/0.1.4.tar.gz", "Homepage": "https://github.com/Wenzil/mdx_bleach" }, "release_url": "https://pypi.org/project/mdx_bleach/0.1.4/", "requires_dist": null, "requires_python": "", "summary": "Python-Markdown extension to sanitize the output of untrusted Markdown documents.", "version": "0.1.4" }, "last_serial": 3881963, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "58d888520a7c7b2b0ef1c2a641cc8a51", "sha256": "9aab63f86c644eacbf235597b0d3535f3fcf4ffc117e7971ff145f46e95af65b" }, "downloads": -1, "filename": "mdx_bleach-0.1.0.win32.exe", "has_sig": false, "md5_digest": "58d888520a7c7b2b0ef1c2a641cc8a51", "packagetype": "bdist_wininst", "python_version": "any", "requires_python": null, "size": 208896, "upload_time": "2015-04-16T05:55:24", "url": "https://files.pythonhosted.org/packages/8a/d0/e23f666b3f8f85e295abb4230e977e54c08d6013bcc6ad118169eeedd15c/mdx_bleach-0.1.0.win32.exe" }, { "comment_text": "", "digests": { "md5": "4261d6dfd77da1115806122b6ed28ae7", "sha256": "e051a0b268101aace1cfa2427d593a8a1d1eae35168c9b25404ae86472f480e2" }, "downloads": -1, "filename": "mdx_bleach-0.1.0.zip", "has_sig": false, "md5_digest": "4261d6dfd77da1115806122b6ed28ae7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13225, "upload_time": "2015-04-16T05:55:21", "url": "https://files.pythonhosted.org/packages/91/b3/9b982d5aac1accb1a91253b557c3f9f70bcd1689b0f0bd4679968f55d9bc/mdx_bleach-0.1.0.zip" } ], "0.1.1": [ { "comment_text": "", "digests": { "md5": "ebf1cfb13771e1919e7fe7ff14e1901f", "sha256": "337362256710ed207e0b7dbf3d32ad921dfbb4b4b940bfdf141103b73a51525c" }, "downloads": -1, "filename": "mdx_bleach-0.1.1.zip", "has_sig": false, "md5_digest": "ebf1cfb13771e1919e7fe7ff14e1901f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10325, "upload_time": "2017-01-23T01:29:57", "url": "https://files.pythonhosted.org/packages/b0/5f/5538d8ff700dbc35ae3b2b9930658059681c6af06c17b8a8083f27109644/mdx_bleach-0.1.1.zip" } ], "0.1.2": [ { "comment_text": "", "digests": { "md5": "750597a1108d474fe7a1c6725d610906", "sha256": "cd1c59b9dbc2dcb8f86d4f49b939359b2d7e7b6c490d0bf15048210b28085be8" }, "downloads": -1, "filename": "mdx_bleach-0.1.2.zip", "has_sig": false, "md5_digest": "750597a1108d474fe7a1c6725d610906", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10334, "upload_time": "2017-01-31T04:54:40", "url": "https://files.pythonhosted.org/packages/2b/40/21b5dd4a0b2ab868973f1f378fc1b358a38fcd8a0de7cb61696a60c2e23e/mdx_bleach-0.1.2.zip" } ], "0.1.3": [ { "comment_text": "", "digests": { "md5": "d5445a71f4c3c88376e6ad6847581942", "sha256": "0f79400638163f8c45814be53e61c3383e654922e5b58e926acf25ed3f0c646c" }, "downloads": -1, "filename": "mdx_bleach-0.1.3.tar.gz", "has_sig": false, "md5_digest": "d5445a71f4c3c88376e6ad6847581942", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6601, "upload_time": "2018-05-19T06:43:50", "url": "https://files.pythonhosted.org/packages/c1/a7/3c501a0c29cd15146208c9df89e4bcd95ea10d58f092c8f511196626fdc0/mdx_bleach-0.1.3.tar.gz" } ], "0.1.4": [ { "comment_text": "", "digests": { "md5": "bae64575f44b0627396e2f2718a9a057", "sha256": "125d148dfaddea2f0cc542ad59064309469fd4ba52db7714365174af23155a00" }, "downloads": -1, "filename": "mdx_bleach-0.1.4.tar.gz", "has_sig": false, "md5_digest": "bae64575f44b0627396e2f2718a9a057", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6588, "upload_time": "2018-05-21T02:59:09", "url": "https://files.pythonhosted.org/packages/bd/ae/600d7868968003910700c398c9491b6cf6330ed25a53e453742263dbb2ec/mdx_bleach-0.1.4.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "bae64575f44b0627396e2f2718a9a057", "sha256": "125d148dfaddea2f0cc542ad59064309469fd4ba52db7714365174af23155a00" }, "downloads": -1, "filename": "mdx_bleach-0.1.4.tar.gz", "has_sig": false, "md5_digest": "bae64575f44b0627396e2f2718a9a057", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6588, "upload_time": "2018-05-21T02:59:09", "url": "https://files.pythonhosted.org/packages/bd/ae/600d7868968003910700c398c9491b6cf6330ed25a53e453742263dbb2ec/mdx_bleach-0.1.4.tar.gz" } ] }