foo
) +u'foo
' +""" +try: + import html5lib + from html5lib import sanitizer, treebuilders + parser = html5lib.HTMLParser( + tree=treebuilders.getTreeBuilder("beautifulsoup"), + tokenizer=sanitizer.HTMLSanitizer + ) + html5 = True +except ImportError: + html5 = False + +ANTI_JS_RE=re.compile('j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:', re.IGNORECASE) +#These tags and attrs are sufficently liberal to let microformats through... +#it ruthlessly culls all the rdf, dublin core metadata and so on. +valid_tags = dict.fromkeys('p i em strong b u a h1 h2 h3 pre abbr br img dd dt ol ul li span sub sup ins del blockquote table tr td th address cite'.split()) #div? +valid_attrs = dict.fromkeys('href src rel title'.split()) +valid_schemes = dict.fromkeys('http https'.split()) +elem_map = {'b' : 'strong', 'i': 'em'} +attrs_considered_links = dict.fromkeys("src href".split()) #should include +#courtesy http://developer.mozilla.org/en/docs/HTML:Block-level_elements +block_elements = dict.fromkeys(["p", "h1","h2", "h3", "h4", "h5", "h6", "ol", "ul", "pre", "address", "blockquote", "dl", "div", "fieldset", "form", "hr", "noscript", "table"]) + +#convenient default filter lists. +paranoid_filters = ["strip_comments", "strip_tags", "strip_attrs", + "strip_schemes", "rename_tags", "wrap_string", "strip_empty_tags", "strip_empty_tags", ] +complete_filters = ["strip_comments", "rename_tags", "strip_tags", "strip_attrs", + "strip_cdata", "strip_schemes", "wrap_string", "strip_empty_tags", "rebase_links", "reparse"] + +#set some conservative default string processings +default_settings = { + "filters" : paranoid_filters, + "block_elements" : block_elements, #xml or None for a more liberal version + "convert_entities" : "html", #xml or None for a more liberal version + "valid_tags" : valid_tags, + "valid_attrs" : valid_attrs, + "valid_schemes" : valid_schemes, + "attrs_considered_links" : attrs_considered_links, + "elem_map" : elem_map, + "wrapping_element" : "p", + "auto_clean" : False, + "original_url" : "", + "new_url" : "", + "html5" : html5 +} +#processes I'd like but haven't implemented +#"encode_xml_specials", "ensure complete xhtml doc", "ensure_xhtml_fragment_only" +# and some handling of permitted namespaces for tags. for RDF, say. maybe. + +XML_ENTITIES = { u"'" : u"'", + u'"' : u""", + u"&" : u"&", + u"<" : u"<", + u">" : u">" + } +LINE_EXTRACTION_RE = re.compile(".+", re.MULTILINE) +BR_EXTRACTION_RE = re.compile("", re.MULTILINE) + +class Stop: + """ + handy class that we use as a stop input for our state machine in lieu of falling + off the end of lists + """ + pass + + +class Cleaner(object): + r""" + powerful and slow arbitrary HTML sanitisation. can deal (i hope) with most XSS + vectors and layout-breaking badness. + Probably overkill for content from trusted sources; defaults are accordingly + set to be paranoid. + >>> bad_html = 'content>> good_html = u'
content
' + >>> c = Cleaner() + >>> c.string = bad_html + >>> c.clean() + >>> c.string == good_html + True + + Also supports shorthand syntax: + >>> c = Cleaner() + >>> c(bad_html) == c(good_html) + True + """ + + def __init__(self, string_or_soup="", *args, **kwargs): + self.settings=default_settings.copy() + self.settings.update(kwargs) + if args : + self.settings['filters'] = args + super(Cleaner, self).__init__(string_or_soup, *args, **kwargs) + self.string = string_or_soup + + def __call__(self, string = None, **kwargs): + """ + convenience method allowing one-step calling of an instance and returning + a cleaned string. + + TODO: make this method preserve internal state- perhaps by creating a new + instance. + + >>> s = 'input string' + >>> c1 = Cleaner(s, auto_clean=True) + >>> c2 = Cleaner("") + >>> c1.string == c2(s) + True + + """ + self.settings.update(kwargs) + if not string == None : + self.string = string + self.clean() + return self.string + + def _set_contents(self, string_or_soup): + if isinstance(string_or_soup, BeautifulSoup.BeautifulSoup) : + self._set_soup(string_or_soup) + else : + self._set_string(string_or_soup) + + def _set_string(self, html_fragment_string): + if self.settings['html5']: + s = parser.parse(html_fragment_string).body + else: + s = BeautifulSoup.BeautifulSoup( + html_fragment_string, + convertEntities=self.settings['convert_entities']) + self._set_soup(s) + + def _set_soup(self, soup): + """ + Does all the work of set_string, but bypasses a potential autoclean to avoid + loops upon internal string setting ops. + """ + self._soup = BeautifulSoup.BeautifulSoup( + 'text More text
') + u'text More text
' + """ + for comment in self.root.findAll( + text = lambda text: isinstance(text, BeautifulSoup.Comment)): + comment.extract() + + def strip_cdata(self): + for cdata in self.root.findAll( + text = lambda text: isinstance(text, BeautifulSoup.CData)): + cdata.extract() + + def strip_tags(self): + r""" + ill-considered tags break our layout. they must die. + >>> c = Cleaner("", "strip_tags", auto_clean=True) + >>> c.string = 'A
A B C
' + >>> c.string = 'AA
B
A
B
' + >>> c('AA
B
' + """ + block_elems = self.settings['block_elements'] + block_elems['br'] = None + block_elems['p'] = None + + while True : + next_br = self.root.find('br') + if not next_br: break + parent = next_br.parent + self.wrap_string('p', start_at=parent, block_elems = block_elems) + while True: + useless_br=parent.find('br', recursive=False) + if not useless_br: break + useless_br.extract() + if parent.name == 'p': + self.disgorge_elem(parent) + + def rename_tags(self): + """ + >>> c = Cleaner("", "rename_tags", elem_map={'i': 'em'}) + >>> c('AB') + u'AB' + """ + for tag in self.root.findAll(self.settings['elem_map']) : + tag.name = self.settings['elem_map'][tag.name] + + def wrap_string(self, wrapping_element = None, start_at=None, block_elems=None): + """ + takes an html fragment, which may or may not have a single containing element, + and guarantees what the tag name of the topmost elements are. + TODO: is there some simpler way than a state machine to do this simple thing? + >>> c = Cleaner("", "wrap_string") + >>> c('A B CD') + u'A B CD
' + >>> c('AB C
D') + u'A
B C
D
' + """ + if not start_at : start_at = self.root + if not block_elems : block_elems = self.settings['block_elements'] + e = (wrapping_element or self.settings['wrapping_element']) + paragraph_list = [] + children = [elem for elem in start_at.contents] + children.append(Stop()) + + last_state = 'block' + paragraph = BeautifulSoup.Tag(self._soup, e) + + for node in children : + if isinstance(node, Stop) : + state = 'end' + elif hasattr(node, 'name') and node.name in block_elems: + state = 'block' + else: + state = 'inline' + + if last_state == 'block' and state == 'inline': + #collate inline elements + paragraph = BeautifulSoup.Tag(self._soup, e) + + if state == 'inline' : + paragraph.append(node) + + if ((state <> 'inline') and last_state == 'inline') : + paragraph_list.append(paragraph) + + if state == 'block' : + paragraph_list.append(node) + + last_state = state + + #can't use append since it doesn't work on empty elements... + paragraph_list.reverse() + for paragraph in paragraph_list: + start_at.insert(0, paragraph) + + def strip_empty_tags(self): + """ + strip out all empty tags + TODO: depth-first search + >>> c = Cleaner("", "strip_empty_tags") + >>> c('A
B
') + u'A
B
' + >>> c('') + u'' + """ + tag = self.root + while True: + next_tag = tag.findNext(True) + if not next_tag: break + if next_tag.contents or next_tag.attrs: + tag = next_tag + continue + next_tag.extract() + + def rebase_links(self, original_url="", new_url ="") : + if not original_url : original_url = self.settings.get('original_url', '') + if not new_url : new_url = self.settings.get('new_url', '') + raise NotImplementedError + + # Because of its internal character set handling, + # the following will not work in Beautiful soup and is hopefully redundant. + # def encode_xml_specials(self, original_url="", new_url ="") : + # """ + # BeautifulSoup will let some dangerous xml entities hang around + # in the navigable strings. destroy all monsters. + # >>> c = Cleaner(auto_clean=True, encode_xml_specials=True) + # >>> c('<<<<<') + # u'<<<<' + # """ + # for string in self.root.findAll(text=True) : + # sys.stderr.write("root" +"\n") + # sys.stderr.write(str(self.root) +"\n") + # sys.stderr.write("parent" +"\n") + # sys.stderr.write(str(string.parent) +"\n") + # new_string = unicode(string) + # sys.stderr.write(string +"\n") + # for special_char in XML_ENTITIES.keys() : + # sys.stderr.write(special_char +"\n") + # string.replaceWith( + # new_string.replace(special_char, XML_ENTITIES[special_char]) + # ) + + + def disgorge_elem(self, elem): + """ + remove the given element from the soup and replaces it with its own contents + actually tricky, since you can't replace an element with an list of elements + using replaceWith + >>> disgorgeable_string = 'A B C' + >>> c = Cleaner() + >>> c.string = disgorgeable_string + >>> elem = c._soup.find('em') + >>> c.disgorge_elem(elem) + >>> c.string + u'A B C' + >>> c.string = disgorgeable_string + >>> elem = c._soup.find('body') + >>> c.disgorge_elem(elem) + >>> c.string + u'A B C' + >>> c.string = '' + line + '
' for line in LINE_EXTRACTION_RE.findall(self.string) + ]) + +def _test(): + import doctest + doctest.testmod() + +if __name__ == "__main__": + _test() + + +# def cast_input_to_soup(fn): +# """ +# Decorate function to handle strings as BeautifulSoups transparently +# """ +# def stringy_version(input, *args, **kwargs) : +# if not isinstance(input,BeautifulSoup) : +# input=BeautifulSoup(input) +# return fn(input, *args, **kwargs) +# return stringy_version