Hello community,

here is the log from the commit of package python-mistune for openSUSE:Factory 
checked in at 2017-04-12 17:35:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-mistune (Old)
 and      /work/SRC/openSUSE:Factory/.python-mistune.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-mistune"

Wed Apr 12 17:35:44 2017 rev:3 rq:486644 version:0.7.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-mistune/python-mistune.changes    
2015-08-21 07:40:39.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python-mistune.new/python-mistune.changes       
2017-04-12 18:20:05.345098552 +0200
@@ -1,0 +2,30 @@
+Fri Apr  7 21:13:02 UTC 2017 - [email protected]
+
+- Fix source url.
+
+-------------------------------------------------------------------
+Fri Apr  7 20:00:54 UTC 2017 - [email protected]
+
+- update to version 0.7.4:
+  * Fix escape_link method by Marcos Ojeda
+  * Handle block HTML with no content by David Baumgold
+  * Use expandtabs for tab
+  * Fix escape option for text renderer
+  * Fix HTML attribute regex pattern
+- update to version 0.7.3:
+  * Fix strikethrough regex
+  * Fix HTML attribute regex
+  * Fix close tag regex
+- update to version 0.7.2:
+  * Fix hard_wrap options on renderer.
+  * Fix emphasis regex pattern
+  * Fix base64 image link #80.
+  * Fix link security per #87.
+- update to version 0.7.1:
+  * Fix inline html when there is no content per #71.
+- specfile:
+  * Initial singlespec version
+  * update copyright year
+  * updated source url to files.pythonhosted.org
+
+-------------------------------------------------------------------

Old:
----
  mistune-0.7.tar.gz

New:
----
  mistune-0.7.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-mistune.spec ++++++
--- /var/tmp/diff_new_pack.2hkgqh/_old  2017-04-12 18:20:06.836887605 +0200
+++ /var/tmp/diff_new_pack.2hkgqh/_new  2017-04-12 18:20:06.840887040 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-mistune
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,24 +16,24 @@
 #
 
 
+%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-mistune
-Version:        0.7
+Version:        0.7.4
 Release:        0
 Summary:        The fastest markdown parser in pure Python
 License:        BSD-3-Clause
 Group:          Development/Languages/Python
 Url:            https://github.com/lepture/mistune
-Source0:        
https://pypi.python.org/packages/source/m/mistune/mistune-%{version}.tar.gz
+Source0:        
https://files.pythonhosted.org/packages/source/m/mistune/mistune-%{version}.tar.gz
 BuildRequires:  fdupes
-BuildRequires:  python-devel
-BuildRequires:  python-nose
-BuildRequires:  python-setuptools
+BuildRequires:  python-rpm-macros
+BuildRequires:  %{python_module Cython}
+BuildRequires:  %{python_module devel}
+BuildRequires:  %{python_module nose}
+BuildRequires:  %{python_module setuptools}
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-%if 0%{?suse_version} && 0%{?suse_version} <= 1110
-%{!?python_sitelib: %global python_sitelib %(python -c "from 
distutils.sysconfig import get_python_lib; print get_python_lib()")}
-%else
-BuildArch:      noarch
-%endif
+
+%python_subpackages
 
 %description
 The fastest markdown parser in pure Python, inspired by marked.
@@ -42,15 +42,18 @@
 %setup -q -n mistune-%{version}
 
 %build
-python setup.py build
+%python_build
 
 %install
-python setup.py install --prefix=%{_prefix} --root=%{buildroot}
-%fdupes %{buildroot}
+%python_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%check
+%python_expand nosetests-%{$python_bin_suffix}
 
-%files
+%files %{python_files}
 %defattr(-,root,root)
-%doc LICENSE README.rst
-%{python_sitelib}/*
+%doc CHANGES.rst LICENSE README.rst
+%{python_sitearch}/*
 
 %changelog

++++++ mistune-0.7.tar.gz -> mistune-0.7.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/CHANGES.rst new/mistune-0.7.4/CHANGES.rst
--- old/mistune-0.7/CHANGES.rst 2015-07-18 14:35:33.000000000 +0200
+++ new/mistune-0.7.4/CHANGES.rst       2017-03-14 07:58:34.000000000 +0100
@@ -3,6 +3,50 @@
 
 Here is the full history of mistune.
 
+Version 0.7.4
+~~~~~~~~~~~~~
+
+Released on Mar. 14, 2017
+
+* Fix escape_link method by Marcos Ojeda
+* Handle block HTML with no content by David Baumgold
+* Use expandtabs for tab
+* Fix escape option for text renderer
+* Fix HTML attribute regex pattern
+
+Version 0.7.3
+~~~~~~~~~~~~~
+
+Released on Jun. 28, 2016
+
+* Fix strikethrough regex
+* Fix HTML attribute regex
+* Fix close tag regex
+
+Version 0.7.2
+~~~~~~~~~~~~~
+
+Released on Feb. 26, 2016
+
+* Fix `hard_wrap` options on renderer.
+* Fix emphasis regex pattern
+* Fix base64 image link `#80`_.
+* Fix link security per `#87`_.
+
+.. _`#80`: https://github.com/lepture/mistune/issues/80
+.. _`#87`: https://github.com/lepture/mistune/issues/87
+
+
+Version 0.7.1
+~~~~~~~~~~~~~
+
+Released on Aug. 22, 2015
+
+* Fix inline html when there is no content per `#71`_.
+
+.. _`#71`: https://github.com/lepture/mistune/issues/71
+
+
 Version 0.7
 ~~~~~~~~~~~
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/PKG-INFO new/mistune-0.7.4/PKG-INFO
--- old/mistune-0.7/PKG-INFO    2015-07-18 15:20:19.000000000 +0200
+++ new/mistune-0.7.4/PKG-INFO  2017-03-14 07:59:57.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: mistune
-Version: 0.7
+Version: 0.7.4
 Summary: The fastest markdown parser in pure Python
 Home-page: https://github.com/lepture/mistune
 Author: Hsiaoming Yang
@@ -12,9 +12,15 @@
         The fastest markdown parser in pure Python with renderer features,
         inspired by marked_.
         
+        .. image:: https://img.shields.io/badge/donate-lepture-green.svg
+           :target: 
https://lepture.herokuapp.com/?amount=1000&reason=lepture%2Fmistune
+           :alt: Donate lepture
         .. image:: https://img.shields.io/pypi/wheel/mistune.svg?style=flat
            :target: https://pypi.python.org/pypi/mistune/
            :alt: Wheel Status
+        .. image:: https://anaconda.org/conda-forge/mistune/badges/version.svg
+           :target: https://anaconda.org/conda-forge/mistune
+           :alt: Conda Version
         .. image:: https://img.shields.io/pypi/v/mistune.svg
            :target: https://pypi.python.org/pypi/mistune/
            :alt: Latest Version
@@ -24,7 +30,7 @@
         .. image:: 
https://coveralls.io/repos/lepture/mistune/badge.svg?branch=master
            :target: https://coveralls.io/r/lepture/mistune
            :alt: Coverage Status
-        .. image:: https://ci.appveyor.com/api/projects/status/8ai8tfwp75oela17
+        .. image:: 
https://ci.appveyor.com/api/projects/status/8ai8tfwp75oela17?svg=true
            :target: https://ci.appveyor.com/project/lepture/mistune
            :alt: App Veyor CI Status
         
@@ -93,6 +99,7 @@
         
         * **escape**: if set to *False*, all raw html tags will not be escaped.
         * **hard_wrap**: if set to *True*, it will has GFM line breaks feature.
+          All new lines will be replaced with ``<br>`` tag
         * **use_xhtml**: if set to *True*, all tags will be in xhtml, for 
example: ``<hr />``.
         * **parse_block_html**: parse text only in block level html.
         * **parse_inline_html**: parse text only in inline level html.
@@ -118,7 +125,7 @@
             import mistune
             from pygments import highlight
             from pygments.lexers import get_lexer_by_name
-            from pygments.formatters import HtmlFormatter
+            from pygments.formatters import html
         
             class HighlightRenderer(mistune.Renderer):
                 def block_code(self, code, lang):
@@ -126,7 +133,7 @@
                         return '\n<pre><code>%s</code></pre>\n' % \
                             mistune.escape(code)
                     lexer = get_lexer_by_name(lang, stripall=True)
-                    formatter = HtmlFormatter()
+                    formatter = html.HtmlFormatter()
                     return highlight(code, lexer, formatter)
         
             renderer = HighlightRenderer()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/README.rst new/mistune-0.7.4/README.rst
--- old/mistune-0.7/README.rst  2015-07-18 14:41:33.000000000 +0200
+++ new/mistune-0.7.4/README.rst        2016-11-16 03:31:26.000000000 +0100
@@ -4,9 +4,15 @@
 The fastest markdown parser in pure Python with renderer features,
 inspired by marked_.
 
+.. image:: https://img.shields.io/badge/donate-lepture-green.svg
+   :target: https://lepture.herokuapp.com/?amount=1000&reason=lepture%2Fmistune
+   :alt: Donate lepture
 .. image:: https://img.shields.io/pypi/wheel/mistune.svg?style=flat
    :target: https://pypi.python.org/pypi/mistune/
    :alt: Wheel Status
+.. image:: https://anaconda.org/conda-forge/mistune/badges/version.svg
+   :target: https://anaconda.org/conda-forge/mistune
+   :alt: Conda Version
 .. image:: https://img.shields.io/pypi/v/mistune.svg
    :target: https://pypi.python.org/pypi/mistune/
    :alt: Latest Version
@@ -16,7 +22,7 @@
 .. image:: https://coveralls.io/repos/lepture/mistune/badge.svg?branch=master
    :target: https://coveralls.io/r/lepture/mistune
    :alt: Coverage Status
-.. image:: https://ci.appveyor.com/api/projects/status/8ai8tfwp75oela17
+.. image:: 
https://ci.appveyor.com/api/projects/status/8ai8tfwp75oela17?svg=true
    :target: https://ci.appveyor.com/project/lepture/mistune
    :alt: App Veyor CI Status
 
@@ -85,6 +91,7 @@
 
 * **escape**: if set to *False*, all raw html tags will not be escaped.
 * **hard_wrap**: if set to *True*, it will has GFM line breaks feature.
+  All new lines will be replaced with ``<br>`` tag
 * **use_xhtml**: if set to *True*, all tags will be in xhtml, for example: 
``<hr />``.
 * **parse_block_html**: parse text only in block level html.
 * **parse_inline_html**: parse text only in inline level html.
@@ -110,7 +117,7 @@
     import mistune
     from pygments import highlight
     from pygments.lexers import get_lexer_by_name
-    from pygments.formatters import HtmlFormatter
+    from pygments.formatters import html
 
     class HighlightRenderer(mistune.Renderer):
         def block_code(self, code, lang):
@@ -118,7 +125,7 @@
                 return '\n<pre><code>%s</code></pre>\n' % \
                     mistune.escape(code)
             lexer = get_lexer_by_name(lang, stripall=True)
-            formatter = HtmlFormatter()
+            formatter = html.HtmlFormatter()
             return highlight(code, lexer, formatter)
 
     renderer = HighlightRenderer()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/mistune.egg-info/PKG-INFO 
new/mistune-0.7.4/mistune.egg-info/PKG-INFO
--- old/mistune-0.7/mistune.egg-info/PKG-INFO   2015-07-18 15:20:17.000000000 
+0200
+++ new/mistune-0.7.4/mistune.egg-info/PKG-INFO 2017-03-14 07:59:57.000000000 
+0100
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: mistune
-Version: 0.7
+Version: 0.7.4
 Summary: The fastest markdown parser in pure Python
 Home-page: https://github.com/lepture/mistune
 Author: Hsiaoming Yang
@@ -12,9 +12,15 @@
         The fastest markdown parser in pure Python with renderer features,
         inspired by marked_.
         
+        .. image:: https://img.shields.io/badge/donate-lepture-green.svg
+           :target: 
https://lepture.herokuapp.com/?amount=1000&reason=lepture%2Fmistune
+           :alt: Donate lepture
         .. image:: https://img.shields.io/pypi/wheel/mistune.svg?style=flat
            :target: https://pypi.python.org/pypi/mistune/
            :alt: Wheel Status
+        .. image:: https://anaconda.org/conda-forge/mistune/badges/version.svg
+           :target: https://anaconda.org/conda-forge/mistune
+           :alt: Conda Version
         .. image:: https://img.shields.io/pypi/v/mistune.svg
            :target: https://pypi.python.org/pypi/mistune/
            :alt: Latest Version
@@ -24,7 +30,7 @@
         .. image:: 
https://coveralls.io/repos/lepture/mistune/badge.svg?branch=master
            :target: https://coveralls.io/r/lepture/mistune
            :alt: Coverage Status
-        .. image:: https://ci.appveyor.com/api/projects/status/8ai8tfwp75oela17
+        .. image:: 
https://ci.appveyor.com/api/projects/status/8ai8tfwp75oela17?svg=true
            :target: https://ci.appveyor.com/project/lepture/mistune
            :alt: App Veyor CI Status
         
@@ -93,6 +99,7 @@
         
         * **escape**: if set to *False*, all raw html tags will not be escaped.
         * **hard_wrap**: if set to *True*, it will has GFM line breaks feature.
+          All new lines will be replaced with ``<br>`` tag
         * **use_xhtml**: if set to *True*, all tags will be in xhtml, for 
example: ``<hr />``.
         * **parse_block_html**: parse text only in block level html.
         * **parse_inline_html**: parse text only in inline level html.
@@ -118,7 +125,7 @@
             import mistune
             from pygments import highlight
             from pygments.lexers import get_lexer_by_name
-            from pygments.formatters import HtmlFormatter
+            from pygments.formatters import html
         
             class HighlightRenderer(mistune.Renderer):
                 def block_code(self, code, lang):
@@ -126,7 +133,7 @@
                         return '\n<pre><code>%s</code></pre>\n' % \
                             mistune.escape(code)
                     lexer = get_lexer_by_name(lang, stripall=True)
-                    formatter = HtmlFormatter()
+                    formatter = html.HtmlFormatter()
                     return highlight(code, lexer, formatter)
         
             renderer = HighlightRenderer()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/mistune.py new/mistune-0.7.4/mistune.py
--- old/mistune-0.7/mistune.py  2015-07-18 14:38:39.000000000 +0200
+++ new/mistune-0.7.4/mistune.py        2017-03-14 07:58:34.000000000 +0100
@@ -5,13 +5,13 @@
 
     The fastest markdown parser in pure Python with renderer feature.
 
-    :copyright: (c) 2014 - 2015 by Hsiaoming Yang.
+    :copyright: (c) 2014 - 2017 by Hsiaoming Yang.
 """
 
 import re
 import inspect
 
-__version__ = '0.7'
+__version__ = '0.7.4'
 __author__ = 'Hsiaoming Yang <[email protected]>'
 __all__ = [
     'BlockGrammar', 'BlockLexer',
@@ -22,8 +22,11 @@
 
 
 _key_pattern = re.compile(r'\s+')
+_nonalpha_pattern = re.compile(r'\W')
 _escape_pattern = re.compile(r'&(?!#?\w+;)')
 _newline_pattern = re.compile(r'\r\n|\r')
+_block_quote_leading_pattern = re.compile(r'^ *> ?', flags=re.M)
+_block_code_leading_pattern = re.compile(r'^ {4}', re.M)
 _inline_tags = [
     'a', 'em', 'strong', 'small', 's', 'cite', 'q', 'dfn', 'abbr', 'data',
     'time', 'code', 'var', 'samp', 'kbd', 'sub', 'sup', 'i', 'b', 'u', 'mark',
@@ -32,8 +35,9 @@
 ]
 _pre_tags = ['pre', 'script', 'style']
 _valid_end = r'(?!:/|[^\w\s@]*@)\b'
-_valid_attr = r'''"[^"]*"|'[^']*'|[^'">]'''
+_valid_attr = r'''\s*[a-zA-Z\-](?:\=(?:"[^"]*"|'[^']*'|[^\s'">]+))?'''
 _block_tag = r'(?!(?:%s)\b)\w+%s' % ('|'.join(_inline_tags), _valid_end)
+_scheme_blacklist = ('javascript:', 'vbscript:')
 
 
 def _pure_pattern(regex):
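Review bot: `_valid_attr` now matches exactly one name character per repetition (`[a-zA-Z\-]`), so a multi-letter attribute name is only consumed because every caller wraps the pattern in `(?:...)*?`; that is not obvious from the assignment and deserves a comment. I would add `# one name character per repetition; do not widen to '+': nested quantifiers backtrack badly on long untrusted tags` above it. As written, attribute names containing digits, `_` or `:` do not match, so such tags presumably fall through to the text rule; a test would show whether that is intended.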
@@ -68,9 +72,18 @@
     return text
 
 
+def escape_link(url):
+    """Remove dangerous URL schemes like javascript: and escape afterwards."""
+    lower_url = url.lower().strip('\x00\x1a \n\r\t')
+    for scheme in _scheme_blacklist:
+        if lower_url.startswith(scheme):
+            return ''
+    return escape(url, quote=True, smart_amp=False)
+
+
 def preprocessing(text, tab=4):
     text = _newline_pattern.sub('\n', text)
-    text = text.replace('\t', ' ' * tab)
+    text = text.expandtabs(tab)
     text = text.replace('\u00a0', ' ')
     text = text.replace('\u2424', '\n')
     pattern = re.compile(r'^ +$', re.M)
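Review bot: `escape_link` is a deny-list of two schemes, checked with `startswith` after trimming a fixed set of characters from the ends only, so it depends on the URL looking the way this function expects rather than the way a browser parses it. Browsers discard tab and newline characters anywhere in a URL, and schemes outside the tuple (`data:`, for example) pass through, which is narrower than the docstring's "dangerous URL schemes" suggests. An allow-list applied to the scheme, read after control characters and whitespace are removed, is the more robust shape; the schemes listed below are a suggestion and remain a project decision. With this version a relative URL whose first segment contains a colon is rejected, which should be accepted or handled explicitly. `preprocessing` continues outside the hunk and is not covered here.

```python
_scheme_allowlist = ('http', 'https', 'mailto', 'ftp')
_url_noise_pattern = re.compile(r'[\x00-\x20]')
_scheme_pattern = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*):')


def escape_link(url):
    """Drop URLs whose scheme is not allow-listed, then escape the rest."""
    # Read the scheme the way a browser would: control characters and
    # whitespace are removed before it is compared.
    m = _scheme_pattern.match(_url_noise_pattern.sub('', url))
    if m and m.group(1).lower() not in _scheme_allowlist:
        return ''
    return escape(url, quote=True, smart_amp=False)

# … unchanged: preprocessing …
```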
@@ -142,8 +155,8 @@
     block_html = re.compile(
         r'^ *(?:%s|%s|%s) *(?:\n{2,}|\s*$)' % (
             r'<!--[\s\S]*?-->',
-            r'<(%s)((?:%s)*?)>([\s\S]+?)<\/\1>' % (_block_tag, _valid_attr),
-            r'<%s(?:%s)*?>' % (_block_tag, _valid_attr),
+            r'<(%s)((?:%s)*?)>([\s\S]*?)<\/\1>' % (_block_tag, _valid_attr),
+            r'<%s(?:%s)*?\s*\/?>' % (_block_tag, _valid_attr),
         )
     )
     table = re.compile(
@@ -221,9 +234,8 @@
             self.tokens.append({'type': 'newline'})
 
     def parse_block_code(self, m):
-        code = m.group(0)
-        pattern = re.compile(r'^ {4}', re.M)
-        code = pattern.sub('', code)
+        # clean leading whitespace
+        code = _block_code_leading_pattern.sub('', m.group(0))
         self.tokens.append({
             'type': 'code',
             'lang': None,
@@ -284,7 +296,7 @@
                 pattern = re.compile(r'^ {1,%d}' % space, flags=re.M)
                 item = pattern.sub('', item)
 
-            # determin whether item is loose or not
+            # determine whether item is loose or not
             loose = _next
             if not loose and re.search(r'\n\n(?!\s*$)', item):
                 loose = True
@@ -307,9 +319,8 @@
 
     def parse_block_quote(self, m):
         self.tokens.append({'type': 'block_quote_start'})
-        cap = m.group(0)
-        pattern = re.compile(r'^ *> ?', flags=re.M)
-        cap = pattern.sub('', cap)
+        # clean leading >
+        cap = _block_quote_leading_pattern.sub('', m.group(0))
         self.parse(cap)
         self.tokens.append({'type': 'block_quote_end'})
 
@@ -434,8 +445,8 @@
     inline_html = re.compile(
         r'^(?:%s|%s|%s)' % (
             r'<!--[\s\S]*?-->',
-            r'<(\w+%s)((?:%s)*?)>([\s\S]+?)<\/\1>' % (_valid_end, _valid_attr),
-            r'<\w+%s(?:%s)*?>' % (_valid_end, _valid_attr),
+            r'<(\w+%s)((?:%s)*?)\s*>([\s\S]*?)<\/\1>' % (_valid_end, 
_valid_attr),
+            r'<\w+%s(?:%s)*?\s*\/?>' % (_valid_end, _valid_attr),
         )
     )
     autolink = re.compile(r'^<([^ >]+(@|:)[^ >]+)>')
@@ -459,13 +470,13 @@
         r'^\*{2}([\s\S]+?)\*{2}(?!\*)'  # **word**
     )
     emphasis = re.compile(
-        r'^\b_((?:__|[\s\S])+?)_\b'  # _word_
+        r'^\b_((?:__|[^_])+?)_\b'  # _word_
         r'|'
-        r'^\*((?:\*\*|[\s\S])+?)\*(?!\*)'  # *word*
+        r'^\*((?:\*\*|[^\*])+?)\*(?!\*)'  # *word*
     )
     code = re.compile(r'^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)')  # `code`
     linebreak = re.compile(r'^ {2,}\n(?!\s*$)')
-    strikethrough = re.compile(r'^~~(?=\S)([\s\S]+?\S)~~')  # ~~word~~
+    strikethrough = re.compile(r'^~~(?=\S)([\s\S]*?\S)~~')  # ~~word~~
     footnote = re.compile(r'^\[\^([^\]]+)\]')
     text = re.compile(r'^[\s\S]+?(?=[\\<!\[_*`~]|https?://| {2,}\n|$)')
 
@@ -504,12 +515,14 @@
         if not rules:
             rules = self.grammar_class()
 
+        kwargs.update(self.renderer.options)
+        if kwargs.get('hard_wrap'):
+            rules.hard_wrap()
+
         self.rules = rules
 
         self._in_link = False
         self._in_footnote = False
-
-        kwargs.update(self.renderer.options)
         self._parse_inline_html = kwargs.get('parse_inline_html')
 
     def __call__(self, text, rules=None):
@@ -542,10 +555,8 @@
                     return m, out
             return False  # pragma: no cover
 
-        self.line_started = False
         while text:
             ret = manipulate(text)
-            self.line_started = True
             if ret is not False:
                 m, out = ret
                 output += out
@@ -557,7 +568,8 @@
         return output
 
     def output_escape(self, m):
-        return m.group(1)
+        text = m.group(1)
+        return self.renderer.escape(text)
 
     def output_autolink(self, m):
         link = m.group(1)
@@ -816,6 +828,15 @@
 
         :param text: text content.
         """
+        if self.options.get('parse_block_html'):
+            return text
+        return escape(text)
+
+    def escape(self, text):
+        """Rendering escape sequence.
+
+        :param text: text content.
+        """
         return escape(text)
 
     def autolink(self, link, is_email=False):
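Review bot: `Renderer.text` now returns its argument unescaped whenever `parse_block_html` is set, regardless of the `escape` option, and nothing in the hunk explains why that is safe. Any `<`, `>` or `&` that reaches `text()` with that option on is written to the output verbatim, so a caller rendering untrusted markdown with `parse_block_html=True` loses the escaping this method always applied in 0.7. If the intent is only to avoid double-escaping text nested inside already-accepted block HTML, the docstring should say so, and the bypass could be tied to the escape setting, e.g. `if self.options.get('parse_block_html') and not self.options.get('escape', True):` (assuming `escape` is stored in `self.options`; the constructor is outside this diff). The method's `def` line is above the hunk.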
@@ -836,8 +857,7 @@
         :param title: title content for `title` attribute.
         :param text: text content for description.
         """
-        if link.startswith('javascript:'):
-            link = ''
+        link = escape_link(link)
         if not title:
             return '<a href="%s">%s</a>' % (link, text)
         title = escape(title, quote=True)
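Review bot: `link()` here and `image()` in the next hunk now go through `escape_link`, but `autolink()` is not touched by this diff, even though the `autolink` pattern in `InlineGrammar` accepts any angle-bracketed `scheme:rest` form. Its body is not visible, so this is a question rather than a finding: if it builds `href` with plain `escape()`, the same scheme check should be applied there for non-email links, e.g. `link = escape_link(link)`. A `test_safe_links` case that uses the angle-bracket autolink form would settle it either way.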
@@ -850,8 +870,7 @@
         :param title: title text of the image.
         :param text: alt text of the image.
         """
-        if src.startswith('javascript:'):
-            src = ''
+        src = escape_link(src)
         text = escape(text, quote=True)
         if title:
             title = escape(title, quote=True)
@@ -923,6 +942,8 @@
     def __init__(self, renderer=None, inline=None, block=None, **kwargs):
         if not renderer:
             renderer = Renderer(**kwargs)
+        else:
+            kwargs.update(renderer.options)
 
         self.renderer = renderer
 
@@ -934,13 +955,9 @@
         if inline:
             self.inline = inline
         else:
-            rules = InlineGrammar()
-            if kwargs.get('hard_wrap'):
-                rules.hard_wrap()
-            self.inline = InlineLexer(renderer, rules=rules)
+            self.inline = InlineLexer(renderer, **kwargs)
 
         self.block = block or BlockLexer(BlockGrammar())
-        self.options = kwargs
         self.footnotes = []
         self.tokens = []
 
@@ -1134,7 +1151,7 @@
     :param text: markdown formatted text content.
     :param escape: if set to False, all html tags will not be escaped.
     :param use_xhtml: output with xhtml tags.
-    :param hard_wrap: if set to True, it will has GFM line breaks feature.
+    :param hard_wrap: if set to True, it will use the GFM line breaks feature.
     :param parse_block_html: parse text only in block level html.
     :param parse_inline_html: parse text only in inline level html.
     """
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/tests/fixtures/extra/escaped_angles.html 
new/mistune-0.7.4/tests/fixtures/extra/escaped_angles.html
--- old/mistune-0.7/tests/fixtures/extra/escaped_angles.html    2014-10-11 
04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/extra/escaped_angles.html  2016-11-16 
03:31:26.000000000 +0100
@@ -1 +1 @@
-<p>></p>
+<p>&gt;</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/tests/fixtures/extra/gfm_del.html 
new/mistune-0.7.4/tests/fixtures/extra/gfm_del.html
--- old/mistune-0.7/tests/fixtures/extra/gfm_del.html   2014-10-11 
04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/extra/gfm_del.html 2016-11-16 
03:31:26.000000000 +0100
@@ -1 +1 @@
-<p>hello <del>hi</del> world</p>
+<p>hello <del>hi</del> world <del>how</del> are <del>you</del> ~~ today~~?</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/tests/fixtures/extra/gfm_del.text 
new/mistune-0.7.4/tests/fixtures/extra/gfm_del.text
--- old/mistune-0.7/tests/fixtures/extra/gfm_del.text   2014-10-11 
04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/extra/gfm_del.text 2016-11-16 
03:31:26.000000000 +0100
@@ -1 +1 @@
-hello ~~hi~~ world
+hello ~~hi~~ world ~~how~~ are ~~you~~ ~~ today~~?
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/mistune-0.7/tests/fixtures/normal/amps_and_angles_encoding.html 
new/mistune-0.7.4/tests/fixtures/normal/amps_and_angles_encoding.html
--- old/mistune-0.7/tests/fixtures/normal/amps_and_angles_encoding.html 
2014-10-11 04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/normal/amps_and_angles_encoding.html       
2016-11-16 03:31:26.000000000 +0100
@@ -8,10 +8,10 @@
 
 <p>6 &gt; 5.</p>
 
-<p>Here's a <a href="http://example.com/?foo=1&bar=2";>link</a> with an 
ampersand in the URL.</p>
+<p>Here's a <a href="http://example.com/?foo=1&amp;bar=2";>link</a> with an 
ampersand in the URL.</p>
 
 <p>Here's a link with an amersand in the link text: <a href="http://att.com/"; 
title="AT&amp;T">AT&amp;T</a>.</p>
 
-<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p>
+<p>Here's an inline <a href="/script?foo=1&amp;bar=2">link</a>.</p>
 
-<p>Here's an inline <a href="/script?foo=1&bar=2">link</a>.</p>
+<p>Here's an inline <a href="/script?foo=1&amp;bar=2">link</a>.</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/mistune-0.7/tests/fixtures/normal/backslash_escapes.html 
new/mistune-0.7.4/tests/fixtures/normal/backslash_escapes.html
--- old/mistune-0.7/tests/fixtures/normal/backslash_escapes.html        
2014-10-11 04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/normal/backslash_escapes.html      
2016-11-16 03:31:26.000000000 +0100
@@ -20,7 +20,7 @@
 
 <p>Right paren: )</p>
 
-<p>Greater-than: ></p>
+<p>Greater-than: &gt;</p>
 
 <p>Hash: #</p>
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/mistune-0.7/tests/fixtures/normal/inline_html_simple.html 
new/mistune-0.7.4/tests/fixtures/normal/inline_html_simple.html
--- old/mistune-0.7/tests/fixtures/normal/inline_html_simple.html       
2014-10-11 04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/normal/inline_html_simple.html     
2016-11-16 03:31:26.000000000 +0100
@@ -70,3 +70,13 @@
 <hr class="foo" id="bar"/>
 
 <hr class="foo" id="bar" >
+
+<p>iframe:</p>
+
+<iframe width="100%" height="410" frameborder="0" 
allowfullscreen="allowfullscreen" 
src="https://www.youtube.com/embed/lTWTCwuPdrU?autoplay=0&fs=1";></iframe>
+
+<p>iframe with content:</p>
+
+<iframe src="https://example.com";>
+  whee
+</iframe>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/mistune-0.7/tests/fixtures/normal/inline_html_simple.text 
new/mistune-0.7.4/tests/fixtures/normal/inline_html_simple.text
--- old/mistune-0.7/tests/fixtures/normal/inline_html_simple.text       
2014-10-11 04:12:04.000000000 +0200
+++ new/mistune-0.7.4/tests/fixtures/normal/inline_html_simple.text     
2016-11-16 03:31:26.000000000 +0100
@@ -67,3 +67,12 @@
 
 <hr class="foo" id="bar" >
 
+iframe:
+
+<iframe width="100%" height="410" frameborder="0" 
allowfullscreen="allowfullscreen" 
src="https://www.youtube.com/embed/lTWTCwuPdrU?autoplay=0&fs=1";></iframe>
+
+iframe with content:
+
+<iframe src="https://example.com";>
+  whee
+</iframe>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/tests/test_cases.py 
new/mistune-0.7.4/tests/test_cases.py
--- old/mistune-0.7/tests/test_cases.py 2015-07-12 05:48:00.000000000 +0200
+++ new/mistune-0.7.4/tests/test_cases.py       2016-11-16 03:31:26.000000000 
+0100
@@ -5,12 +5,7 @@
 root = os.path.dirname(__file__)
 
 known = []
-
-rules = [
-    'table', 'fenced_code', 'footnotes',
-    'autolink', 'strikethrough',
-]
-m = mistune.Markdown(rules=rules)
+m = mistune.Markdown()
 
 
 def render(folder, name):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mistune-0.7/tests/test_extra.py 
new/mistune-0.7.4/tests/test_extra.py
--- old/mistune-0.7/tests/test_extra.py 2015-07-13 09:41:24.000000000 +0200
+++ new/mistune-0.7.4/tests/test_extra.py       2017-03-14 07:58:34.000000000 
+0100
@@ -18,10 +18,25 @@
 
 
 def test_safe_links():
-    ret = mistune.markdown('javascript ![foo](<javascript:alert>) alert')
-    assert 'src=""' in ret
-    ret = mistune.markdown('javascript [foo](<javascript:alert>) alert')
-    assert 'href=""' in ret
+    attack_vectors = (
+        # "standard" javascript pseudo protocol
+        ('javascript:alert`1`', ''),
+        # bypass attempt
+        ('jAvAsCrIpT:alert`1`', ''),
+        # javascript pseudo protocol with entities
+        ('javascript&colon;alert`1`', 'javascript&amp;colon;alert`1`'),
+        # javascript pseudo protocol with prefix (dangerous in Chrome)
+        ('\x1Ajavascript:alert`1`', ''),
+        # vbscript-URI (dangerous in Internet Explorer)
+        ('vbscript:msgbox', ''),
+        # breaking out of the attribute
+        ('"<>', '&quot;&lt;&gt;'),
+    )
+    for vector, expected in attack_vectors:
+        # image
+        assert 'src="%s"' % expected in mistune.markdown('![atk](%s)' % vector)
+        # link
+        assert 'href="%s"' % expected in mistune.markdown('[atk](%s)' % vector)
 
 
 def test_skip_style():
@@ -54,12 +69,45 @@
     )
     assert '<span><strong>' in ret
 
+    ret = mistune.markdown(
+        '<span id="foo">**foo**</span>', parse_inline_html=True, escape=False
+    )
+    assert '<span id="foo"><strong>' in ret
+
+    ret = mistune.markdown(
+        '<span id=foo>**foo**</span>', parse_inline_html=True, escape=False
+    )
+    assert '<span id=foo><strong>' in ret
+
+    ret = mistune.markdown(
+        '<a>http://lepture.com</a>', parse_inline_html=True, escape=False
+    )
+    assert 'href' not in ret
+
+
+def test_block_html():
+    ret = mistune.markdown(
+        '<div ></div>', escape=False
+    )
+    assert '<div ></div>' in ret
+
 
 def test_parse_block_html():
     ret = mistune.markdown(
         '<div>**foo**</div>', parse_block_html=True, escape=False
     )
     assert '<div><strong>' in ret
+
+    ret = mistune.markdown(
+        '<div id="foo">**foo**</div>', parse_block_html=True, escape=False
+    )
+    assert '<div id="foo"><strong>' in ret
+
+    ret = mistune.markdown(
+        '<div id=foo>**foo**</div>', parse_block_html=True, escape=False
+    )
+    assert '<div id=foo><strong>' in ret
+
     ret = mistune.markdown(
         '<span>**foo**</span>', parse_block_html=True, escape=False
     )
@@ -79,3 +127,15 @@
 def test_not_escape_block_tags():
     text = '<h1>heading</h1> text'
     assert text in mistune.markdown(text, escape=False)
+
+
+def test_not_escape_inline_tags():
+    text = '<a name="top"></a>'
+    assert text in mistune.markdown(text, escape=False)
+
+
+def test_hard_wrap_renderer():
+    text = 'foo\nnewline'
+    renderer = mistune.Renderer(hard_wrap=True)
+    func = mistune.Markdown(renderer=renderer)
+    assert '<br>' in func(text)

