Hello community, here is the log from the commit of package python-bleach for openSUSE:Factory checked in at 2020-03-27 00:28:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-bleach (Old) and /work/SRC/openSUSE:Factory/.python-bleach.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-bleach" Fri Mar 27 00:28:19 2020 rev:9 rq:787398 version:3.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-bleach/python-bleach.changes 2020-03-08 22:22:02.591999930 +0100 +++ /work/SRC/openSUSE:Factory/.python-bleach.new.3160/python-bleach.changes 2020-03-27 00:28:20.960349560 +0100 @@ -1,0 +2,20 @@ +Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <[email protected]> + +- update to 3.1.3 (bsc#1167379): + * Add relative link to code of conduct. (#442) + * Drop deprecated 'setup.py test' support. (#507) + * Fix typo: curren -> current in tests/test_clean.py (#504) + * Test on PyPy 7 + * Drop test support for end of life Python 3.4 + * ``bleach.clean`` behavior parsing embedded MathML and SVG content + with RCDATA tags did not match browser behavior and could result in + a mutation XSS. + Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or + ``svg`` tags and one or more of the RCDATA tags ``script``, + ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or + ``xmp`` in the allowed tags whitelist were vulnerable to a mutation + XSS. + This security issue was confirmed in Bleach version v3.1.1. Earlier + versions are likely affected too. + +------------------------------------------------------------------- Old: ---- bleach-3.1.1.tar.gz New: ---- bleach-3.1.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-bleach.spec ++++++ --- /var/tmp/diff_new_pack.NyFNLB/_old 2020-03-27 00:28:22.164350170 +0100 +++ /var/tmp/diff_new_pack.NyFNLB/_new 2020-03-27 00:28:22.164350170 +0100 @@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-bleach -Version: 3.1.1 +Version: 3.1.3 Release: 0 Summary: A whitelist-based HTML-sanitizing tool License: Apache-2.0 
@@ -56,7 +56,7 @@ %prep %setup -q -n bleach-%{version} -%patch0 -p1 +%patch0 rm -rf bleach/_vendor %build ++++++ bleach-3.1.1.tar.gz -> bleach-3.1.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/CHANGES new/bleach-3.1.3/CHANGES --- old/bleach-3.1.1/CHANGES 2020-02-19 18:34:36.000000000 +0100 +++ new/bleach-3.1.3/CHANGES 2020-03-17 16:28:50.000000000 +0100 
@@ -1,6 +1,67 @@ Bleach changes ============== +Version 3.1.3 (March 17th, 2020) +-------------------------------- + +**Security fixes** + +None + +**Backwards incompatible changes** + +None + +**Features** + +* Add relative link to code of conduct. (#442) + +* Drop deprecated 'setup.py test' support. (#507) + +* Fix typo: curren -> current in tests/test_clean.py (#504) + +* Test on PyPy 7 + +* Drop test support for end of life Python 3.4 + +**Bug fixes** + +None + +Version 3.1.2 (March 11th, 2020) +-------------------------------- + +**Security fixes** + +* ``bleach.clean`` behavior parsing embedded MathML and SVG content + with RCDATA tags did not match browser behavior and could result in + a mutation XSS. + + Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or + ``svg`` tags and one or more of the RCDATA tags ``script``, + ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or + ``xmp`` in the allowed tags whitelist were vulnerable to a mutation + XSS. + + This security issue was confirmed in Bleach version v3.1.1. Earlier + versions are likely affected too. + + Anyone using Bleach <=v3.1.1 is encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 + +**Backwards incompatible changes** + +None + +**Features** + +None + +**Bug fixes** + +None + Version 3.1.1 (February 13th, 2020) ----------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/CONTRIBUTORS new/bleach-3.1.3/CONTRIBUTORS --- old/bleach-3.1.1/CONTRIBUTORS 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/CONTRIBUTORS 2020-03-17 16:26:03.000000000 +0100 
@@ -1,12 +1,13 @@ Bleach was originally written and maintained by James Socol and various contributors within and without the Mozilla Corporation and Foundation. -It is currently maintained by Will Kahn-Greene an Greg Guthe. +It is currently maintained by Will Kahn-Greene, Greg Guthe, and Jon Dufresne. Maintainers: - Will Kahn-Greene <[email protected]> - Greg Guthe <[email protected]> +- Jon Dufresne <[email protected]> Maintainer emeritus: @@ -32,6 +33,7 @@ - Chris Beaven - Dan Gayle - dave-shawley +- dbxnr - Erik Rose - Gaurav Dadhania - Geoffrey Sneddon @@ -44,6 +46,7 @@ - Janusz Kamieński - Jeff Balogh - Jonathan Vanasco +- Jon Dufresne - Lee, Cheon-il - Les Orchard - Lorenz Schori @@ -65,6 +68,7 @@ - Stu Cox - Tim Dumol - Timothy Fitz +- Tim Gates - Vadim Kotov - Vitaly Volkov - Will Kahn-Greene diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/PKG-INFO new/bleach-3.1.3/PKG-INFO --- old/bleach-3.1.1/PKG-INFO 2020-02-19 18:39:45.758497500 +0100 +++ new/bleach-3.1.3/PKG-INFO 2020-03-17 16:29:18.039319300 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 1.2 Name: bleach -Version: 3.1.1 +Version: 3.1.3 Summary: An easy safelist-based HTML-sanitizing tool. Home-page: https://github.com/mozilla/bleach Maintainer: Will Kahn-Greene @@ -38,7 +38,6 @@ :Code: https://github.com/mozilla/bleach :Documentation: https://bleach.readthedocs.io/ :Issue tracker: https://github.com/mozilla/bleach/issues - :IRC: ``#bleach`` on irc.mozilla.org :License: Apache License v2; see LICENSE file 
@@ -105,29 +104,87 @@ u'an <script>evil()</script> example' >>> bleach.linkify('an http://example.com url') - u'an <a href="http://example.com" rel="nofollow">http://example.com</a> url + u'an <a href="http://example.com" rel="nofollow">http://example.com</a> url' - Code of conduct + Code of Conduct =============== This project and repository is governed by Mozilla's code of conduct and - etiquette guidelines. For more details please see the `Mozilla Community - Participation Guidelines - <https://www.mozilla.org/about/governance/policies/participation/>`_ and - `Developer Etiquette Guidelines - <https://bugzilla.mozilla.org/page.cgi?id=etiquette.html>`_. + etiquette guidelines. For more details please see the `CODE_OF_CONDUCT.md + </CODE_OF_CONDUCT.md>`_ .. _html5lib: https://github.com/html5lib/html5lib-python .. _GitHub: https://github.com/mozilla/bleach .. _ReadTheDocs: https://bleach.readthedocs.io/ - .. _PyPI: http://pypi.python.org/pypi/bleach + .. _PyPI: https://pypi.org/project/bleach/ Bleach changes ============== + Version 3.1.3 (March 17th, 2020) + -------------------------------- + + **Security fixes** + + None + + **Backwards incompatible changes** + + None + + **Features** + + * Add relative link to code of conduct. (#442) + + * Drop deprecated 'setup.py test' support. (#507) + + * Fix typo: curren -> current in tests/test_clean.py (#504) + + * Test on PyPy 7 + + * Drop test support for end of life Python 3.4 + + **Bug fixes** + + None + + Version 3.1.2 (March 11th, 2020) + -------------------------------- + + **Security fixes** + + * ``bleach.clean`` behavior parsing embedded MathML and SVG content + with RCDATA tags did not match browser behavior and could result in + a mutation XSS. 
+ + Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or + ``svg`` tags and one or more of the RCDATA tags ``script``, + ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or + ``xmp`` in the allowed tags whitelist were vulnerable to a mutation + XSS. + + This security issue was confirmed in Bleach version v3.1.1. Earlier + versions are likely affected too. + + Anyone using Bleach <=v3.1.1 is encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 + + **Backwards incompatible changes** + + None + + **Features** + + None + + **Bug fixes** + + None + Version 3.1.1 (February 13th, 2020) ----------------------------------- @@ -767,11 +824,11 @@ Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: 3.5 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 +Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: Implementation :: CPython Classifier: Programming Language :: Python :: Implementation :: PyPy Classifier: Topic :: Software Development :: Libraries :: Python Modules -Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.* +Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/README.rst new/bleach-3.1.3/README.rst --- old/bleach-3.1.1/README.rst 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/README.rst 2020-03-17 16:26:03.000000000 +0100 @@ -30,7 +30,6 @@ :Code: https://github.com/mozilla/bleach :Documentation: https://bleach.readthedocs.io/ :Issue tracker: https://github.com/mozilla/bleach/issues -:IRC: ``#bleach`` on irc.mozilla.org :License: Apache License v2; see LICENSE file 
@@ -97,21 +96,18 @@ u'an <script>evil()</script> example' >>> bleach.linkify('an http://example.com url') - u'an <a href="http://example.com" rel="nofollow">http://example.com</a> url + u'an <a href="http://example.com" rel="nofollow">http://example.com</a> url' -Code of conduct +Code of Conduct =============== This project and repository is governed by Mozilla's code of conduct and -etiquette guidelines. For more details please see the `Mozilla Community -Participation Guidelines -<https://www.mozilla.org/about/governance/policies/participation/>`_ and -`Developer Etiquette Guidelines -<https://bugzilla.mozilla.org/page.cgi?id=etiquette.html>`_. +etiquette guidelines. For more details please see the `CODE_OF_CONDUCT.md +</CODE_OF_CONDUCT.md>`_ .. _html5lib: https://github.com/html5lib/html5lib-python .. _GitHub: https://github.com/mozilla/bleach .. _ReadTheDocs: https://bleach.readthedocs.io/ -.. _PyPI: http://pypi.python.org/pypi/bleach +.. _PyPI: https://pypi.org/project/bleach/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/bleach/__init__.py new/bleach-3.1.3/bleach/__init__.py --- old/bleach-3.1.1/bleach/__init__.py 2020-02-19 18:34:36.000000000 +0100 +++ new/bleach-3.1.3/bleach/__init__.py 2020-03-17 16:26:03.000000000 +0100 @@ -18,9 +18,9 @@ # yyyymmdd -__releasedate__ = '20200213' +__releasedate__ = '20200317' # x.y.z or x.y.z.dev0 -- semver -__version__ = '3.1.1' +__version__ = '3.1.3' VERSION = parse_version(__version__) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/bleach/callbacks.py new/bleach-3.1.3/bleach/callbacks.py --- old/bleach-3.1.1/bleach/callbacks.py 2020-02-13 17:31:31.000000000 +0100 +++ new/bleach-3.1.3/bleach/callbacks.py 2020-03-17 16:26:03.000000000 +0100 
@@ -3,31 +3,31 @@ def nofollow(attrs, new=False): - href_key = (None, u'href') + href_key = (None, 'href') if href_key not in attrs: return attrs - if attrs[href_key].startswith(u'mailto:'): + if attrs[href_key].startswith('mailto:'): return attrs - rel_key = (None, u'rel') - rel_values = [val for val in attrs.get(rel_key, u'').split(u' ') if val] - if u'nofollow' not in [rel_val.lower() for rel_val in rel_values]: - rel_values.append(u'nofollow') - attrs[rel_key] = u' '.join(rel_values) + rel_key = (None, 'rel') + rel_values = [val for val in attrs.get(rel_key, '').split(' ') if val] + if 'nofollow' not in [rel_val.lower() for rel_val in rel_values]: + rel_values.append('nofollow') + attrs[rel_key] = ' '.join(rel_values) return attrs def target_blank(attrs, new=False): - href_key = (None, u'href') + href_key = (None, 'href') if href_key not in attrs: return attrs - if attrs[href_key].startswith(u'mailto:'): + if attrs[href_key].startswith('mailto:'): return attrs - attrs[(None, u'target')] = u'_blank' + attrs[(None, 'target')] = '_blank' return attrs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/bleach/html5lib_shim.py new/bleach-3.1.3/bleach/html5lib_shim.py --- old/bleach-3.1.1/bleach/html5lib_shim.py 2020-02-19 18:34:36.000000000 +0100 +++ new/bleach-3.1.3/bleach/html5lib_shim.py 2020-03-17 16:26:03.000000000 +0100 @@ -37,11 +37,11 @@ ENTITIES_TRIE = Trie(ENTITIES) #: Token type constants--these never change -TAG_TOKEN_TYPES = set([ +TAG_TOKEN_TYPES = { constants.tokenTypes['StartTag'], constants.tokenTypes['EndTag'], constants.tokenTypes['EmptyTag'] -]) +} CHARACTERS_TYPE = constants.tokenTypes['Characters'] PARSEERROR_TYPE = constants.tokenTypes['ParseError'] 
@@ -256,7 +256,8 @@ yield token elif ((last_error_token['data'] == 'expected-closing-tag-but-got-char' and - token['data'].lower().strip() not in self.parser.tags)): + self.parser.tags is not None and + token['data'].lower().strip() not in self.parser.tags)): # We've got either a malformed tag or a pseudo-tag or # something that html5lib wants to turn into a malformed # comment which Bleach clean() will drop so we interfere @@ -452,7 +453,7 @@ new_text.append(part) - return u''.join(new_text) + return ''.join(new_text) def match_entity(stream): @@ -533,7 +534,18 @@ class BleachHTMLSerializer(HTMLSerializer): - """HTMLSerializer that undoes & -> & in attributes""" + """HTMLSerializer that undoes & -> & in attributes and sets + escape_rcdata to True + """ + + # per the HTMLSerializer.__init__ docstring: + # + # Whether to escape characters that need to be + # escaped within normal elements within rcdata elements such as + # style. + # + escape_rcdata = True + def escape_base_amp(self, stoken): """Escapes just bare & in HTML attribute values""" # First, undo escaping of &. We need to do this because html5lib's @@ -557,7 +569,7 @@ yield '&' + entity + ';' # Length of the entity plus 2--one for & at the beginning - # and and one for ; at the end + # and one for ; at the end part = part[len(entity) + 2:] if part: yield part diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/bleach/linkifier.py new/bleach-3.1.3/bleach/linkifier.py --- old/bleach-3.1.1/bleach/linkifier.py 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/bleach/linkifier.py 2020-03-17 16:26:03.000000000 +0100 @@ -49,7 +49,7 @@ (?:[/?][^\s\{{\}}\|\\\^\[\]`<>"]*)? # /path/zz (excluding "unsafe" chars from RFC 1738, # except for # and ~, which happen in practice) - """.format('|'.join(protocols), '|'.join(tlds)), + """.format('|'.join(sorted(protocols)), '|'.join(sorted(tlds))), re.IGNORECASE | re.VERBOSE | re.UNICODE) 
@@ -59,15 +59,31 @@ PROTO_RE = re.compile(r'^[\w-]+:/{0,3}', re.IGNORECASE) -EMAIL_RE = re.compile( - r"""(?<!//) - (([-!#$%&'*+/=?^_`{}|~0-9A-Z]+ - (\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)* # dot-atom - |^"([\001-\010\013\014\016-\037!#-\[\]-\177] - |\\[\001-\011\013\014\016-\177])*" # quoted-string - )@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}) # domain - """, - re.IGNORECASE | re.MULTILINE | re.VERBOSE) +def build_email_re(tlds=TLDS): + """Builds the email regex used by linkifier + + If you want a different set of tlds, pass those in and stomp on the existing ``email_re``:: + + from bleach import linkifier + + my_email_re = linkifier.build_email_re(my_tlds_list) + + linker = LinkifyFilter(email_re=my_url_re) + + """ + # open and closing braces doubled below for format string + return re.compile( + r"""(?<!//) + (([-!#$%&'*+/=?^_`{{}}|~0-9A-Z]+ + (\.[-!#$%&'*+/=?^_`{{}}|~0-9A-Z]+)* # dot-atom + |^"([\001-\010\013\014\016-\037!#-\[\]-\177] + |\\[\001-\011\013\014\016-\177])*" # quoted-string + )@(?:[A-Z0-9](?:[A-Z0-9-]{{0,61}}[A-Z0-9])?\.)+(?:{0})) # domain + """.format('|'.join(tlds)), + re.IGNORECASE | re.MULTILINE | re.VERBOSE) + + +EMAIL_RE = build_email_re() class Linker(object): @@ -149,7 +165,7 @@ text = force_unicode(text) if not text: - return u'' + return '' dom = self.parser.parseFragment(text) filtered = LinkifyFilter( @@ -241,7 +257,7 @@ # linkify callables. # # I'm not really sure how else to support that ``_text`` fauxttribute and - # maintain some modicum of backwards compatability with previous versions + # maintain some modicum of backwards compatibility with previous versions # of Bleach. out = [] @@ -250,7 +266,7 @@ if token_type in ['Characters', 'SpaceCharacters']: out.append(token['data']) - return u''.join(out) + return ''.join(out) def handle_email_addresses(self, src_iter): """Handle email addresses in character tokens""" 
@@ -264,31 +280,31 @@ for match in self.email_re.finditer(text): if match.start() > end: new_tokens.append( - {u'type': u'Characters', u'data': text[end:match.start()]} + {'type': 'Characters', 'data': text[end:match.start()]} ) # Run attributes through the callbacks to see what we # should do with this match attrs = { - (None, u'href'): u'mailto:%s' % match.group(0), - u'_text': match.group(0) + (None, 'href'): 'mailto:%s' % match.group(0), + '_text': match.group(0) } attrs = self.apply_callbacks(attrs, True) if attrs is None: # Just add the text--but not as a link new_tokens.append( - {u'type': u'Characters', u'data': match.group(0)} + {'type': 'Characters', 'data': match.group(0)} ) else: # Add an "a" tag for the new link - _text = attrs.pop(u'_text', '') + _text = attrs.pop('_text', '') attrs = alphabetize_attributes(attrs) new_tokens.extend([ - {u'type': u'StartTag', u'name': u'a', u'data': attrs}, - {u'type': u'Characters', u'data': force_unicode(_text)}, - {u'type': u'EndTag', u'name': 'a'} + {'type': 'StartTag', 'name': 'a', 'data': attrs}, + {'type': 'Characters', 'data': force_unicode(_text)}, + {'type': 'EndTag', 'name': 'a'} ]) end = match.end() @@ -296,7 +312,7 @@ # Yield the adjusted set of tokens and then continue # through the loop if end < len(text): - new_tokens.append({u'type': u'Characters', u'data': text[end:]}) + new_tokens.append({'type': 'Characters', 'data': text[end:]}) for new_token in new_tokens: yield new_token @@ -316,12 +332,12 @@ while fragment: # Try removing ( from the beginning and, if it's balanced, from the # end, too - if fragment.startswith(u'('): - prefix = prefix + u'(' + if fragment.startswith('('): + prefix = prefix + '(' fragment = fragment[1:] - if fragment.endswith(u')'): - suffix = u')' + suffix + if fragment.endswith(')'): + suffix = ')' + suffix fragment = fragment[:-1] continue 
@@ -331,21 +347,21 @@ # # "i looked at the site (at http://example.com)" - if fragment.endswith(u')') and u'(' not in fragment: + if fragment.endswith(')') and '(' not in fragment: fragment = fragment[:-1] - suffix = u')' + suffix + suffix = ')' + suffix continue # Handle commas - if fragment.endswith(u','): + if fragment.endswith(','): fragment = fragment[:-1] - suffix = u',' + suffix + suffix = ',' + suffix continue # Handle periods - if fragment.endswith(u'.'): + if fragment.endswith('.'): fragment = fragment[:-1] - suffix = u'.' + suffix + suffix = '.' + suffix continue # Nothing matched, so we're done @@ -374,7 +390,7 @@ for match in self.url_re.finditer(text): if match.start() > end: new_tokens.append( - {u'type': u'Characters', u'data': text[end:match.start()]} + {'type': 'Characters', 'data': text[end:match.start()]} ) url = match.group(0) @@ -388,39 +404,39 @@ if PROTO_RE.search(url): href = url else: - href = u'http://%s' % url + href = 'http://%s' % url attrs = { - (None, u'href'): href, - u'_text': url + (None, 'href'): href, + '_text': url } attrs = self.apply_callbacks(attrs, True) if attrs is None: # Just add the text new_tokens.append( - {u'type': u'Characters', u'data': prefix + url + suffix} + {'type': 'Characters', 'data': prefix + url + suffix} ) else: # Add the "a" tag! if prefix: new_tokens.append( - {u'type': u'Characters', u'data': prefix} + {'type': 'Characters', 'data': prefix} ) - _text = attrs.pop(u'_text', '') + _text = attrs.pop('_text', '') attrs = alphabetize_attributes(attrs) new_tokens.extend([ - {u'type': u'StartTag', u'name': u'a', u'data': attrs}, - {u'type': u'Characters', u'data': force_unicode(_text)}, - {u'type': u'EndTag', u'name': 'a'}, + {'type': 'StartTag', 'name': 'a', 'data': attrs}, + {'type': 'Characters', 'data': force_unicode(_text)}, + {'type': 'EndTag', 'name': 'a'}, ]) if suffix: new_tokens.append( - {u'type': u'Characters', u'data': suffix} + {'type': 'Characters', 'data': suffix} ) end = match.end() 
@@ -429,7 +445,7 @@ # Yield the adjusted set of tokens and then continue # through the loop if end < len(text): - new_tokens.append({u'type': u'Characters', u'data': text[end:]}) + new_tokens.append({'type': 'Characters', 'data': text[end:]}) for new_token in new_tokens: yield new_token diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/bleach/sanitizer.py new/bleach-3.1.3/bleach/sanitizer.py --- old/bleach-3.1.1/bleach/sanitizer.py 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/bleach/sanitizer.py 2020-03-17 16:26:03.000000000 +0100 @@ -162,7 +162,7 @@ raise TypeError(message) if not text: - return u'' + return '' text = force_unicode(text) @@ -408,7 +408,7 @@ new_tokens.append({'type': 'Entity', 'name': entity}) # Length of the entity plus 2--one for & at the beginning - # and and one for ; at the end + # and one for ; at the end remainder = part[len(entity) + 2:] if remainder: new_tokens.append({'type': 'Characters', 'data': remainder}) @@ -528,7 +528,7 @@ continue # If it's a style attribute, sanitize it - if namespaced_name == (None, u'style'): + if namespaced_name == (None, 'style'): val = self.sanitize_css(val) # At this point, we want to keep the attribute, so add it in @@ -593,7 +593,8 @@ # the whole thing. parts = style.split(';') gauntlet = re.compile( - r"""^([-/:,#%.'"\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$""" + r"""^([-/:,#%.'"\s!\w]|\w-\w|'[\s\w]+'\s*|"[\s\w]+"|\([\d,%\.\s]+\))*$""", + flags=re.U ) for part in parts: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/bleach.egg-info/PKG-INFO new/bleach-3.1.3/bleach.egg-info/PKG-INFO --- old/bleach-3.1.1/bleach.egg-info/PKG-INFO 2020-02-19 18:39:45.000000000 +0100 +++ new/bleach-3.1.3/bleach.egg-info/PKG-INFO 2020-03-17 16:29:17.000000000 +0100 
@@ -1,6 +1,6 @@ Metadata-Version: 1.2 Name: bleach -Version: 3.1.1 +Version: 3.1.3 Summary: An easy safelist-based HTML-sanitizing tool. Home-page: https://github.com/mozilla/bleach Maintainer: Will Kahn-Greene @@ -38,7 +38,6 @@ :Code: https://github.com/mozilla/bleach :Documentation: https://bleach.readthedocs.io/ :Issue tracker: https://github.com/mozilla/bleach/issues - :IRC: ``#bleach`` on irc.mozilla.org :License: Apache License v2; see LICENSE file 
@@ -105,29 +104,87 @@ u'an <script>evil()</script> example' >>> bleach.linkify('an http://example.com url') - u'an <a href="http://example.com" rel="nofollow">http://example.com</a> url + u'an <a href="http://example.com" rel="nofollow">http://example.com</a> url' - Code of conduct + Code of Conduct =============== This project and repository is governed by Mozilla's code of conduct and - etiquette guidelines. For more details please see the `Mozilla Community - Participation Guidelines - <https://www.mozilla.org/about/governance/policies/participation/>`_ and - `Developer Etiquette Guidelines - <https://bugzilla.mozilla.org/page.cgi?id=etiquette.html>`_. + etiquette guidelines. For more details please see the `CODE_OF_CONDUCT.md + </CODE_OF_CONDUCT.md>`_ .. _html5lib: https://github.com/html5lib/html5lib-python .. _GitHub: https://github.com/mozilla/bleach .. _ReadTheDocs: https://bleach.readthedocs.io/ - .. _PyPI: http://pypi.python.org/pypi/bleach + .. _PyPI: https://pypi.org/project/bleach/ Bleach changes ============== + Version 3.1.3 (March 17th, 2020) + -------------------------------- + + **Security fixes** + + None + + **Backwards incompatible changes** + + None + + **Features** + + * Add relative link to code of conduct. (#442) + + * Drop deprecated 'setup.py test' support. (#507) + + * Fix typo: curren -> current in tests/test_clean.py (#504) + + * Test on PyPy 7 + + * Drop test support for end of life Python 3.4 + + **Bug fixes** + + None + + Version 3.1.2 (March 11th, 2020) + -------------------------------- + + **Security fixes** + + * ``bleach.clean`` behavior parsing embedded MathML and SVG content + with RCDATA tags did not match browser behavior and could result in + a mutation XSS. 
+ + Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or + ``svg`` tags and one or more of the RCDATA tags ``script``, + ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or + ``xmp`` in the allowed tags whitelist were vulnerable to a mutation + XSS. + + This security issue was confirmed in Bleach version v3.1.1. Earlier + versions are likely affected too. + + Anyone using Bleach <=v3.1.1 is encouraged to upgrade. + + https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 + + **Backwards incompatible changes** + + None + + **Features** + + None + + **Bug fixes** + + None + Version 3.1.1 (February 13th, 2020) ----------------------------------- @@ -767,11 +824,11 @@ Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.4 Classifier: Programming Language :: Python :: 3.5 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 +Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: Implementation :: CPython Classifier: Programming Language :: Python :: Implementation :: PyPy Classifier: Topic :: Software Development :: Libraries :: Python Modules -Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.* +Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/docs/clean.rst new/bleach-3.1.3/docs/clean.rst --- old/bleach-3.1.1/docs/clean.rst 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/docs/clean.rst 2020-03-17 16:26:03.000000000 +0100 
@@ -34,7 +34,7 @@ This is a **not safe** use of ``clean`` output in an HTML attribute:: - <body data-bio="{{ bleach.clean(user_bio} }}"> + <body data-bio="{{ bleach.clean(user_bio) }}"> If you need to use the output of ``bleach.clean()`` in an HTML attribute, you diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/docs/dev.rst new/bleach-3.1.3/docs/dev.rst --- old/bleach-3.1.1/docs/dev.rst 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/docs/dev.rst 2020-03-17 16:26:03.000000000 +0100 @@ -102,4 +102,4 @@ That will push the release to PyPI. -12. Blog posts, twitter, update topic in ``#bleach``, etc. +12. Blog posts, twitter, etc. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/docs/goals.rst new/bleach-3.1.3/docs/goals.rst --- old/bleach-3.1.1/docs/goals.rst 2020-02-13 17:31:31.000000000 +0100 +++ new/bleach-3.1.3/docs/goals.rst 2020-03-17 16:26:03.000000000 +0100 @@ -59,6 +59,10 @@ creation, alteration, and removal of links based on an extremely wide range of use cases. +Bleach does not try to verify the validity or safety of the domains +linked to beyond being well-formed (see :ref:`Linkifying text +fragments <linkify-chapter>` for details). + Non-Goals ========= @@ -90,7 +94,7 @@ This is a **not safe** use of ``clean`` output in an HTML attribute:: - <body data-bio="{{ bleach.clean(user_bio} }}"> + <body data-bio="{{ bleach.clean(user_bio) }}"> If you need to use the output of ``bleach.clean()`` in an HTML attribute, you diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/docs/linkify.rst new/bleach-3.1.3/docs/linkify.rst --- old/bleach-3.1.1/docs/linkify.rst 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/docs/linkify.rst 2020-03-17 16:26:03.000000000 +0100 
@@ -26,9 +26,22 @@ You may pass a ``string`` or ``unicode`` object, but Bleach will always return ``unicode``. +.. note:: -.. autofunction:: bleach.linkify + By default `linkify` **does not** attempt to protect users from bad + or deceptive links including: + + * links to malicious or deceptive domains + * shortened or tracking links + * deceptive links using internationalized domain names (IDN) that + resemble legitimate domains for `IDN homograph attacks + <https://en.wikipedia.org/wiki/IDN_homograph_attack>`_ (font + styling, background color, and other context is unavailable) + We recommend using additional callbacks or other controls to check + these properties. + +.. autofunction:: bleach.linkify Callbacks for adjusting attributes (``callbacks``) ================================================== 
@@ -311,6 +324,65 @@ 'a b c <a href="http://example.com" rel="nofollow">http://example.com</a> d e f' +It includes optional keyword arguments to specify allowed top-level +domains (TLDs) and URL protocols/schemes: + +.. doctest:: + + >>> from bleach.linkifier import Linker, build_url_re + + >>> only_fish_tld_url_re = build_url_re(tlds=['fish']) + >>> linker = Linker(url_re=only_fish_tld_url_re) + + >>> linker.linkify('com TLD does not link https://example.com') + 'com TLD does not link https://example.com' + >>> linker.linkify('fish TLD links https://example.fish') + 'fish TLD links <a href="https://example.fish" rel="nofollow">https://example.fish</a>' + + + >>> only_https_url_re = build_url_re(protocols=['https']) + >>> linker = Linker(url_re=only_https_url_re) + + >>> linker.linkify('gopher does not link gopher://example.link') + 'gopher does not link gopher://example.link' + >>> linker.linkify('https links https://example.com/') + 'https links <a href="https://example.com/" rel="nofollow">https://example.com/</a>' + + +Specify localized TLDs with and without punycode encoding to handle +both formats: + +.. doctest:: + + >>> from bleach.linkifier import Linker, build_url_re + + >>> linker = Linker(url_re=build_url_re(tlds=['рф'])) + >>> linker.linkify('https://xn--80aaksdi3bpu.xn--p1ai/ https://дайтрафик.рф/') + 'https://xn--80aaksdi3bpu.xn--p1ai/ <a href="https://дайтрафик.рф/" rel="nofollow">https://дайтрафик.рф/</a>' + + >>> puny_linker = Linker(url_re=build_url_re(tlds=['рф', 'xn--p1ai'])) + >>> puny_linker.linkify('https://xn--80aaksdi3bpu.xn--p1ai/ https://дайтрафик.рф/') + '<a href="https://xn--80aaksdi3bpu.xn--p1ai/" rel="nofollow">https://xn--80aaksdi3bpu.xn--p1ai/</a> <a href="https://дайтрафик.рф/" rel="nofollow">https://дайтрафик.рф/</a>' + + +Similarly, using ``build_email_re`` with the ``email_re`` argument to +customize recognized email TLDs: + +.. 
doctest:: + + >>> from bleach.linkifier import Linker, build_email_re + + >>> only_fish_tld_url_re = build_email_re(tlds=['fish']) + >>> linker = Linker(email_re=only_fish_tld_url_re, parse_email=True) + + >>> linker.linkify('does not link email: [email protected]') + 'does not link email: [email protected]' + >>> linker.linkify('links email [email protected]') + 'links email <a href="mailto:[email protected]">[email protected]</a>' + + +:ref:`LinkifyFilter <linkify-LinkifyFilter>` also accepts these options. + .. autoclass:: bleach.linkifier.Linker :members: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/requirements-dev.txt new/bleach-3.1.3/requirements-dev.txt --- old/bleach-3.1.1/requirements-dev.txt 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/requirements-dev.txt 2020-03-17 15:33:48.000000000 +0100 @@ -11,3 +11,6 @@ # Requirements for updating package twine + +# Requirements for running setup.py bdist_wheel +wheel diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/scripts/run_tests.sh new/bleach-3.1.3/scripts/run_tests.sh --- old/bleach-3.1.1/scripts/run_tests.sh 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/scripts/run_tests.sh 2020-03-17 16:26:03.000000000 +0100 @@ -16,6 +16,8 @@ flake8 bleach/ ;; vendorverify) ./scripts/vendor_verify.sh ;; + docs) + tox -e docs ;; *) echo "Unknown mode $MODE." exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/setup.cfg new/bleach-3.1.3/setup.cfg --- old/bleach-3.1.1/setup.cfg 2020-02-19 18:39:45.758497500 +0100 +++ new/bleach-3.1.3/setup.cfg 2020-03-17 16:29:18.039319300 +0100 
@@ -1,6 +1,3 @@ -[aliases] -test = pytest - [flake8] exclude = .git/, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/setup.py new/bleach-3.1.3/setup.py --- old/bleach-3.1.1/setup.py 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/setup.py 2020-03-17 16:26:03.000000000 +0100 @@ -1,22 +1,12 @@ #!/usr/bin/env python -import codecs +import io import os import re -import sys from setuptools import setup, find_packages -setup_requires = [] -if 'test' in sys.argv: - # Only add pytest-runner to setup_requires if running tests - setup_requires.append('pytest-runner>=2.0,<3dev') - -tests_require = [ - 'pytest>=3.0.0', -] - install_requires = [ 'six>=1.9.0', # html5lib requirements @@ -25,16 +15,19 @@ def get_long_desc(): - desc = codecs.open('README.rst', encoding='utf-8').read() + with io.open('README.rst', encoding='utf-8') as fp: + desc = fp.read() desc += '\n\n' - desc += codecs.open('CHANGES', encoding='utf-8').read() + with io.open('CHANGES', encoding='utf-8') as fp: + desc += fp.read() return desc def get_version(): fn = os.path.join('bleach', '__init__.py') vsre = r"""^__version__ = ['"]([^'"]*)['"]""" - version_file = codecs.open(fn, mode='r', encoding='utf-8').read() + with io.open(fn, encoding='utf-8') as fp: + version_file = fp.read() return re.search(vsre, version_file, re.M).group(1) @@ -51,10 +44,8 @@ include_package_data=True, package_data={'': ['README.rst']}, zip_safe=False, - python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*', + python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*', install_requires=install_requires, - setup_requires=setup_requires, - tests_require=tests_require, classifiers=[ 'Development Status :: 5 - Production/Stable', 'Environment :: Web Environment', 
@@ -65,10 +56,10 @@ 'Programming Language :: Python :: 2', 'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 3', - 'Programming Language :: Python :: 3.4', 'Programming Language :: Python :: 3.5', 'Programming Language :: Python :: 3.6', 'Programming Language :: Python :: 3.7', + 'Programming Language :: Python :: 3.8', 'Programming Language :: Python :: Implementation :: CPython', 'Programming Language :: Python :: Implementation :: PyPy', 'Topic :: Software Development :: Libraries :: Python Modules', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tests/test_callbacks.py new/bleach-3.1.3/tests/test_callbacks.py --- old/bleach-3.1.1/tests/test_callbacks.py 2020-02-13 17:31:31.000000000 +0100 +++ new/bleach-3.1.3/tests/test_callbacks.py 2020-03-17 16:26:03.000000000 +0100 @@ -1,3 +1,5 @@ +from __future__ import unicode_literals + from bleach.callbacks import nofollow, target_blank 
@@ -45,19 +47,19 @@ assert target_blank(attrs) == attrs def test_mailto(self): - attrs = {(None, u'href'): u'mailto:[email protected]'} + attrs = {(None, 'href'): 'mailto:[email protected]'} assert target_blank(attrs) == attrs def test_add_target(self): - attrs = {(None, u'href'): u'http://example.com'} + attrs = {(None, 'href'): 'http://example.com'} assert ( target_blank(attrs) == - {(None, u'href'): u'http://example.com', (None, u'target'): u'_blank'} + {(None, 'href'): 'http://example.com', (None, 'target'): '_blank'} ) def test_stomp_target(self): - attrs = {(None, u'href'): u'http://example.com', (None, u'target'): u'foo'} + attrs = {(None, 'href'): 'http://example.com', (None, 'target'): 'foo'} assert ( target_blank(attrs) == - {(None, u'href'): 'http://example.com', (None, u'target'): u'_blank'} + {(None, 'href'): 'http://example.com', (None, 'target'): '_blank'} ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tests/test_clean.py new/bleach-3.1.3/tests/test_clean.py --- old/bleach-3.1.1/tests/test_clean.py 2020-02-19 18:34:36.000000000 +0100 +++ new/bleach-3.1.3/tests/test_clean.py 2020-03-17 16:26:03.000000000 +0100 @@ -1,3 +1,5 @@ +from __future__ import unicode_literals + import os import pytest @@ -5,7 +7,7 @@ from bleach import clean from bleach.html5lib_shim import Filter from bleach.sanitizer import Cleaner - +from bleach._vendor.html5lib.constants import rcdataElements def test_clean_idempotent(): """Make sure that applying the filter twice doesn't change anything.""" @@ -22,11 +24,11 @@ with pytest.raises(TypeError) as e: clean(some_type) - assert "argument cannot be of 'type' type" in str(e) + assert "argument cannot be of 'type' type" in str(e.value) with pytest.raises(TypeError) as e: clean(no_type) - assert "NoneType" in str(e) + assert "NoneType" in str(e.value) def test_empty(): 
@@ -218,7 +220,7 @@ ('this & that', 'this &amp that'), # Test a thing that looks like a character entity, but isn't because it's - # missing a ; (¤) + # missing a ; (¤t) ( 'http://example.com?active=true¤t=true', 'http://example.com?active=true&current=true' @@ -471,10 +473,10 @@ ATTRS = lambda tag, name, val: name == 'title' TAGS = ['a'] - text = u'<a href="/foo" title="blah">example</a>' + text = '<a href="/foo" title="blah">example</a>' assert ( clean(text, tags=TAGS, attributes=ATTRS) == - u'<a title="blah">example</a>' + '<a title="blah">example</a>' ) @@ -501,8 +503,8 @@ TAGS = ['a'] assert ( - clean(u'<a href="/foo" title="blah">example</a>', tags=TAGS, attributes=ATTRS) == - u'<a title="blah">example</a>' + clean('<a href="/foo" title="blah">example</a>', tags=TAGS, attributes=ATTRS) == + '<a title="blah">example</a>' ) @@ -519,12 +521,12 @@ text = 'foo <img src="http://example.com" alt="blah"> baz' assert ( clean(text, tags=TAGS, attributes=ATTRS) == - u'foo <img> baz' + 'foo <img> baz' ) text = 'foo <img src="https://example.com" alt="blah"> baz' assert ( clean(text, tags=TAGS, attributes=ATTRS) == - u'foo <img src="https://example.com"> baz' + 'foo <img src="https://example.com"> baz' ) @@ -536,8 +538,8 @@ TAGS = ['a'] assert ( - clean(u'<a href="/foo" title="blah">example</a>', tags=TAGS, attributes=ATTRS) == - u'<a title="blah">example</a>' + clean('<a href="/foo" title="blah">example</a>', tags=TAGS, attributes=ATTRS) == + '<a title="blah">example</a>' ) @@ -546,10 +548,10 @@ ATTRS = ['title'] TAGS = ['a'] - text = u'<a href="/foo" title="blah">example</a>' + text = '<a href="/foo" title="blah">example</a>' assert ( clean(text, tags=TAGS, attributes=ATTRS) == - u'<a title="blah">example</a>' + '<a title="blah">example</a>' ) 
@@ -787,7 +789,7 @@ ( raw_tag, "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag, - "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag, + "<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag, ) for raw_tag in _raw_tags ], @@ -797,6 +799,29 @@ assert clean(data, tags=["noscript", raw_tag]) == expected [email protected]( + "namespace_tag, rc_data_element_tag, data, expected", + [ + ( + namespace_tag, + rc_data_element_tag, + "<%s><%s><img src=x onerror=alert(1)>" % (namespace_tag, rc_data_element_tag), + "<%s><%s><img src=x onerror=alert(1)></%s></%s>" % (namespace_tag, rc_data_element_tag, rc_data_element_tag, namespace_tag), + ) + for namespace_tag in ["math", "svg"] + # https://dev.w3.org/html5/html-author/#rcdata-elements + # https://html.spec.whatwg.org/index.html#parsing-html-fragments + # in html5lib: 'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', and 'noscript' + for rc_data_element_tag in rcdataElements + ], +) +def test_namespace_rc_data_element_strip_false(namespace_tag, rc_data_element_tag, data, expected): + # refs: bug 1621692 / GHSA-m6xf-fq7q-8743 + # + # browsers will pull the img out of the namespace and rc data tag resulting in XSS + assert clean(data, tags=[namespace_tag, rc_data_element_tag], strip=False) == expected + + def get_ids_and_tests(): """Retrieves regression tests from data/ directory 
@@ -811,10 +836,11 @@ # Sort numerically which makes it easier to iterate through them tests.sort(key=lambda x: int(os.path.basename(x).split('.', 1)[0])) - testcases = [ - (os.path.basename(fn), open(fn, 'r').read()) - for fn in tests - ] + testcases = [] + for fn in tests: + with open(fn) as fp: + data = fp.read() + testcases.append((os.path.basename(fn), data)) return testcases diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tests/test_css.py new/bleach-3.1.3/tests/test_css.py --- old/bleach-3.1.1/tests/test_css.py 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/tests/test_css.py 2020-03-17 16:26:03.000000000 +0100 @@ -1,3 +1,5 @@ +from __future__ import unicode_literals + from functools import partial import pytest 
@@ -10,69 +12,73 @@ @pytest.mark.parametrize('data, styles, expected', [ ( - 'font-family: Arial; color: red; float: left; background-color: red;', + '<p style="font-family: Arial; color: red; float: left; background-color: red;">bar</p>', ['color'], - 'color: red;' + '<p style="color: red;">bar</p>' ), ( - 'border: 1px solid blue; color: red; float: left;', + '<p style="border: 1px solid blue; color: red; float: left;">bar</p>', ['color'], - 'color: red;' + '<p style="color: red;">bar</p>' ), ( - 'border: 1px solid blue; color: red; float: left;', + '<p style="border: 1px solid blue; color: red; float: left;">bar</p>', ['color', 'float'], - 'color: red; float: left;' + '<p style="color: red; float: left;">bar</p>' ), ( - 'color: red; float: left; padding: 1em;', + '<p style="color: red; float: left; padding: 1em;">bar</p>', ['color', 'float'], - 'color: red; float: left;' + '<p style="color: red; float: left;">bar</p>' ), ( - 'color: red; float: left; padding: 1em;', + '<p style="color: red; float: left; padding: 1em;">bar</p>', ['color'], - 'color: red;' + '<p style="color: red;">bar</p>' ), + # Handle leading - in attributes ( - 'cursor: -moz-grab;', + '<p style="cursor: -moz-grab;">bar</p>', ['cursor'], - 'cursor: -moz-grab;' + '<p style="cursor: -moz-grab;">bar</p>' ), + # Handle () in attributes ( - 'color: hsl(30,100%,50%);', + '<p style="color: hsl(30,100%,50%);">bar</p>', ['color'], - 'color: hsl(30,100%,50%);' + '<p style="color: hsl(30,100%,50%);">bar</p>', ), ( - 'color: rgba(255,0,0,0.4);', + '<p style="color: rgba(255,0,0,0.4);">bar</p>', ['color'], - 'color: rgba(255,0,0,0.4);' + '<p style="color: rgba(255,0,0,0.4);">bar</p>', ), + # Handle ' in attributes ( - "text-overflow: ',' ellipsis;", + '<p style="text-overflow: \',\' ellipsis;">bar</p>', ['text-overflow'], - "text-overflow: ',' ellipsis;" + '<p style="text-overflow: \',\' ellipsis;">bar</p>' ), + # Handle " in attributes ( - 'text-overflow: "," ellipsis;', + '<p style=\'text-overflow: "," 
ellipsis;\'>bar</p>', ['text-overflow'], - 'text-overflow: "," ellipsis;' + '<p style=\'text-overflow: "," ellipsis;\'>bar</p>' ), ( - 'font-family: "Arial";', + '<p style=\'font-family: "Arial";\'>bar</p>', ['font-family'], - 'font-family: "Arial";' + '<p style=\'font-family: "Arial";\'>bar</p>' + ), + # Handle non-ascii characters in attributes + ( + '<p style="font-family: \u30e1\u30a4\u30ea\u30aa; color: blue;">bar</p>', + ['color'], + '<p style="color: blue;">bar</p>' ), ]) def test_allowed_css(data, styles, expected): - p_single = '<p style="{0!s}">bar</p>' - p_double = "<p style='{0!s}'>bar</p>" - - if '"' in data: - assert clean(p_double.format(data), styles=styles) == p_double.format(expected) - else: - assert clean(p_single.format(data), styles=styles) == p_single.format(expected) + assert clean(data, styles=styles) == expected def test_valid_css(): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tests/test_html5lib_shim.py new/bleach-3.1.3/tests/test_html5lib_shim.py --- old/bleach-3.1.1/tests/test_html5lib_shim.py 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/tests/test_html5lib_shim.py 2020-03-17 16:26:03.000000000 +0100 @@ -1,3 +1,5 @@ +from __future__ import unicode_literals + import pytest from bleach import html5lib_shim @@ -9,7 +11,7 @@ ('abc', 'abc'), # Handles character entities--both named and numeric - (' ', u'\xa0'), + (' ', '\xa0'), (' ', ' '), (' ', ' '), 
@@ -115,6 +117,12 @@ {}, '<a href=\'http://example.com\'\'>', '<a href="http://example.com"></a>' + ), + # Test that "expected-closing-tag-but-got-char" works when tags is None + ( + {}, + '</ chars', + '<!-- chars-->', ) ]) def test_bleach_html_parser(parser_args, data, expected): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tests/test_linkify.py new/bleach-3.1.3/tests/test_linkify.py --- old/bleach-3.1.1/tests/test_linkify.py 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/tests/test_linkify.py 2020-03-17 16:26:03.000000000 +0100 @@ -1,3 +1,5 @@ +from __future__ import unicode_literals + import re import pytest @@ -190,7 +192,7 @@ """We can set random attributes on links.""" def set_attr(attrs, new=False): - attrs[(None, u'rev')] = u'canonical' + attrs[(None, 'rev')] = 'canonical' return attrs assert ( @@ -562,14 +564,14 @@ @pytest.mark.parametrize('text, expected', [ - (u'<br>', u'<br>'), + ('<br>', '<br>'), ( - u'<br> http://example.com', - u'<br> <a href="http://example.com" rel="nofollow">http://example.com</a>' + '<br> http://example.com', + '<br> <a href="http://example.com" rel="nofollow">http://example.com</a>' ), ( - u'<br> <br> http://example.com', - u'<br> <br> <a href="http://example.com" rel="nofollow">http://example.com</a>' + '<br> <br> http://example.com', + '<br> <br> <a href="http://example.com" rel="nofollow">http://example.com</a>' ) ]) def test_naughty_unescaping(text, expected): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tests_website/open_test_page.py new/bleach-3.1.3/tests_website/open_test_page.py --- old/bleach-3.1.1/tests_website/open_test_page.py 2020-02-13 17:31:31.000000000 +0100 +++ new/bleach-3.1.3/tests_website/open_test_page.py 2020-03-17 16:26:03.000000000 +0100 @@ -3,7 +3,7 @@ import webbrowser -TEST_BROWSERS = set([ +TEST_BROWSERS = { # 'mozilla', 'firefox', # 'netscape', 
@@ -27,7 +27,7 @@ 'chrome', # 'chromium', # 'chromium-browser', -]) +} REGISTERED_BROWSERS = set(webbrowser._browsers.keys()) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bleach-3.1.1/tox.ini new/bleach-3.1.3/tox.ini --- old/bleach-3.1.1/tox.ini 2020-02-13 20:19:16.000000000 +0100 +++ new/bleach-3.1.3/tox.ini 2020-03-17 16:26:03.000000000 +0100 @@ -1,26 +1,14 @@ -# Tox (http://tox.testrun.org/) is a tool for running tests -# in multiple virtualenvs. This configuration file will run the -# test suite on all supported python versions. To use it, "pip install tox" -# and then run "tox" from this directory. - # Note: If you update this, make sure to update .travis.yml, too. [tox] envlist = - py{27,34,35,36,37} - pypy - py{27,34,35,36,37}-build-no-lang + py{27,35,36,37,38,py,py3} + py{27,35,36,37,38}-build-no-lang docs lint vendorverify [testenv] -basepython = - py27: python2.7 - py34: python3.4 - py35: python3.5 - py36: python3.6 - py37: python3.7 deps = -rrequirements-dev.txt commands = @@ -28,35 +16,24 @@ python setup.py build [testenv:py27-build-no-lang] -basepython = python2.7 -setenv = - LANG= -commands = - python setup.py build - -[testenv:py34-build-no-lang] -basepython = python3.4 setenv = LANG= commands = python setup.py build [testenv:py35-build-no-lang] -basepython = python3.5 setenv = LANG= commands = python setup.py build [testenv:py36-build-no-lang] -basepython = python3.6 setenv = LANG= commands = python setup.py build [testenv:py37-build-no-lang] -basepython = python3.7 setenv = LANG= commands = @@ -85,3 +62,4 @@ -rrequirements-dev.txt commands = sphinx-build -b html -d {envtmpdir}/doctrees . {envtmpdir}/html + sphinx-build -b doctest -d {envtmpdir}/doctrees . {envtmpdir}/doctest ++++++ de-vendor.patch ++++++ --- /var/tmp/diff_new_pack.NyFNLB/_old 2020-03-27 00:28:22.252350214 +0100 +++ /var/tmp/diff_new_pack.NyFNLB/_new 2020-03-27 00:28:22.252350214 +0100 
@@ -1,5 +1,5 @@ ---- bleach-3.1.0/bleach/html5lib_shim.py.orig 2019-03-03 16:10:33.148796311 +0700 -+++ bleach-3.1.0/bleach/html5lib_shim.py 2019-03-03 16:11:07.945088029 +0700 +--- bleach/html5lib_shim.py ++++ bleach/html5lib_shim.py @@ -11,23 +11,23 @@ import six @@ -35,3 +35,14 @@ #: Map of entity name to expanded entity +--- tests/test_clean.py ++++ tests/test_clean.py +@@ -7,7 +7,7 @@ + from bleach import clean + from bleach.html5lib_shim import Filter + from bleach.sanitizer import Cleaner +-from bleach._vendor.html5lib.constants import rcdataElements ++from html5lib.constants import rcdataElements + + def test_clean_idempotent(): + """Make sure that applying the filter twice doesn't change anything."""
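Review bot: In the docs/linkify.rst hunk (@@ -311,6 +324,65 @@), the `build_email_re` doctest stores its pattern as `only_fish_tld_url_re` even though it is an email pattern passed as `email_re`; renaming it `only_fish_tld_email_re` stops readers from copying a misleading name. The prose above the localized-TLD doctest could also say outright what the example demonstrates: `build_url_re(tlds=['рф'])` leaves the punycode host `xn--80aaksdi3bpu.xn--p1ai` unlinked, so both `'рф'` and `'xn--p1ai'` must be listed (as the `puny_linker` case does) for both spellings to be recognized.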
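Review bot: In the setup.py hunk at @@ -25,16 +15,19 @@, `get_version` now reads the file with a context manager but still calls `.group(1)` on the result of `re.search` without checking for `None`, so a missing or reformatted `__version__` line fails with an AttributeError instead of a message naming `bleach/__init__.py`; a short `if not match: raise RuntimeError(...)` would make that failure readable. The `!=3.4.*` addition to `python_requires` in the following hunk is consistent with the removed `3.4` classifier and the tox envlist.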
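Review bot: In the tests/test_clean.py hunk at @@ -5,7 +7,7 @@, the new `from bleach._vendor.html5lib.constants import rcdataElements` line replaces the blank line that separated the imports from `def test_clean_idempotent()`, leaving a single blank line before a top-level function (PEP 8 E302). It goes unnoticed because `run_tests.sh` only runs `flake8 bleach/`, not `tests/`; restore the blank line.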
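Review bot: The `str(e)` to `str(e.value)` change in the tests/test_clean.py hunk at @@ -22,11 +24,11 @@ is the right fix: `e` is pytest's `ExceptionInfo`, whose string form carries location information and changed in pytest 5 so that it no longer contains the exception message, which made the old `in str(e)` assertions depend on the pytest version. `pytest.raises(TypeError, match=...)` would state the intent even more directly.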
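Review bot: The new `test_namespace_rc_data_element_strip_false` in the tests/test_clean.py hunk at @@ -797,6 +799,29 @@ only exercises `strip=False`; a companion case with `strip=True`, asserting that the stray `img` inside the `math`/`svg` and rcdata element is dropped rather than serialized, would pin both branches of the GHSA-m6xf-fq7q-8743 fix. Note also that the parameter set is whatever `rcdataElements` contains at import time, not the seven tags listed in the comment, so the number of generated cases follows the html5lib copy that is actually imported.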
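Review bot: In the `get_ids_and_tests` hunk (tests/test_clean.py @@ -811,10 +836,11 @@), the loop now closes each regression file, which fixes the leaked handles from the old comprehension, but `open(fn)` still reads the data in the locale's default encoding, on Python 2 as bytes. Since the same patch set switches setup.py to `io.open(..., encoding='utf-8')` and tox keeps the `-build-no-lang` environments that run with `LANG=` empty, use `io.open(fn, encoding='utf-8')` here too so a non-ASCII regression case does not depend on the environment.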
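Review bot: The non-ASCII case added at the end of the tests/test_css.py parametrize hunk (@@ -10,69 +12,73 @@), `'\u30e1\u30a4\u30ea\u30aa'`, is only a text string on Python 2 because of the `from __future__ import unicode_literals` added in the @@ -1,3 +1,5 @@ hunk of the same file; a one-line comment next to the case saying so would stop a later cleanup from removing that import and silently turning the test into a bytes comparison.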
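Review bot: The new `'</ chars'` case in the tests/test_html5lib_shim.py hunk at @@ -115,6 +117,12 @@ pins the parser's bogus-comment handling (an end-tag open followed by a non-letter becomes the comment `<!-- chars-->`). Since that comment text comes straight from the input, the test comment should say that `clean()` only removes it because `strip_comments` defaults to true; the parser-level test alone does not show where the attacker-controlled text ends up.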
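Review bot: In the tox.ini hunk at @@ -1,26 +1,14 @@, the envlist now generates `py38-build-no-lang`, but the following hunk (@@ -28,35 +16,24 @@) adds no `[testenv:py38-build-no-lang]` section while removing the py34 one, so that environment falls back to the generic `[testenv]`, which does not set `LANG=`; the empty-locale build is therefore not actually exercised on 3.8. Add the section alongside the py37 one.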
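Review bot: The rewritten headers in the de-vendor.patch hunk (`--- bleach/html5lib_shim.py` / `+++ bleach/html5lib_shim.py` in place of the `bleach-3.1.0/...` paths) change the strip level the patch applies at, from -p1 to -p0, so the `%patch` invocation in python-bleach.spec must match; the spec hunk shown only bumps `Version`. The added tests/test_clean.py hunk replaces `bleach._vendor.html5lib.constants` with `html5lib.constants`, which means the parametrized GHSA-m6xf-fq7q-8743 regression test is generated from the system html5lib's `rcdataElements` rather than bleach's vendored copy; the tags the fix is verified against thus depend on the html5lib version installed at build time, which is worth recording in the changes entry.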
