
moin  1.9.0~rc2
MoinMoin.support.htmlmarkup.HTMLSanitizer Class Reference


Public Member Functions

def __init__
def handle_starttag
def handle_entityref
def handle_data
def handle_endtag

Public Attributes

 out
 waiting_for

Static Public Attributes

tuple safe_tags
tuple safe_attrs
tuple ignore_tags = frozenset(['html', 'body'])
tuple uri_attrs
tuple safe_schemes

Detailed Description

Definition at line 182 of file htmlmarkup.py.


Constructor & Destructor Documentation

Definition at line 214 of file htmlmarkup.py.

    def __init__(self, out):
        """Create a sanitizer that writes filtered markup to ``out``.

        :param out: file-like object with a ``write`` method; it receives
            the sanitized output produced by the ``handle_*`` callbacks.
        """
        HTMLParser.__init__(self)
        # Name of the disallowed tag whose subtree is currently being
        # dropped, or None while output is flowing normally.
        self.waiting_for = None
        self.out = out


Member Function Documentation

Definition at line 271 of file htmlmarkup.py.

    def handle_data(self, data):
        """Write character data, HTML-escaped, unless output is suppressed.

        While ``waiting_for`` names a disallowed tag, the text inside it is
        discarded.  The data ends up in element content rather than in an
        attribute value, which is presumably why ``escape`` is called with
        ``quotes=False``.
        """
        if self.waiting_for:
            return
        self.out.write(escape(data, quotes=False))

Definition at line 275 of file htmlmarkup.py.

    def handle_endtag(self, tag):
        """Emit an end tag, or consume it while output is suppressed.

        Tags in ``ignore_tags`` produce nothing.  While ``waiting_for`` is
        set only the matching end tag clears the suppression; any other end
        tag is swallowed.  Elements in ``_EMPTY_TAGS`` were already closed
        with ``/>`` by ``handle_starttag`` and therefore get no end tag.
        """
        if tag in self.ignore_tags:
            return
        pending = self.waiting_for
        if pending:
            if pending == tag:
                self.waiting_for = None
            return
        if tag in _EMPTY_TAGS:
            return
        self.out.write('</%s>' % tag)

Definition at line 267 of file htmlmarkup.py.

    def handle_entityref(self, name):
        """Re-emit a named entity reference as ``&name;``.

        Dropped while output is suppressed.  ``name`` is written back
        without further escaping; this relies on HTMLParser's tokenizer
        only delivering the bare reference name.  Numeric character
        references go through ``handle_charref``, which is not among the
        methods listed for this class.
        """
        if self.waiting_for:
            return
        self.out.write(''.join(('&', name, ';')))

def MoinMoin.support.htmlmarkup.HTMLSanitizer.handle_starttag (   self,
  tag,
  attrs 
)

Definition at line 219 of file htmlmarkup.py.

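    def handle_starttag(self, tag, attrs):
        """Emit a start tag after filtering it against the allow-lists.

        Tags in ``ignore_tags`` are dropped silently.  A tag that is not in
        ``safe_tags`` sets ``waiting_for`` so that everything up to its
        matching end tag is discarded (see ``handle_endtag``).  For an
        allowed tag only attributes in ``safe_attrs`` survive; URI-bearing
        attributes (``uri_attrs``) must use a scheme from ``safe_schemes``,
        and an inline ``style`` loses every declaration that contains
        ``expression``/``-moz-binding`` or a ``url()`` with a disallowed
        scheme.  Elements in ``_EMPTY_TAGS`` are closed with ``/>``.

        :param tag: lower-cased tag name as delivered by HTMLParser
        :param attrs: list of ``(name, value)`` pairs; ``value`` is None
            for a valueless attribute such as ``<input checked>``
        """
        if self.waiting_for:
            return
        if tag in self.ignore_tags:
            return

        if tag not in self.safe_tags:
            # Suppress this element and its whole subtree.
            self.waiting_for = tag
            return
        self.out.write('<' + tag)

        def _get_scheme(text):
            # Everything before the first ':' is the candidate scheme; all
            # non-alphanumeric characters are dropped before comparing, so
            # obfuscations such as "java\tscript:" still normalise to
            # "javascript".  None means "no scheme" (a relative reference).
            # This is deliberately conservative: "/a?b=c:d" yields "abcd"
            # and is rejected.
            if ':' not in text:
                return None
            chars = [char for char in text.split(':', 1)[0]
                     if char.isalnum()]
            return ''.join(chars).lower()

        def _clean_style(value):
            # Keep only declarations that carry neither an "expression" /
            # "-moz-binding" nor a url() with a disallowed scheme.  CSS is
            # case-insensitive and tolerates /* */ comments, so both checks
            # run on a lower-cased, comment-stripped copy of the declaration
            # (the original text is what gets emitted).  CSS backslash
            # escapes are not decoded here — TODO(review): confirm whether
            # that is acceptable for the target browsers.
            decls = []
            for decl in filter(None, value.split(';')):
                probe = re.sub(r'(?s)/\*.*?\*/', '', decl).lower()
                is_evil = 'expression' in probe or '-moz-binding' in probe
                if not is_evil:
                    for m in re.finditer(r'url\s*\(([^)]+)', probe):
                        if _get_scheme(m.group(1)) not in self.safe_schemes:
                            is_evil = True
                            break
                if not is_evil:
                    decls.append(decl.strip())
            return decls

        for attrname, attrval in attrs:
            if attrname not in self.safe_attrs:
                continue
            if attrval is None:
                # Valueless attribute (HTMLParser reports None); emit an
                # empty value instead of failing on None below.
                attrval = ''
            if attrname in self.uri_attrs:
                # Don't allow URI schemes such as "javascript:"
                if _get_scheme(attrval) not in self.safe_schemes:
                    continue
            elif attrname == 'style':
                # Remove dangerous CSS declarations from inline styles
                decls = _clean_style(attrval)
                if not decls:
                    continue
                attrval = '; '.join(decls)
            self.out.write(' ' + attrname + '="' + escape(attrval) + '"')

        if tag in _EMPTY_TAGS:
            self.out.write(' />')
        else:
            self.out.write('>')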


Member Data Documentation

tuple MoinMoin.support.htmlmarkup.HTMLSanitizer.ignore_tags = frozenset(['html', 'body']) [static]

Definition at line 207 of file htmlmarkup.py.

Definition at line 216 of file htmlmarkup.py.

Initial value:
frozenset(['abbr', 'accept', 'accept-charset',
        'accesskey', 'action', 'align', 'alt', 'axis', 'border', 'bgcolor',
        'cellpadding', 'cellspacing', 'char', 'charoff', 'charset',
        'checked', 'cite', 'class', 'clear', 'cols', 'colspan', 'color',
        'compact', 'coords', 'datetime', 'dir', 'disabled', 'enctype',
        'for', 'frame', 'headers', 'height', 'href', 'hreflang',
        'hspace', 'id', 'ismap', 'label', 'lang', 'longdesc',
        'maxlength', 'media', 'method', 'multiple', 'name', 'nohref',
        'noshade', 'nowrap', 'prompt', 'readonly', 'rel', 'rev', 'rows',
        'rowspan', 'rules', 'scope', 'selected', 'shape', 'size',
        'span', 'src', 'start', 'style', 'summary', 'tabindex',
        'target', 'title', 'type', 'usemap', 'valign', 'value',
        'vspace', 'width'])

Definition at line 194 of file htmlmarkup.py.

Initial value:
frozenset(['file', 'ftp', 'http', 'https', 'mailto',
                              None])

Definition at line 211 of file htmlmarkup.py.

Initial value:
frozenset(['a', 'abbr', 'acronym', 'address', 'area',
        'b', 'big', 'blockquote', 'br', 'button', 'caption', 'center',
        'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir',
        'div', 'dl', 'dt', 'em', 'fieldset', 'font', 'form', 'h1', 'h2',
        'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'input', 'ins', 'kbd',
        'label', 'legend', 'li', 'map', 'menu', 'ol', 'optgroup',
        'option', 'p', 'pre', 'q', 's', 'samp', 'select', 'small',
        'span', 'strike', 'strong', 'sub', 'sup', 'table', 'tbody',
        'td', 'textarea', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul',
        'var'])

Definition at line 184 of file htmlmarkup.py.

Initial value:
frozenset(['action', 'background', 'dynsrc', 'href',
                           'lowsrc', 'src'])

Definition at line 209 of file htmlmarkup.py.

Definition at line 217 of file htmlmarkup.py.

