def getplanned(self):
if self.planned is None:
return None
try:
return HTML(md.convert(self.planned)) | HTMLSanitizer()
except ParseError:
return self.planned
def gettags(self):
if self.tags is None:
return None
try:
return HTML(md.convert(self.tags)) | HTMLSanitizer()
except ParseError:
return self.tags
def comment(self, id, cancel=False, **data):
link = self.data.get(id)
if not link:
raise cherrypy.NotFound()
if cherrypy.request.method == 'POST':
if cancel:
raise cherrypy.HTTPRedirect('/info/%s' % link.id)
form = CommentForm()
try:
data = form.to_python(data)
markup = HTML(data['content']) | HTMLSanitizer()
data['content'] = markup.render('xhtml')
comment = link.add_comment(**data)
if not ajax.is_xhr():
raise cherrypy.HTTPRedirect('/info/%s' % link.id)
return template.render('_comment.html',
comment=comment,
num=len(link.comments))
except Invalid as e:
errors = e.unpack_errors()
else:
errors = {}
if ajax.is_xhr():
stream = template.render('_form.html', link=link, errors=errors)
else:
stream = template.render(link=link, comment=None, errors=errors)
return stream | HTMLFormFiller(data=data)
def render_html(self, data=None):
if data:
html = data.get("html") or None
if html:
html = HTML(html, "UTF-8")
sanitize = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS
| set(['style']))
return StringIO.StringIO(html | sanitize).getvalue()
return None
def save(self, encoding=None):
"""validate incoming html using genshi's HTMLSanitizer, throw an error if invalid (ie: anything changed in input)"""
# let creole content go through unverified, the parser will clean it up anyway
if self.blob.markup_language == 'ductus-html5':
html = HTML(self.text)
#TODO: define our own set of acceptable tags/attributes in settings.py
friendly_attrs = set(['data-gentics-aloha-repository', 'data-gentics-aloha-object-id', 'data-macro-name', 'data-tags', 'contenteditable'])
sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | friendly_attrs)
safe_html = html | sanitizer
if html.render() != safe_html.render():
raise ValidationError(u'invalid html content')
return super(Wikitext, self).save(encoding)
def html(macro, environ, *pos, **kw):
'''
Returns macro.body through an HTML sanitizer.
Can be used as both a block and inline element.
'''
#We want to make sure that there are no arguments and only a body.
if macro.arg_string or not macro.body:
return None
#Sanitize HTML. html5lib's sanitizer is more secure, but also buggier. So
#we're going to stick with genshi.
sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS
| set(['style']))
try:
sanitized_html = HTML(macro.body) | sanitizer
except ParseError:
return bldr.tag.p(
'There was an error in parsing the provided HTML. Please make sure that it is valid.',
class_='error')
return Markup(sanitized_html)
def sanitize_html(input):
"""
Sanitizes the given string or markup into text
Example::
>>> html = 'playnice<something>nasty<!-- javascript --></something>'
>>> sanitize_html(html)
'playnice'
>>> html = '<nasty>nasty<!-- javascript --></something>'
>>> sanitize_html(html)
''
>>> html = 'plain'
>>> sanitize_html(html)
'plain'
"""
if not input:
return ''
if type(input) in (types.StringType, types.UnicodeType, types.IntType):
input = HTML(input)
return str(input | HTMLSanitizer())
# Module: html
# Date: 12th July 2010
# Author: James Mills, prologic at shortcircuit dot net dot au
"""HTML Macros
Macros for generating snippets of HTML.
"""
from genshi.input import HTML
from genshi.core import Markup
from genshi.builder import tag
from genshi.filters import HTMLSanitizer
from genshi.output import HTMLSerializer
sanitizer = HTMLSanitizer()
serializer = HTMLSerializer()
from sahriswiki.highlight import highlight
def code(macro, environ, data, *args, **kwargs):
"""Displays a block of text with syntax highlighting in a HTML <pre>.
This macro uses the pygments syntax highlighter to render a block of
text given a specific language. For a list of available languages
that are supported by pygments see:
* [[http://pygments.org/languages/]]
If an invalid language is specified or a lexer cannot be found for the
given language (//given by the lang argument//) then the block of text
will be rendered unhighlighted.
def strip_message(message):
markup = HTML(message) | HTMLSanitizer()
return markup.render('xhtml')