Page Menu
Home
c4science
Search
Configure Global Search
Log In
Files
F64557857
htmlutils.py
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Subscribers
None
File Metadata
Details
File Info
Storage
Attached
Created
Mon, May 27, 18:53
Size
19 KB
Mime Type
text/x-python
Expires
Wed, May 29, 18:53 (2 d)
Engine
blob
Format
Raw Data
Handle
17922323
Attached To
R3600 invenio-infoscience
htmlutils.py
View Options
# -*- coding: utf-8 -*-
##
## This file is part of Invenio.
## Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, CERN.
##
## Invenio is free software; you can redistribute it and/or
## modify it under the terms of the GNU General Public License as
## published by the Free Software Foundation; either version 2 of the
## License, or (at your option) any later version.
##
## Invenio is distributed in the hope that it will be useful, but
## WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
## General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with Invenio; if not, write to the Free Software Foundation, Inc.,
## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
"""HTML utilities."""
__revision__
=
"$Id$"
from
HTMLParser
import
HTMLParser
from
invenio.config
import
CFG_SITE_URL
from
invenio.textutils
import
indent_text
import
re
import
cgi
try
:
from
invenio.fckeditor
import
fckeditor
fckeditor_available
=
True
except
ImportError
,
e
:
fckeditor_available
=
False
# List of allowed tags (tags that won't create any XSS risk)
cfg_html_buffer_allowed_tag_whitelist
=
(
'a'
,
'p'
,
'br'
,
'blockquote'
,
'strong'
,
'b'
,
'u'
,
'i'
,
'em'
,
'ul'
,
'ol'
,
'li'
,
'sub'
,
'sup'
,
'div'
,
'strike'
)
# List of allowed attributes. Be cautious, some attributes may be risky:
# <p style="background: url(myxss_suite.js)">
cfg_html_buffer_allowed_attribute_whitelist
=
(
'href'
,
'name'
,
'class'
)
## precompile some often-used regexp for speed reasons:
re_html
=
re
.
compile
(
"(?s)<[^>]*>|&#?\w+;"
)
def
nmtoken_from_string
(
text
):
"""
Returns a Nmtoken from a string.
It is useful to produce XHTML valid values for the 'name'
attribute of an anchor.
CAUTION: the function is surjective: 2 different texts might lead to
the same result. This is improbable on a single page.
Nmtoken is the type that is a mixture of characters supported in
attributes such as 'name' in HTML 'a' tag. For example,
<a name="Articles%20%26%20Preprints"> should be tranformed to
<a name="Articles372037263720Preprints"> using this function.
http://www.w3.org/TR/2000/REC-xml-20001006#NT-Nmtoken
Also note that this function filters more characters than
specified by the definition of Nmtoken ('CombiningChar' and
'Extender' charsets are filtered out).
"""
text
=
text
.
replace
(
'-'
,
'--'
)
return
''
.
join
(
[(
((
not
char
.
isalnum
()
and
not
char
in
[
'.'
,
'-'
,
'_'
,
':'
])
and
str
(
ord
(
char
)))
or
char
)
for
char
in
text
]
)
def
escape_html
(
text
,
escape_quotes
=
False
):
"""Escape all HTML tags, avoiding XSS attacks.
< => <
> => >
& => &:
@param text: text to be escaped from HTML tags
@param escape_quotes: if True, escape any quote mark to its HTML entity:
" => "
' => "
"""
text
=
text
.
replace
(
'&'
,
'&'
)
text
=
text
.
replace
(
'<'
,
'<'
)
text
=
text
.
replace
(
'>'
,
'>'
)
if
escape_quotes
:
text
=
text
.
replace
(
'"'
,
'"'
)
text
=
text
.
replace
(
"'"
,
'"'
)
return
text
class
HTMLWasher
(
HTMLParser
):
"""
Creates a washer for HTML, avoiding XSS attacks. See wash function for
details on parameters.
Usage::
from invenio.htmlutils import HTMLWasher
washer = HTMLWasher()
escaped_text = washer.wash(unescaped_text)
Examples::
a.wash('Spam and <b><blink>eggs</blink></b>')
=> 'Spam and <b>eggs</b>'
a.wash('Spam and <b><blink>eggs</blink></b>', True)
=> 'Spam and <b><blink>eggs</blink></b>'
a.wash('Spam and <b><a href="python.org">eggs</u></b>')
=> 'Spam and <b><a href="python.org">eggs</a></b>'
a.wash('Spam and <b><a href="javascript:xss();">eggs</a></b>')
=>'Spam and <b><a href="">eggs</a></b>'
a.wash('Spam and <b><a href="jaVas cRipt:xss();">poilu</a></b>')
=>'Spam and <b><a href="">eggs</a></b>'
"""
silent
=
False
def
__init__
(
self
):
""" Constructor; initializes washer """
HTMLParser
.
__init__
(
self
)
self
.
result
=
''
self
.
render_unallowed_tags
=
False
self
.
allowed_tag_whitelist
=
\
cfg_html_buffer_allowed_tag_whitelist
self
.
allowed_attribute_whitelist
=
\
cfg_html_buffer_allowed_attribute_whitelist
# javascript:
self
.
re_js
=
re
.
compile
(
".*(j|j|J)"
\
"\s*(a|a|A)"
\
"\s*(v|v|V)"
\
"\s*(a|a|A)"
\
"\s*(s|s|S)"
\
"\s*(c|c|C)"
\
"\s*(r|r|R)"
\
"\s*(i|Ã|I)"
\
"\s*(p|p|P)"
\
"\s*(t|p|T)"
\
"\s*(:|:).*"
,
re
.
IGNORECASE
|
re
.
DOTALL
)
# vbscript:
self
.
re_vb
=
re
.
compile
(
".*(v|v|V)"
\
"\s*(b|b|B)"
\
"\s*(s|s|S)"
\
"\s*(c|c|C)"
\
"\s*(r|r|R)"
\
"\s*(i|Ã|I)"
\
"\s*(p|p|P)"
\
"\s*(t|p|T)"
\
"\s*(:|:).*"
,
re
.
IGNORECASE
|
re
.
DOTALL
)
def
wash
(
self
,
html_buffer
,
render_unallowed_tags
=
False
,
allowed_tag_whitelist
=
cfg_html_buffer_allowed_tag_whitelist
,
allowed_attribute_whitelist
=
\
cfg_html_buffer_allowed_attribute_whitelist
):
"""
Wash HTML buffer, escaping XSS attacks.
@param html_buffer: text to escape
@param render_unallowed_tags: if True, print unallowed tags escaping
< and >. Else, only print content of unallowed tags.
@param allowed_tag_whitelist: list of allowed tags
@param allowed_attribute_whitelist: list of allowed attributes
"""
self
.
reset
()
self
.
result
=
''
self
.
render_unallowed_tags
=
render_unallowed_tags
self
.
allowed_tag_whitelist
=
allowed_tag_whitelist
self
.
allowed_attribute_whitelist
=
allowed_attribute_whitelist
self
.
feed
(
html_buffer
)
self
.
close
()
return
self
.
result
def
handle_starttag
(
self
,
tag
,
attrs
):
"""Function called for new opening tags"""
if
tag
.
lower
()
in
self
.
allowed_tag_whitelist
:
self
.
result
+=
'<'
+
tag
for
(
attr
,
value
)
in
attrs
:
if
attr
.
lower
()
in
self
.
allowed_attribute_whitelist
:
self
.
result
+=
'
%s
="
%s
"'
%
\
(
attr
,
self
.
handle_attribute_value
(
value
))
self
.
result
+=
'>'
else
:
if
self
.
render_unallowed_tags
:
self
.
result
+=
'<'
+
cgi
.
escape
(
tag
)
for
(
attr
,
value
)
in
attrs
:
self
.
result
+=
'
%s
="
%s
"'
%
\
(
attr
,
cgi
.
escape
(
value
,
True
))
self
.
result
+=
'>'
elif
tag
==
'style'
or
tag
==
'script'
:
# In that case we want to remove content too
self
.
silent
=
True
def
handle_data
(
self
,
data
):
"""Function called for text nodes"""
if
not
self
.
silent
:
self
.
result
+=
cgi
.
escape
(
data
,
True
)
def
handle_endtag
(
self
,
tag
):
"""Function called for ending of tags"""
if
tag
.
lower
()
in
self
.
allowed_tag_whitelist
:
self
.
result
+=
'</'
+
tag
+
'>'
else
:
if
self
.
render_unallowed_tags
:
self
.
result
+=
'</'
+
cgi
.
escape
(
tag
)
+
'>'
if
tag
==
'style'
or
tag
==
'script'
:
self
.
silent
=
False
def
handle_startendtag
(
self
,
tag
,
attrs
):
"""Function called for empty tags (e.g. <br />)"""
if
tag
.
lower
()
in
self
.
allowed_tag_whitelist
:
self
.
result
+=
'<'
+
tag
for
(
attr
,
value
)
in
attrs
:
if
attr
.
lower
()
in
self
.
allowed_attribute_whitelist
:
self
.
result
+=
'
%s
="
%s
"'
%
\
(
attr
,
self
.
handle_attribute_value
(
value
))
self
.
result
+=
' />'
else
:
if
self
.
render_unallowed_tags
:
self
.
result
+=
'<'
+
cgi
.
escape
(
tag
)
for
(
attr
,
value
)
in
attrs
:
self
.
result
+=
'
%s
="
%s
"'
%
\
(
attr
,
cgi
.
escape
(
value
,
True
))
self
.
result
+=
' />'
def
handle_attribute_value
(
self
,
value
):
"""Check attribute. Especially designed for avoiding URLs in the form:
javascript:myXSSFunction();"""
if
self
.
re_js
.
match
(
value
)
or
self
.
re_vb
.
match
(
value
):
return
''
return
value
def
handle_charref
(
self
,
name
):
"""Process character references of the form "&#ref;". Return it as it is."""
self
.
result
+=
'&#'
+
name
+
';'
def
handle_entityref
(
self
,
name
):
"""Process a general entity reference of the form "&name;".
Return it as it is."""
self
.
result
+=
'&'
+
name
+
';'
def
get_html_text_editor
(
name
,
id
=
None
,
content
=
''
,
textual_content
=
None
,
width
=
'300px'
,
height
=
'200px'
,
enabled
=
True
,
file_upload_url
=
None
,
toolbar_set
=
"Basic"
,
custom_configurations_path
=
'/fckeditor/invenio-fckeditor-config.js'
):
"""
Returns a wysiwyg editor (FCKeditor) to embed in html pages.
Fall back to a simple textarea when the library is not installed,
or when the user's browser is not compatible with the editor, or
when 'enable' is False, or when javascript is not enabled.
NOTE that the output also contains a hidden field named
'editor_type' that contains the kind of editor used, 'textarea' or
'fckeditor'.
Based on 'editor_type' you might want to take different actions,
like replace CRLF with <br/> when editor_type equals to
'textarea', but not when editor_type equals to 'fckeditor'.
@param name: *str* the name attribute of the returned editor
@param id: *str* the id attribute of the returned editor (when
applicable)
@param content: *str* the default content of the editor.
@param textual_content: *str* a content formatted for the case where the
wysiwyg editor is not available for user. When not
specified, use value of 'content'
@param width: *str* width of the editor in an html compatible unit:
Eg: '400px', '50%'.
@param height: *str* height of the editor in an html compatible unit:
Eg: '400px', '50%'.
@param enabled: *bool* if the wysiwyg editor is return (True) or if a
simple texteara is returned (False)
@param file_upload_url: *str* the URL used to upload new files via the
editor upload panel. You have to implement the
handler for your own use. The URL handler will get
form variables 'File' as POST for the uploaded file,
and 'Type' as GET for the type of file ('file',
'image', 'flash', 'media')
When value is not given, the file upload is disabled.
@param toolbar_set: *str* the name of the toolbar layout to
use. FCKeditor comes by default with 'Basic' and
'Default'. To define other sets, customize the
config file in
/opt/invenio/var/www/fckeditor/invenio-fckconfig.js
@param custom_configurations_path: *str* value for the FCKeditor config
variable 'CustomConfigurationsPath',
which allows to specify the path of a
file that contains a custom configuration
for the editor. The path is relative to
/opt/invenio/var/www/
@return: the HTML markup of the editor
"""
if
textual_content
is
None
:
textual_content
=
content
editor
=
''
if
enabled
and
fckeditor_available
:
# Prepare upload path settings
if
file_upload_url
is
not
None
:
file_upload_script
=
'''
oFCKeditor.Config["LinkUploadURL"] = '%(file_upload_url)s';
oFCKeditor.Config["ImageUploadURL"] = '%(file_upload_url)s%%3Ftype%%3DImage';
oFCKeditor.Config["FlashUploadURL"] = '%(file_upload_url)s%%3Ftype%%3DFlash';
oFCKeditor.Config["MediaUploadURL"] = '%(file_upload_url)s%%3Ftype%%3DMedia';
oFCKeditor.Config["LinkUpload"] = true;
oFCKeditor.Config["ImageUpload"] = true;
oFCKeditor.Config["FlashUpload"] = true;
'''
%
{
'file_upload_url'
:
file_upload_url
}
else
:
file_upload_script
=
'''
oFCKeditor.Config["LinkUpload"] = false;
oFCKeditor.Config["ImageUpload"] = false;
oFCKeditor.Config["FlashUpload"] = false;
'''
# Prepare code to instantiate an editor
editor
+=
'''
<script type="text/javascript" src="%(CFG_SITE_URL)s/fckeditor/fckeditor.js"></script>
<input type="hidden" name="editor_type" id="%(name)seditortype" value="textarea" />
<textarea id="%(id)s" name="%(name)s" style="width:%(width)s;height:%(height)s">%(textual_content)s</textarea>
<textarea id="%(id)shtmlvalue" name="%(name)shtmlvalue" style="display:None;width:%(width)s;height:%(height)s">%(html_content)s</textarea>
<script type="text/javascript">
var oFCKeditor = new FCKeditor('%(name)s', '%(width)s', '%(height)s', '%(toolbar)s') ;
oFCKeditor.BasePath = "/fckeditor/" ;
oFCKeditor.Config["CustomConfigurationsPath"] = '%(custom_configurations_path)s';
/* Set paths to upload files */
%(file_upload_script)s
/* Disable browsing on the server, which would not work anyway */
oFCKeditor.Config["LinkBrowser"] = false;
oFCKeditor.Config["ImageBrowser"] = false;
oFCKeditor.Config["FlashBrowser"] = false;
oFCKeditor.ReplaceTextarea() ;
function FCKeditor_OnComplete( editorInstance )
{
/* If FCKeditor was correctly loaded, display the nice HTML representation */
var oEditor = FCKeditorAPI.GetInstance('%(name)s');
var html_editor = document.getElementById('%(id)shtmlvalue');
oEditor.SetHTML(html_editor.value);
var editor_type_field = document.getElementById('%(name)seditortype');
editor_type_field.value = 'fckeditor';
}
</script>
'''
%
\
{
'textual_content'
:
cgi
.
escape
(
textual_content
),
'html_content'
:
content
,
'width'
:
width
,
'height'
:
height
,
'name'
:
name
,
'id'
:
id
or
name
,
'custom_configurations_path'
:
custom_configurations_path
,
'toolbar'
:
toolbar_set
,
'file_upload_script'
:
file_upload_script
,
'CFG_SITE_URL'
:
CFG_SITE_URL
}
else
:
# FCKedior is not installed
textarea
=
'<textarea
%(id)s
name="
%(name)s
" style="width:
%(width)s
;height:
%(height)s
">
%(content)s
</textarea>'
\
%
{
'content'
:
cgi
.
escape
(
textual_content
),
'width'
:
width
,
'height'
:
height
,
'name'
:
name
,
'id'
:
id
and
(
'id="
%s
"'
%
id
)
or
''
}
editor
+=
textarea
editor
+=
'<input type="hidden" name="editor_type" value="textarea" />'
return
editor
def
remove_html_markup
(
text
,
replacechar
=
' '
):
"""
Remove HTML markup from text.
@param text: Input text.
@type text: string.
@param replacechar: By which character should we replace HTML markup.
Usually, a single space or an empty string are nice values.
@type replacechar: string
@return: Input text with HTML markup removed.
@rtype: string
"""
return
re_html
.
sub
(
replacechar
,
text
)
def
create_html_tag
(
tag
,
body
=
None
,
escape_body
=
False
,
escape_attr
=
True
,
indent
=
0
,
attrs
=
None
,
**
other_attrs
):
"""
Create an HTML tag.
This function create a full HTML tag, putting toghether an
optional inner body and a dictionary of attributes.
>>> print create_html_tag ("select", create_html_tag("h1",
... "hello", other_attrs={'class': "foo"}))
<select>
<h1 class="foo">
hello
</h1>
</select>
@param tag: the tag (e.g. "select", "body", "h1"...).
@type tag: string
@param body: some text/HTML to put in the body of the tag (this
body will be indented WRT the tag).
@type body: string
@param escape_body: wether the body (if any) must be escaped.
@type escape_body: boolean
@param escape_attr: wether the attribute values (if any) must be
escaped.
@type escape_attr: boolean
@param indent: number of level of indentation for the tag.
@type indent: integer
@param attrs: map of attributes to add to the tag.
@type attrs: dict
@return: the HTML tag.
@rtype: string
"""
if
attrs
is
None
:
attrs
=
{}
attrs
.
update
(
other_attrs
)
out
=
"<
%s
"
%
tag
for
key
,
value
in
attrs
.
iteritems
():
if
escape_attr
:
value
=
escape_html
(
value
,
escape_quotes
=
True
)
out
+=
'
%s
="
%s
"'
%
(
key
,
value
)
if
body
:
out
+=
">
\n
"
if
escape_body
:
body
=
escape_html
(
body
)
out
+=
indent_text
(
body
,
1
)
out
+=
"</
%s
>"
%
tag
else
:
out
+=
" />"
out
=
indent_text
(
out
,
indent
)
out
=
out
[:
-
1
]
# Let's remove trailing new line
return
out
def
create_html_select
(
options
,
selected
=
None
,
attrs
=
None
,
**
other_attrs
):
"""
Create an HTML select box.
>>> print create_html_select(["foo", "bar"], selected="bar", name="baz")
<select name="baz">
<option selected="selected">
bar
</option>
<option>
foo
</option>
</select>
>>> print create_html_select({"foo": "oof", "bar": "rab"}, selected="bar", name="baz")
<select name="baz">
<option value="foo">
oof
</option>
<option selected="selected" value="bar">
rab
</option>
</select>
@param options: this can either be a sequence of strings or a map of
C{key->value}. In the former case, the C{select} tag will contain
a list of C{option} tags (in alphabetical order), where the
C{value} attribute is not specified. In the latter case, the
C{value} attribute will be set to the C{key}, while the body
of the C{option} will be set to C{value}.
@type options: sequence or map
@param selected: optional key/value to select by default. In case
a map has been used for options, C{selected} must be set to an
existing C{key}, otherwise it must be set to an existing
C{value}.
@type selected: string
@param attrs: optional attributes to create the select tag.
@type attrs: dict
@param other_attrs: other optional attributes.
@return: the HTML output.
@rtype: string
@note: the values and keys will be escaped for HTML.
"""
body
=
[]
try
:
items
=
options
.
items
()
items
.
sort
(
lambda
item1
,
item2
:
cmp
(
item1
[
1
],
item2
[
1
]))
for
key
,
value
in
items
:
option_attrs
=
key
==
selected
and
{
"selected"
:
"selected"
}
or
{}
body
.
append
(
create_html_tag
(
"option"
,
body
=
value
,
escape_body
=
True
,
value
=
key
,
attrs
=
option_attrs
))
except
AttributeError
:
options
.
sort
()
for
value
in
options
:
option_attrs
=
value
==
selected
and
{
"selected"
:
"selected"
}
or
{}
body
.
append
(
create_html_tag
(
"option"
,
body
=
value
,
escape_body
=
True
,
attrs
=
option_attrs
))
return
create_html_tag
(
"select"
,
body
=
'
\n
'
.
join
(
body
),
attrs
=
attrs
,
**
other_attrs
)
Event Timeline
Log In to Comment