Removed deprecated safe_mode.

Author: waylan

markdown/core.py

@@ -68,10 +68,6 @@ def __init__(self, **kwargs):
  Note that it is suggested that the more specific formats ("xhtml1"
  and "html4") be used as "xhtml" or "html" may change in the future
  if it makes sense at that time.
- * safe_mode: Deprecated! Disallow raw html. One of "remove", "replace"
- or "escape".
- * html_replacement_text: Deprecated! Text used when safe_mode is set
- to "replace".
  * tab_length: Length of tabs in the source. Default: 4
  * enable_attributes: Enable the conversion of attributes. Default: True
  * smart_emphasis: Treat `_connected_words_` intelligently Default: True
@@ -83,24 +79,6 @@ def __init__(self, **kwargs):
  for option, default in self.option_defaults.items():
  setattr(self, option, kwargs.get(option, default))
 
- self.safeMode = kwargs.get('safe_mode', False)
- if self.safeMode and 'enable_attributes' not in kwargs:
- # Disable attributes in safeMode when not explicitly set
- self.enable_attributes = False
-
- if 'safe_mode' in kwargs:
- warnings.warn('"safe_mode" is deprecated in Python-Markdown. '
- 'Use an HTML sanitizer (like '
- 'Bleach http://bleach.readthedocs.org/) '
- 'if you are parsing untrusted markdown text. '
- 'See the 2.6 release notes for more info',
- DeprecationWarning)
-
- if 'html_replacement_text' in kwargs:
- warnings.warn('The "html_replacement_text" keyword is '
- 'deprecated along with "safe_mode".',
- DeprecationWarning)
-
  self.registeredExtensions = []
  self.docType = ""
  self.stripTopLevelTags = True

markdown/extensions/codehilite.py

@@ -215,8 +215,7 @@ def run(self, root):
  tab_length=self.markdown.tab_length,
  use_pygments=self.config['use_pygments']
  )
- placeholder = self.markdown.htmlStash.store(code.hilite(),
- safe=True)
+ placeholder = self.markdown.htmlStash.store(code.hilite())
  # Clear codeblock in etree instance
  block.clear()
  # Change to p element which will later

markdown/extensions/extra.py

@@ -58,15 +58,14 @@ def __init__(self, *args, **kwargs):
  def extendMarkdown(self, md, md_globals):
  """ Register extension instances. """
  md.registerExtensions(extensions, self.config)
- if not md.safeMode:
- # Turn on processing of markdown text within raw html
- md.preprocessors['html_block'].markdown_in_raw = True
- md.parser.blockprocessors.add('markdown_block',
- MarkdownInHtmlProcessor(md.parser),
- '_begin')
- md.parser.blockprocessors.tag_counter = -1
- md.parser.blockprocessors.contain_span_tags = re.compile(
- r'^(p|h[1-6]|li|dd|dt|td|th|legend|address)$', re.IGNORECASE)
+ # Turn on processing of markdown text within raw html
+ md.preprocessors['html_block'].markdown_in_raw = True
+ md.parser.blockprocessors.add('markdown_block',
+ MarkdownInHtmlProcessor(md.parser),
+ '_begin')
+ md.parser.blockprocessors.tag_counter = -1
+ md.parser.blockprocessors.contain_span_tags = re.compile(
+ r'^(p|h[1-6]|li|dd|dt|td|th|legend|address)$', re.IGNORECASE)
 
 
 def makeExtension(*args, **kwargs):

markdown/extensions/fenced_code.py

@@ -91,7 +91,7 @@ def run(self, lines):
  code = self.CODE_WRAP % (lang,
  self._escape(m.group('code')))
 
- placeholder = self.markdown.htmlStash.store(code, safe=True)
+ placeholder = self.markdown.htmlStash.store(code)
  text = '%s\n%s\n%s' % (text[:m.start()],
  placeholder,
  text[m.end():])

markdown/extensions/smarty.py

@@ -161,7 +161,7 @@ def handleMatch(self, m):
  if isinstance(part, int):
  result += m.group(part)
  else:
- result += self.markdown.htmlStash.store(part, safe=True)
+ result += self.markdown.htmlStash.store(part)
  return result
 
 

markdown/extensions/toc.py

@@ -49,11 +49,9 @@ def stashedHTML2text(text, md):
  def _html_sub(m):
  """ Substitute raw html with plain text. """
  try:
- raw, safe = md.htmlStash.rawHtmlBlocks[int(m.group(1))]
+ raw = md.htmlStash.rawHtmlBlocks[int(m.group(1))]
  except (IndexError, TypeError): # pragma: no cover
  return m.group(0)
- if md.safeMode and not safe: # pragma: no cover
- return ''
  # Strip out tags and entities - leaveing text
  return re.sub(r'(<[^>]+>)|(&[\#a-zA-Z0-9]+;)', '', raw)
 

markdown/inlinepatterns.py

@@ -73,8 +73,7 @@ def build_inlinepatterns(md_instance, **kwargs):
  inlinePatterns["autolink"] = AutolinkPattern(AUTOLINK_RE, md_instance)
  inlinePatterns["automail"] = AutomailPattern(AUTOMAIL_RE, md_instance)
  inlinePatterns["linebreak"] = SubstituteTagPattern(LINE_BREAK_RE, 'br')
- if md_instance.safeMode != 'escape':
- inlinePatterns["html"] = HtmlPattern(HTML_RE, md_instance)
+ inlinePatterns["html"] = HtmlPattern(HTML_RE, md_instance)
  inlinePatterns["entity"] = HtmlPattern(ENTITY_RE, md_instance)
  inlinePatterns["not_strong"] = SimpleTextPattern(NOT_STRONG_RE)
  inlinePatterns["em_strong"] = DoubleTagPattern(EM_STRONG_RE, 'strong,em')
@@ -201,8 +200,6 @@ def __init__(self, pattern, markdown_instance=None):
  self.compiled_re = re.compile("^(.*?)%s(.*?)$" % pattern,
  re.DOTALL | re.UNICODE)
 
- # Api for Markdown to pass safe_mode into instance
- self.safe_mode = False
  if markdown_instance:
  self.markdown = markdown_instance
 
@@ -362,7 +359,7 @@ def handleMatch(self, m):
  if href:
  if href[0] == "<":
  href = href[1:-1]
- el.set("href", self.sanitize_url(self.unescape(href.strip())))
+ el.set("href", self.unescape(href.strip()))
  else:
  el.set("href", "")
 
@@ -371,52 +368,6 @@ def handleMatch(self, m):
  el.set("title", title)
  return el
 
- def sanitize_url(self, url):
- """
- Sanitize a url against xss attacks in "safe_mode".
-
- Rather than specifically blacklisting `javascript:alert("XSS")` and all
- its aliases (see <http://ha.ckers.org/xss.html>), we whitelist known
- safe url formats. Most urls contain a network location, however some
- are known not to (i.e.: mailto links). Script urls do not contain a
- location. Additionally, for `javascript:...`, the scheme would be
- "javascript" but some aliases will appear to `urlparse()` to have no
- scheme. On top of that relative links (i.e.: "foo/bar.html") have no
- scheme. Therefore we must check "path", "parameters", "query" and
- "fragment" for any literal colons. We don't check "scheme" for colons
- because it *should* never have any and "netloc" must allow the form:
- `username:password@host:port`.
-
- """
- if not self.markdown.safeMode:
- # Return immediately bipassing parsing.
- return url
-
- try:
- scheme, netloc, path, params, query, fragment = url = urlparse(url)
- except ValueError: # pragma: no cover
- # Bad url - so bad it couldn't be parsed.
- return ''
-
- locless_schemes = ['', 'mailto', 'news']
- allowed_schemes = locless_schemes + ['http', 'https', 'ftp', 'ftps']
- if scheme not in allowed_schemes:
- # Not a known (allowed) scheme. Not safe.
- return ''
-
- if netloc == '' and scheme not in locless_schemes: # pragma: no cover
- # This should not happen. Treat as suspect.
- return ''
-
- for part in url[2:]:
- if ":" in part:
- # A colon in "path", "parameters", "query"
- # or "fragment" is suspect.
- return ''
-
- # Url passes all tests. Return url as-is.
- return urlunparse(url)
-
 
 class ImagePattern(LinkPattern):
  """ Return a img element from the given match. """
@@ -427,7 +378,7 @@ def handleMatch(self, m):
  src = src_parts[0]
  if src[0] == "<" and src[-1] == ">":
  src = src[1:-1]
- el.set('src', self.sanitize_url(self.unescape(src)))
+ el.set('src', self.unescape(src))
  else:
  el.set('src', "")
  if len(src_parts) > 1:
@@ -469,7 +420,7 @@ def handleMatch(self, m):
  def makeTag(self, href, title, text):
  el = util.etree.Element('a')
 
- el.set('href', self.sanitize_url(href))
+ el.set('href', href)
  if title:
  el.set('title', title)
 
@@ -481,7 +432,7 @@ class ImageReferencePattern(ReferencePattern):
  """ Match to a stored reference and return img element. """
  def makeTag(self, href, title, text):
  el = util.etree.Element("img")
- el.set("src", self.sanitize_url(href))
+ el.set("src", href)
  if title:
  el.set("title", title)
 

markdown/postprocessors.py

@@ -49,35 +49,19 @@ class RawHtmlPostprocessor(Postprocessor):
  """ Restore raw html to the document. """
 
  def run(self, text):
- """ Iterate over html stash and restore "safe" html. """
+ """ Iterate over html stash and restore html. """
  for i in range(self.markdown.htmlStash.html_counter):
- html, safe = self.markdown.htmlStash.rawHtmlBlocks[i]
- if self.markdown.safeMode and not safe:
- if str(self.markdown.safeMode).lower() == 'escape':
- html = self.escape(html)
- elif str(self.markdown.safeMode).lower() == 'remove':
- html = ''
- else:
- html = self.markdown.html_replacement_text
- if (self.isblocklevel(html) and
- (safe or not self.markdown.safeMode)):
+ html = self.markdown.htmlStash.rawHtmlBlocks[i]
+ if self.isblocklevel(html):
  text = text.replace(
- "<p>%s</p>" %
- (self.markdown.htmlStash.get_placeholder(i)),
+ "<p>%s</p>" % (self.markdown.htmlStash.get_placeholder(i)),
  html + "\n"
  )
  text = text.replace(
  self.markdown.htmlStash.get_placeholder(i), html
  )
  return text
 
- def escape(self, html):
- """ Basic html escaping """
- html = html.replace('&', '&amp;')
- html = html.replace('<', '&lt;')
- html = html.replace('>', '&gt;')
- return html.replace('"', '&quot;')
-
  def isblocklevel(self, html):
  m = re.match(r'^\<\/?([^ >]+)', html)
  if m:

markdown/preprocessors.py

@@ -17,8 +17,7 @@ def build_preprocessors(md_instance, **kwargs):
  """ Build the default set of preprocessors used by Markdown. """
  preprocessors = odict.OrderedDict()
  preprocessors['normalize_whitespace'] = NormalizeWhitespace(md_instance)
- if md_instance.safeMode != 'escape':
- preprocessors["html_block"] = HtmlBlockPreprocessor(md_instance)
+ preprocessors["html_block"] = HtmlBlockPreprocessor(md_instance)
  preprocessors["reference"] = ReferencePreprocessor(md_instance)
  return preprocessors
 

markdown/util.py

@@ -141,7 +141,7 @@ def __init__(self):
  self.tag_counter = 0
  self.tag_data = [] # list of dictionaries in the order tags appear
 
- def store(self, html, safe=False):
+ def store(self, html):
  """
  Saves an HTML segment for later reinsertion. Returns a
  placeholder string that needs to be inserted into the
@@ -150,12 +150,11 @@ def store(self, html, safe=False):
  Keyword arguments:
 
  * html: an html segment
- * safe: label an html segment as safe for safemode
 
  Returns : a placeholder string
 
  """
- self.rawHtmlBlocks.append((html, safe))
+ self.rawHtmlBlocks.append(html)
  placeholder = self.get_placeholder(self.html_counter)
  self.html_counter += 1
  return placeholder