From 57f2ca1a215c9fa05846317850f6bcf43b5e7f92 Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Tue, 31 Jan 2023 10:59:21 -0500 Subject: [PATCH] fix: Prepare for the bleach 6.0.0 upgrad. Changelog: https://bleach.readthedocs.io/en/latest/changes.html#version-6-0-0-january-23rd-2023 The major change is that the tags and protocols attributes and related constants are expected to be sets rather than lists. --- lms/djangoapps/discussion/rest_api/render.py | 6 +++--- lms/templates/courseware/progress_graph.js | 2 +- openedx/core/djangolib/markup.py | 2 +- requirements/constraints.txt | 4 ---- xmodule/capa/util.py | 10 +++++----- 5 files changed, 10 insertions(+), 14 deletions(-) diff --git a/lms/djangoapps/discussion/rest_api/render.py b/lms/djangoapps/discussion/rest_api/render.py index fb302423c8..44e2d8b692 100644 --- a/lms/djangoapps/discussion/rest_api/render.py +++ b/lms/djangoapps/discussion/rest_api/render.py @@ -7,11 +7,11 @@ implemented in Markdown.Sanitizer.js. import bleach import markdown -ALLOWED_TAGS = bleach.ALLOWED_TAGS + [ +ALLOWED_TAGS = bleach.ALLOWED_TAGS | { 'br', 'dd', 'del', 'dl', 'dt', 'h1', 'h2', 'h3', 'h4', 'hr', 'img', 'kbd', 'p', 'pre', 's', 'strike', 'sub', 'sup' -] -ALLOWED_PROTOCOLS = ["http", "https", "ftp", "mailto"] +} +ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"} ALLOWED_ATTRIBUTES = { "a": ["href", "title", "target", "rel"], "img": ["src", "alt", "title", "width", "height"], diff --git a/lms/templates/courseware/progress_graph.js b/lms/templates/courseware/progress_graph.js index d2a10e511f..5a1d64c36e 100644 --- a/lms/templates/courseware/progress_graph.js +++ b/lms/templates/courseware/progress_graph.js @@ -74,7 +74,7 @@ $(function () { ## allowing the display of such images, and remove any previously stored HTML ## to prevent ugly HTML from being shown to learners. ## xss-lint: disable=javascript-jquery-append - ticks.append( [tickIndex, bleach.clean(section['label'], tags=[], strip=True)] ) + ticks.append( [tickIndex, bleach.clean(section['label'], tags=set(), strip=True)] ) if section['category'] in detail_tooltips: ## xss-lint: disable=javascript-jquery-append diff --git a/openedx/core/djangolib/markup.py b/openedx/core/djangolib/markup.py index 8dd5e3699e..3009f1d53f 100644 --- a/openedx/core/djangolib/markup.py +++ b/openedx/core/djangolib/markup.py @@ -53,7 +53,7 @@ def strip_all_tags_but_br(string_to_strip): string_to_strip = "" string_to_strip = decode.utf8(string_to_strip) - string_to_strip = bleach.clean(string_to_strip, tags=['br'], strip=True) + string_to_strip = bleach.clean(string_to_strip, tags={'br'}, strip=True) return HTML(string_to_strip) diff --git a/requirements/constraints.txt b/requirements/constraints.txt index f3a3cbda55..da0f29e424 100644 --- a/requirements/constraints.txt +++ b/requirements/constraints.txt @@ -75,7 +75,3 @@ pyopenssl==22.0.0 cryptography==38.0.4 # greater version has some issues with openssl. - -# These two constraints will be removed in this PR: https://github.com/openedx/edx-platform/pull/31678 -bleach[css]==5.0.1 # greater version has some breaking changes. -openedx-django-wiki<2.0.0 # greater version needs bleech >6.0.0 diff --git a/xmodule/capa/util.py b/xmodule/capa/util.py index 66e7b12390..ada0818a39 100644 --- a/xmodule/capa/util.py +++ b/xmodule/capa/util.py @@ -191,8 +191,8 @@ def sanitize_html(html_code): }) output = bleach.clean( html_code, - protocols=bleach.ALLOWED_PROTOCOLS + ['data'], - tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'], + protocols=bleach.ALLOWED_PROTOCOLS | {'data'}, + tags=bleach.ALLOWED_TAGS | {'div', 'p', 'audio', 'pre', 'img', 'span'}, css_sanitizer=CSSSanitizer(allowed_css_properties=["white-space"]), attributes=attributes ) @@ -216,12 +216,12 @@ def remove_markup(html): """ Return html with markup stripped and text HTML-escaped. - >>> bleach.clean("Rock & Roll", tags=[], strip=True) + >>> bleach.clean("Rock & Roll", tags=set(), strip=True) 'Rock & Roll' - >>> bleach.clean("Rock & Roll", tags=[], strip=True) + >>> bleach.clean("Rock & Roll", tags=set(), strip=True) 'Rock & Roll' """ - return HTML(bleach.clean(html, tags=[], strip=True)) + return HTML(bleach.clean(html, tags=set(), strip=True)) def get_course_id_from_capa_block(capa_block):