From 57f2ca1a215c9fa05846317850f6bcf43b5e7f92 Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Tue, 31 Jan 2023 10:59:21 -0500 Subject: [PATCH 1/5] fix: Prepare for the bleach 6.0.0 upgrad. Changelog: https://bleach.readthedocs.io/en/latest/changes.html#version-6-0-0-january-23rd-2023 The major change is that the tags and protocols attributes and related constants are expected to be sets rather than lists. --- lms/djangoapps/discussion/rest_api/render.py | 6 +++--- lms/templates/courseware/progress_graph.js | 2 +- openedx/core/djangolib/markup.py | 2 +- requirements/constraints.txt | 4 ---- xmodule/capa/util.py | 10 +++++----- 5 files changed, 10 insertions(+), 14 deletions(-) diff --git a/lms/djangoapps/discussion/rest_api/render.py b/lms/djangoapps/discussion/rest_api/render.py index fb302423c8..44e2d8b692 100644 --- a/lms/djangoapps/discussion/rest_api/render.py +++ b/lms/djangoapps/discussion/rest_api/render.py @@ -7,11 +7,11 @@ implemented in Markdown.Sanitizer.js. import bleach import markdown -ALLOWED_TAGS = bleach.ALLOWED_TAGS + [ +ALLOWED_TAGS = bleach.ALLOWED_TAGS | { 'br', 'dd', 'del', 'dl', 'dt', 'h1', 'h2', 'h3', 'h4', 'hr', 'img', 'kbd', 'p', 'pre', 's', 'strike', 'sub', 'sup' -] -ALLOWED_PROTOCOLS = ["http", "https", "ftp", "mailto"] +} +ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"} ALLOWED_ATTRIBUTES = { "a": ["href", "title", "target", "rel"], "img": ["src", "alt", "title", "width", "height"], diff --git a/lms/templates/courseware/progress_graph.js b/lms/templates/courseware/progress_graph.js index d2a10e511f..5a1d64c36e 100644 --- a/lms/templates/courseware/progress_graph.js +++ b/lms/templates/courseware/progress_graph.js 
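Review bot: `bleach.ALLOWED_TAGS | {...}` takes the type of bleach's constant, which in bleach 6 is a frozenset, so this module's `ALLOWED_TAGS` changes from a mutable list to an immutable frozenset while `ALLOWED_PROTOCOLS` becomes a plain set; any other module that extends these names with `+ [...]` or `.append(...)` will now fail, so a grep for other consumers of both constants is worth doing before merging. A one-line comment would make the new constraint visible to the next maintainer, e.g. `# bleach>=6 expects set-like tag/protocol allow-lists; bleach.ALLOWED_TAGS is a frozenset, so the union is one too.` The values of `ALLOWED_ATTRIBUTES` remain lists, which I believe bleach 6 still accepts, but they are no longer in the same shape as the other two allow-lists, and a reader may wonder whether that is deliberate.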
@@ -74,7 +74,7 @@ $(function () { ## allowing the display of such images, and remove any previously stored HTML ## to prevent ugly HTML from being shown to learners. ## xss-lint: disable=javascript-jquery-append - ticks.append( [tickIndex, bleach.clean(section['label'], tags=[], strip=True)] ) + ticks.append( [tickIndex, bleach.clean(section['label'], tags=set(), strip=True)] ) if section['category'] in detail_tooltips: ## xss-lint: disable=javascript-jquery-append diff --git a/openedx/core/djangolib/markup.py b/openedx/core/djangolib/markup.py index 8dd5e3699e..3009f1d53f 100644 --- a/openedx/core/djangolib/markup.py +++ b/openedx/core/djangolib/markup.py @@ -53,7 +53,7 @@ def strip_all_tags_but_br(string_to_strip): string_to_strip = "" string_to_strip = decode.utf8(string_to_strip) - string_to_strip = bleach.clean(string_to_strip, tags=['br'], strip=True) + string_to_strip = bleach.clean(string_to_strip, tags={'br'}, strip=True) return HTML(string_to_strip) diff --git a/requirements/constraints.txt b/requirements/constraints.txt index f3a3cbda55..da0f29e424 100644 --- a/requirements/constraints.txt +++ b/requirements/constraints.txt @@ -75,7 +75,3 @@ pyopenssl==22.0.0 cryptography==38.0.4 # greater version has some issues with openssl. - -# These two constraints will be removed in this PR: https://github.com/openedx/edx-platform/pull/31678 -bleach[css]==5.0.1 # greater version has some breaking changes. -openedx-django-wiki<2.0.0 # greater version needs bleech >6.0.0 diff --git a/xmodule/capa/util.py b/xmodule/capa/util.py index 66e7b12390..ada0818a39 100644 --- a/xmodule/capa/util.py +++ b/xmodule/capa/util.py 
@@ -191,8 +191,8 @@ def sanitize_html(html_code): }) output = bleach.clean( html_code, - protocols=bleach.ALLOWED_PROTOCOLS + ['data'], - tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'], + protocols=bleach.ALLOWED_PROTOCOLS | {'data'}, + tags=bleach.ALLOWED_TAGS | {'div', 'p', 'audio', 'pre', 'img', 'span'}, css_sanitizer=CSSSanitizer(allowed_css_properties=["white-space"]), attributes=attributes ) @@ -216,12 +216,12 @@ def remove_markup(html): """ Return html with markup stripped and text HTML-escaped. - >>> bleach.clean("Rock & Roll", tags=[], strip=True) + >>> bleach.clean("Rock & Roll", tags=set(), strip=True) 'Rock & Roll' - >>> bleach.clean("Rock & Roll", tags=[], strip=True) + >>> bleach.clean("Rock & Roll", tags=set(), strip=True) 'Rock & Roll' """ - return HTML(bleach.clean(html, tags=[], strip=True)) + return HTML(bleach.clean(html, tags=set(), strip=True)) def get_course_id_from_capa_block(capa_block): From 64c317be31421a5ee9a7e5b528cd082a1352469e Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Tue, 31 Jan 2023 11:18:25 -0500 Subject: [PATCH 2/5] chore: Compile requirements to update `bleach` Run `make compile-requirements COMPILE_OPTS="-P 'bleach'"` to update bleach to the latest version. --- requirements/edx/base.txt | 3 +-- requirements/edx/development.txt | 3 +-- requirements/edx/testing.txt | 4 +--- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt index a99139e036..e8ed2a58b2 100644 --- a/requirements/edx/base.txt +++ b/requirements/edx/base.txt @@ -60,9 +60,8 @@ beautifulsoup4==4.11.2 # via pynliner billiard==3.6.4.0 # via celery -bleach[css]==5.0.1 +bleach[css]==6.0.0 # via - # -c requirements/edx/../constraints.txt # -r requirements/edx/base.in # edx-enterprise # lti-consumer-xblock diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt index 1a8c2d858f..ff5a62ec04 100644 --- a/requirements/edx/development.txt 
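Review bot: `protocols=bleach.ALLOWED_PROTOCOLS | {'data'}` keeps `data:` URLs allowed for every URI-valued attribute the sanitizer checks, not only `img src`; if, as I believe, bleach applies a single protocol allow-list to `href` as well as `src`, then a `data:` link target survives sanitization whenever `a`/`href` is present in the `attributes` dict built above this hunk, and a link target is a different trust decision from an inline image. Narrowing this to images would, as far as I can tell, need a custom sanitizer filter rather than an entry in `attributes`, since the protocol check is applied after attribute filtering; if the broad allowance is intentional, a comment such as `# 'data' is allowed for all URI attributes (href as well as src); inline images in problem HTML depend on it` would record that decision. `sanitize_html` starts outside the hunk, so I cannot see how `attributes` is populated.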
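Review bot: The doctest examples in `remove_markup`'s docstring call `bleach.clean` directly instead of `remove_markup`, so they document bleach's escaping and never exercise the wrapper or the `HTML(...)` it returns; as rendered here the two examples also read identically, which suggests the escaped `&amp;` in one of them was lost somewhere between the source and this page. Rewriting them as `>>> remove_markup("Rock & Roll")` with the repr that `HTML` produces as the expected output would make them a real check of this function, and the `bleach.clean(..., tags=set(), strip=True)` call would then appear only in the body.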
+++ b/requirements/edx/development.txt @@ -94,9 +94,8 @@ billiard==3.6.4.0 # via # -r requirements/edx/testing.txt # celery -bleach[css]==5.0.1 +bleach[css]==6.0.0 # via - # -c requirements/edx/../constraints.txt # -r requirements/edx/testing.txt # edx-enterprise # lti-consumer-xblock diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt index 65454d568a..bf9006f1c4 100644 --- a/requirements/edx/testing.txt +++ b/requirements/edx/testing.txt @@ -66,7 +66,6 @@ attrs==22.2.0 # jsonschema # lti-consumer-xblock # openedx-events - # outcome # pytest babel==2.11.0 # via @@ -90,9 +89,8 @@ billiard==3.6.4.0 # via # -r requirements/edx/base.txt # celery -bleach[css]==5.0.1 +bleach[css]==6.0.0 # via - # -c requirements/edx/../constraints.txt # -r requirements/edx/base.txt # edx-enterprise # lti-consumer-xblock From ff9ed81c6e5b46e0117e578f7ef1ab25e3303796 Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Tue, 31 Jan 2023 12:26:12 -0500 Subject: [PATCH 3/5] chore: Update openedx-django-wiki Run `make compile-requirements COMPILE_OPTS="-P 'openedx-django-wiki'"` to update `openedx-django-wiki` --- requirements/edx/base.txt | 6 ++---- requirements/edx/development.txt | 6 ++---- requirements/edx/testing.txt | 6 ++---- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt index e8ed2a58b2..04dacda062 100644 --- a/requirements/edx/base.txt +++ b/requirements/edx/base.txt @@ -756,10 +756,8 @@ openedx-calc==3.0.1 # via -r requirements/edx/base.in openedx-django-pyfs==3.2.1 # via xblock -openedx-django-wiki==1.1.4 - # via - # -c requirements/edx/../constraints.txt - # -r requirements/edx/base.in +openedx-django-wiki==2.0.0 + # via -r requirements/edx/base.in openedx-events==4.2.0 # via # -r requirements/edx/base.in diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt index ff5a62ec04..9516167639 100644 --- a/requirements/edx/development.txt 
+++ b/requirements/edx/development.txt @@ -1003,10 +1003,8 @@ openedx-django-pyfs==3.2.1 # via # -r requirements/edx/testing.txt # xblock -openedx-django-wiki==1.1.4 - # via - # -c requirements/edx/../constraints.txt - # -r requirements/edx/testing.txt +openedx-django-wiki==2.0.0 + # via -r requirements/edx/testing.txt openedx-events==4.2.0 # via # -r requirements/edx/testing.txt diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt index bf9006f1c4..66abea48c2 100644 --- a/requirements/edx/testing.txt +++ b/requirements/edx/testing.txt @@ -953,10 +953,8 @@ openedx-django-pyfs==3.2.1 # via # -r requirements/edx/base.txt # xblock -openedx-django-wiki==1.1.4 - # via - # -c requirements/edx/../constraints.txt - # -r requirements/edx/base.txt +openedx-django-wiki==2.0.0 + # via -r requirements/edx/base.txt openedx-events==4.2.0 # via # -r requirements/edx/base.txt From e8546d5a8f7fb7e429b2a007a6388c7be6f6e10a Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Wed, 1 Feb 2023 10:57:44 -0500 Subject: [PATCH 4/5] chore: Update ora2 and lti-consumer-xblock. Run `make compile-requirements COMPILE_OPTS="-P 'ora2' -P 'lti-consumer-xblock'"` to update two more dependencies that use bleach. --- requirements/edx/base.txt | 4 ++-- requirements/edx/development.txt | 4 ++-- requirements/edx/pip.txt | 2 +- requirements/edx/testing.txt | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt index 04dacda062..980e67c742 100644 --- a/requirements/edx/base.txt +++ b/requirements/edx/base.txt @@ -666,7 +666,7 @@ libsass==0.10.0 # ora2 loremipsum==1.0.5 # via ora2 -lti-consumer-xblock==7.3.0 +lti-consumer-xblock==8.0.0 # via -r requirements/edx/base.in lxml==4.9.2 # via @@ -768,7 +768,7 @@ openedx-filters==1.0.0 # lti-consumer-xblock optimizely-sdk==4.1.0 # via -r requirements/edx/base.in -ora2==4.5.1 +ora2==5.0.0 # via -r requirements/edx/base.in oscrypto==1.3.0 # via snowflake-connector-python 
diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt index 9516167639..2c04311dbc 100644 --- a/requirements/edx/development.txt +++ b/requirements/edx/development.txt @@ -891,7 +891,7 @@ loremipsum==1.0.5 # via # -r requirements/edx/testing.txt # ora2 -lti-consumer-xblock==7.3.0 +lti-consumer-xblock==8.0.0 # via -r requirements/edx/testing.txt lxml==4.9.2 # via @@ -1015,7 +1015,7 @@ openedx-filters==1.0.0 # lti-consumer-xblock optimizely-sdk==4.1.0 # via -r requirements/edx/testing.txt -ora2==4.5.1 +ora2==5.0.0 # via -r requirements/edx/testing.txt oscrypto==1.3.0 # via diff --git a/requirements/edx/pip.txt b/requirements/edx/pip.txt index 1663bcd84b..977c450c59 100644 --- a/requirements/edx/pip.txt +++ b/requirements/edx/pip.txt @@ -6,7 +6,7 @@ # pip==23.0 # via -r requirements/edx/pip.in -setuptools==67.0.0 +setuptools==67.1.0 # via -r requirements/edx/pip.in wheel==0.38.4 # via -r requirements/edx/pip.in diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt index 66abea48c2..5c484ed8d7 100644 --- a/requirements/edx/testing.txt +++ b/requirements/edx/testing.txt @@ -848,7 +848,7 @@ loremipsum==1.0.5 # via # -r requirements/edx/base.txt # ora2 -lti-consumer-xblock==7.3.0 +lti-consumer-xblock==8.0.0 # via -r requirements/edx/base.txt lxml==4.9.2 # via @@ -965,7 +965,7 @@ openedx-filters==1.0.0 # lti-consumer-xblock optimizely-sdk==4.1.0 # via -r requirements/edx/base.txt -ora2==4.5.1 +ora2==5.0.0 # via -r requirements/edx/base.txt oscrypto==1.3.0 # via From 35121e19a20db41b20d9b7786d33c93bff8db744 Mon Sep 17 00:00:00 2001 From: Feanil Patel Date: Wed, 1 Feb 2023 12:26:32 -0500 Subject: [PATCH 5/5] chore: Upgrade xblock-drag-and-drop-v2 Run `make compile-requirements COMPILE_OPTS="-P 'xblock-drag-and-drop-v2'"` --- requirements/edx/base.txt | 2 +- requirements/edx/development.txt | 2 +- requirements/edx/pip.txt | 6 ++++-- requirements/edx/testing.txt | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) 
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt index 980e67c742..d37f796a78 100644 --- a/requirements/edx/base.txt +++ b/requirements/edx/base.txt @@ -1174,7 +1174,7 @@ xblock[django]==1.6.2 # xblock-google-drive # xblock-poll # xblock-utils -xblock-drag-and-drop-v2==3.0.0 +xblock-drag-and-drop-v2==3.1.0 # via -r requirements/edx/base.in xblock-google-drive==0.3.0 # via -r requirements/edx/base.in diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt index 2c04311dbc..0b4b9a9680 100644 --- a/requirements/edx/development.txt +++ b/requirements/edx/development.txt @@ -1686,7 +1686,7 @@ xblock[django]==1.6.2 # xblock-google-drive # xblock-poll # xblock-utils -xblock-drag-and-drop-v2==3.0.0 +xblock-drag-and-drop-v2==3.1.0 # via -r requirements/edx/testing.txt xblock-google-drive==0.3.0 # via -r requirements/edx/testing.txt diff --git a/requirements/edx/pip.txt b/requirements/edx/pip.txt index 977c450c59..d3d8f5af35 100644 --- a/requirements/edx/pip.txt +++ b/requirements/edx/pip.txt @@ -4,9 +4,11 @@ # # make upgrade # +wheel==0.38.4 + # via -r requirements/edx/pip.in + +# The following packages are considered to be unsafe in a requirements file: pip==23.0 # via -r requirements/edx/pip.in setuptools==67.1.0 # via -r requirements/edx/pip.in -wheel==0.38.4 - # via -r requirements/edx/pip.in diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt index 5c484ed8d7..6691698cb9 100644 --- a/requirements/edx/testing.txt +++ b/requirements/edx/testing.txt @@ -1558,7 +1558,7 @@ xblock[django]==1.6.2 # xblock-google-drive # xblock-poll # xblock-utils -xblock-drag-and-drop-v2==3.0.0 +xblock-drag-and-drop-v2==3.1.0 # via -r requirements/edx/base.txt xblock-google-drive==0.3.0 # via -r requirements/edx/base.txt