<?xml version="1.0" encoding="ascii"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>genshi.filters.html.HTMLSanitizer</title>
<link rel="stylesheet" href="epydoc.css" type="text/css" />
<script type="text/javascript" src="epydoc.js"></script>
</head>
<body bgcolor="white" text="black" link="blue" vlink="#204080"
alink="#204080">
<!-- ==================== NAVIGATION BAR ==================== -->
<table class="navbar" border="0" width="100%" cellpadding="0"
bgcolor="#a0c0ff" cellspacing="0">
<tr valign="middle">
<!-- Home link -->
<th> <a
href="genshi-module.html">Home</a> </th>
<!-- Tree link -->
<th> <a
href="module-tree.html">Trees</a> </th>
<!-- Index link -->
<th> <a
href="identifier-index.html">Indices</a> </th>
<!-- Help link -->
<th> <a
href="help.html">Help</a> </th>
<!-- Project homepage -->
<th class="navbar" align="right" width="100%">
<table border="0" cellpadding="0" cellspacing="0">
<tr><th class="navbar" align="center"
><a class="navbar" target="_top" href="../index.html">Documentation Index</a></th>
</tr></table></th>
</tr>
</table>
<table width="100%" cellpadding="0" cellspacing="0">
<tr valign="top">
<td width="100%">
<span class="breadcrumbs">
<a href="genshi-module.html">Package genshi</a> ::
<a href="genshi.filters-module.html">Package filters</a> ::
<a href="genshi.filters.html-module.html">Module html</a> ::
Class HTMLSanitizer
</span>
</td>
<td>
<table cellpadding="0" cellspacing="0">
<!-- hide/show private -->
</table>
</td>
</tr>
</table>
<!-- ==================== CLASS DESCRIPTION ==================== -->
<h1 class="epydoc">Class HTMLSanitizer</h1><p class="nomargin-top"></p>
<pre class="base-tree">
object --+
|
<strong class="uidshort">HTMLSanitizer</strong>
</pre>
<hr />
<p>A filter that removes potentially dangerous HTML tags and attributes
from the stream.</p>
<pre class="py-doctest">
<span class="py-prompt">>>> </span><span class="py-keyword">from</span> genshi <span class="py-keyword">import</span> HTML
<span class="py-prompt">>>> </span>html = HTML(<span class="py-string">'<div><script>alert(document.cookie)</script></div>'</span>, encoding=<span class="py-string">'utf-8'</span>)
<span class="py-prompt">>>> </span><span class="py-keyword">print</span>(html | HTMLSanitizer())
<span class="py-output"><div/></span></pre>
<p>The default set of safe tags and attributes can be modified when the filter
is instantiated. For example, to allow inline <tt class="rst-docutils literal">style</tt> attributes, the
following instantation would work:</p>
<pre class="py-doctest">
<span class="py-prompt">>>> </span>html = HTML(<span class="py-string">'<div style="background: #000"></div>'</span>, encoding=<span class="py-string">'utf-8'</span>)
<span class="py-prompt">>>> </span>sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set([<span class="py-string">'style'</span>]))
<span class="py-prompt">>>> </span><span class="py-keyword">print</span>(html | sanitizer)
<span class="py-output"><div style="background: #000"/></span></pre>
<p>Note that even in this case, the filter <em>does</em> attempt to remove dangerous
constructs from style attributes:</p>
<pre class="py-doctest">
<span class="py-prompt">>>> </span>html = HTML(<span class="py-string">'<div style="background: url(javascript:void); color: #000"></div>'</span>, encoding=<span class="py-string">'utf-8'</span>)
<span class="py-prompt">>>> </span><span class="py-keyword">print</span>(html | sanitizer)
<span class="py-output"><div style="color: #000"/></span></pre>
<p>This handles HTML entities, unicode escapes in CSS and Javascript text, as
well as a lot of other things. However, the style tag is still excluded by
default because it is very hard for such sanitizing to be completely safe,
especially considering how much error recovery current web browsers perform.</p>
<p>It also does some basic filtering of CSS properties that may be used for
typical phishing attacks. For more sophisticated filtering, this class
provides a couple of hooks that can be overridden in sub-classes.</p>
<hr />
<div class="fields"> <p><strong>Warning:</strong>
Note that this special processing of CSS is currently only applied to
style attributes, <strong>not</strong> style elements.
</p>
</div><!-- ==================== INSTANCE METHODS ==================== -->
<a name="section-InstanceMethods"></a>
<table class="summary" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr bgcolor="#70b0f0" class="table-header">
<td align="left" colspan="2" class="table-header">
<span class="table-header">Instance Methods</span></td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td><span class="summary-sig"><a href="genshi.filters.html.HTMLSanitizer-class.html#__init__" class="summary-sig-name">__init__</a>(<span class="summary-sig-arg">self</span>,
<span class="summary-sig-arg">safe_tags</span>=<span class="summary-sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">acronym</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">address</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">area</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">b</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">bi</code><code class="variable-ellipsis">...</code></span>,
<span class="summary-sig-arg">safe_attrs</span>=<span class="summary-sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accept</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accept-charset</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accesskey</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-ellipsis">...</code></span>,
<span class="summary-sig-arg">safe_schemes</span>=<span class="summary-sig-default"><code class="variable-group">frozenset([</code>None<code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">file</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">ftp</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">http</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">https</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">mailto</code><code class="variable-quote">'</code><code class="variable-group">])</code></span>,
<span class="summary-sig-arg">uri_attrs</span>=<span class="summary-sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">action</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">dynsrc</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">href</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">lowsrc</code><code class="variable-quote">'</code><code class="variable-op">,</code><code class="variable-ellipsis">...</code></span>,
<span class="summary-sig-arg">safe_css</span>=<span class="summary-sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background-attachment</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background-</code><code class="variable-ellipsis">...</code></span>)</span><br />
Create the sanitizer.</td>
<td align="right" valign="top">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td><span class="summary-sig"><a href="genshi.filters.html.HTMLSanitizer-class.html#__call__" class="summary-sig-name">__call__</a>(<span class="summary-sig-arg">self</span>,
<span class="summary-sig-arg">stream</span>)</span><br />
Apply the filter to the given stream.</td>
<td align="right" valign="top">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type">bool</span>
</td><td class="summary">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td><span class="summary-sig"><a href="genshi.filters.html.HTMLSanitizer-class.html#is_safe_css" class="summary-sig-name">is_safe_css</a>(<span class="summary-sig-arg">self</span>,
<span class="summary-sig-arg">propname</span>,
<span class="summary-sig-arg">value</span>)</span><br />
Determine whether the given css property declaration is to be
considered safe for inclusion in the output.</td>
<td align="right" valign="top">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type">bool</span>
</td><td class="summary">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td><span class="summary-sig"><a href="genshi.filters.html.HTMLSanitizer-class.html#is_safe_elem" class="summary-sig-name">is_safe_elem</a>(<span class="summary-sig-arg">self</span>,
<span class="summary-sig-arg">tag</span>,
<span class="summary-sig-arg">attrs</span>)</span><br />
Determine whether the given element should be considered safe for
inclusion in the output.</td>
<td align="right" valign="top">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"><code class="link">bool</code></span>
</td><td class="summary">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td><span class="summary-sig"><a href="genshi.filters.html.HTMLSanitizer-class.html#is_safe_uri" class="summary-sig-name">is_safe_uri</a>(<span class="summary-sig-arg">self</span>,
<span class="summary-sig-arg">uri</span>)</span><br />
Determine whether the given URI is to be considered safe for
inclusion in the output.</td>
<td align="right" valign="top">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"><code class="link">list</code></span>
</td><td class="summary">
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td><span class="summary-sig"><a href="genshi.filters.html.HTMLSanitizer-class.html#sanitize_css" class="summary-sig-name">sanitize_css</a>(<span class="summary-sig-arg">self</span>,
<span class="summary-sig-arg">text</span>)</span><br />
Remove potentially dangerous property declarations from CSS code.</td>
<td align="right" valign="top">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td colspan="2" class="summary">
<p class="indent-wrapped-lines"><b>Inherited from <code>object</code></b>:
<code>__delattr__</code>,
<code>__format__</code>,
<code>__getattribute__</code>,
<code>__hash__</code>,
<code>__new__</code>,
<code>__reduce__</code>,
<code>__reduce_ex__</code>,
<code>__repr__</code>,
<code>__setattr__</code>,
<code>__sizeof__</code>,
<code>__str__</code>,
<code>__subclasshook__</code>
</p>
</td>
</tr>
</table>
<!-- ==================== CLASS VARIABLES ==================== -->
<a name="section-ClassVariables"></a>
<table class="summary" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr bgcolor="#70b0f0" class="table-header">
<td align="left" colspan="2" class="table-header">
<span class="table-header">Class Variables</span></td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<a href="genshi.filters.html.HTMLSanitizer-class.html#SAFE_TAGS" class="summary-name">SAFE_TAGS</a> = <code title="frozenset(['a',
'abbr',
'acronym',
'address',
'area',
'b',
'big',
'blockquote',
..."><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">acronym</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">address</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">are</code><code class="variable-ellipsis">...</code></code>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<a href="genshi.filters.html.HTMLSanitizer-class.html#SAFE_ATTRS" class="summary-name">SAFE_ATTRS</a> = <code title="frozenset(['abbr',
'accept',
'accept-charset',
'accesskey',
'action',
'align',
'alt',
'axis',
..."><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accept</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accept-charset</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-ellipsis">...</code></code>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<a href="genshi.filters.html.HTMLSanitizer-class.html#SAFE_CSS" class="summary-name">SAFE_CSS</a> = <code title="frozenset(['background',
'background-attachment',
'background-color',
'background-image',
'background-position',
'background-repeat',
'border',
'border-bottom',
..."><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background-attachment</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-ellipsis">...</code></code>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<a href="genshi.filters.html.HTMLSanitizer-class.html#SAFE_SCHEMES" class="summary-name">SAFE_SCHEMES</a> = <code title="frozenset([None, 'file', 'ftp', 'http', 'https', 'mailto'])"><code class="variable-group">frozenset([</code>None<code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">file</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">ftp</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">http</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">https</code><code class="variable-quote">'</code><code class="variable-ellipsis">...</code></code>
</td>
</tr>
<tr>
<td width="15%" align="right" valign="top" class="summary">
<span class="summary-type"> </span>
</td><td class="summary">
<a href="genshi.filters.html.HTMLSanitizer-class.html#URI_ATTRS" class="summary-name">URI_ATTRS</a> = <code title="frozenset(['action', 'background', 'dynsrc', 'href', 'lowsrc', 'src'])"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">action</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">dynsrc</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">href</code><code class="variable-ellipsis">...</code></code>
</td>
</tr>
</table>
<!-- ==================== PROPERTIES ==================== -->
<a name="section-Properties"></a>
<table class="summary" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr bgcolor="#70b0f0" class="table-header">
<td align="left" colspan="2" class="table-header">
<span class="table-header">Properties</span></td>
</tr>
<tr>
<td colspan="2" class="summary">
<p class="indent-wrapped-lines"><b>Inherited from <code>object</code></b>:
<code>__class__</code>
</p>
</td>
</tr>
</table>
<!-- ==================== METHOD DETAILS ==================== -->
<a name="section-MethodDetails"></a>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr bgcolor="#70b0f0" class="table-header">
<td align="left" colspan="2" class="table-header">
<span class="table-header">Method Details</span></td>
</tr>
</table>
<a name="__init__"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr valign="top"><td>
<h3 class="epydoc"><span class="sig"><span class="sig-name">__init__</span>(<span class="sig-arg">self</span>,
<span class="sig-arg">safe_tags</span>=<span class="sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">acronym</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">address</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">area</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">b</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">bi</code><code class="variable-ellipsis">...</code></span>,
<span class="sig-arg">safe_attrs</span>=<span class="sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accept</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accept-charset</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">accesskey</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-ellipsis">...</code></span>,
<span class="sig-arg">safe_schemes</span>=<span class="sig-default"><code class="variable-group">frozenset([</code>None<code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">file</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">ftp</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">http</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">https</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">mailto</code><code class="variable-quote">'</code><code class="variable-group">])</code></span>,
<span class="sig-arg">uri_attrs</span>=<span class="sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">action</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">dynsrc</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">href</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">lowsrc</code><code class="variable-quote">'</code><code class="variable-op">,</code><code class="variable-ellipsis">...</code></span>,
<span class="sig-arg">safe_css</span>=<span class="sig-default"><code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background-attachment</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background-</code><code class="variable-ellipsis">...</code></span>)</span>
<br /><em class="fname">(Constructor)</em>
</h3>
</td><td align="right" valign="top"
>
</td>
</tr></table>
<p>Create the sanitizer.</p>
<p>The exact set of allowed elements and attributes can be configured.</p>
<dl class="fields">
<dt>Parameters:</dt>
<dd><ul class="nomargin-top">
<li><strong class="pname"><code>safe_tags</code></strong> - a set of tag names that are considered safe</li>
<li><strong class="pname"><code>safe_attrs</code></strong> - a set of attribute names that are considered safe</li>
<li><strong class="pname"><code>safe_schemes</code></strong> - a set of URI schemes that are considered safe</li>
<li><strong class="pname"><code>uri_attrs</code></strong> - a set of names of attributes that contain URIs</li>
</ul></dd>
<dt>Overrides:
object.__init__
</dt>
</dl>
</td></tr></table>
</div>
<a name="__call__"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr valign="top"><td>
<h3 class="epydoc"><span class="sig"><span class="sig-name">__call__</span>(<span class="sig-arg">self</span>,
<span class="sig-arg">stream</span>)</span>
<br /><em class="fname">(Call operator)</em>
</h3>
</td><td align="right" valign="top"
>
</td>
</tr></table>
Apply the filter to the given stream.
<dl class="fields">
<dt>Parameters:</dt>
<dd><ul class="nomargin-top">
<li><strong class="pname"><code>stream</code></strong> - the markup event stream to filter</li>
</ul></dd>
</dl>
</td></tr></table>
</div>
<a name="is_safe_css"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr valign="top"><td>
<h3 class="epydoc"><span class="sig"><span class="sig-name">is_safe_css</span>(<span class="sig-arg">self</span>,
<span class="sig-arg">propname</span>,
<span class="sig-arg">value</span>)</span>
</h3>
</td><td align="right" valign="top"
>
</td>
</tr></table>
Determine whether the given css property declaration is to be
considered safe for inclusion in the output.
<dl class="fields">
<dt>Parameters:</dt>
<dd><ul class="nomargin-top">
<li><strong class="pname"><code>propname</code></strong> - the CSS property name</li>
<li><strong class="pname"><code>value</code></strong> - the value of the property</li>
</ul></dd>
<dt>Returns: bool</dt>
<dd>whether the property value should be considered safe</dd>
</dl>
<div class="fields"> <p><strong>Since:</strong>
version 0.6
</p>
</div></td></tr></table>
</div>
<a name="is_safe_elem"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr valign="top"><td>
<h3 class="epydoc"><span class="sig"><span class="sig-name">is_safe_elem</span>(<span class="sig-arg">self</span>,
<span class="sig-arg">tag</span>,
<span class="sig-arg">attrs</span>)</span>
</h3>
</td><td align="right" valign="top"
>
</td>
</tr></table>
Determine whether the given element should be considered safe for
inclusion in the output.
<dl class="fields">
<dt>Parameters:</dt>
<dd><ul class="nomargin-top">
<li><strong class="pname"><code>tag</code></strong> (QName) - the tag name of the element</li>
<li><strong class="pname"><code>attrs</code></strong> (Attrs) - the element attributes</li>
</ul></dd>
<dt>Returns: bool</dt>
<dd>whether the element should be considered safe</dd>
</dl>
<div class="fields"> <p><strong>Since:</strong>
version 0.6
</p>
</div></td></tr></table>
</div>
<a name="is_safe_uri"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr valign="top"><td>
<h3 class="epydoc"><span class="sig"><span class="sig-name">is_safe_uri</span>(<span class="sig-arg">self</span>,
<span class="sig-arg">uri</span>)</span>
</h3>
</td><td align="right" valign="top"
>
</td>
</tr></table>
<p>Determine whether the given URI is to be considered safe for
inclusion in the output.</p>
<p>The default implementation checks whether the scheme of the URI is in
the set of allowed URIs (<code class="link">safe_schemes</code>).</p>
<pre class="py-doctest">
<span class="py-prompt">>>> </span>sanitizer = HTMLSanitizer()
<span class="py-prompt">>>> </span>sanitizer.is_safe_uri(<span class="py-string">'http://example.org/'</span>)
<span class="py-output">True</span>
<span class="py-output"></span><span class="py-prompt">>>> </span>sanitizer.is_safe_uri(<span class="py-string">'javascript:alert(document.cookie)'</span>)
<span class="py-output">False</span></pre>
<dl class="fields">
<dt>Parameters:</dt>
<dd><ul class="nomargin-top">
<li><strong class="pname"><code>uri</code></strong> - the URI to check</li>
</ul></dd>
<dt>Returns: <code class="link">bool</code></dt>
<dd><code class="link">True</code> if the URI can be considered safe, <code class="link">False</code> otherwise</dd>
</dl>
<div class="fields"> <p><strong>Since:</strong>
version 0.4.3
</p>
</div></td></tr></table>
</div>
<a name="sanitize_css"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<table width="100%" cellpadding="0" cellspacing="0" border="0">
<tr valign="top"><td>
<h3 class="epydoc"><span class="sig"><span class="sig-name">sanitize_css</span>(<span class="sig-arg">self</span>,
<span class="sig-arg">text</span>)</span>
</h3>
</td><td align="right" valign="top"
>
</td>
</tr></table>
<p>Remove potentially dangerous property declarations from CSS code.</p>
<p>In particular, properties using the CSS <tt class="rst-docutils literal">url()</tt> function with a scheme
that is not considered safe are removed:</p>
<pre class="py-doctest">
<span class="py-prompt">>>> </span>sanitizer = HTMLSanitizer()
<span class="py-prompt">>>> </span>sanitizer.sanitize_css(u<span class="py-string">'''</span>
<span class="py-more">... </span><span class="py-string"> background: url(javascript:alert("foo"));</span>
<span class="py-more">... </span><span class="py-string"> color: #000;</span>
<span class="py-more">... </span><span class="py-string">'''</span>)
<span class="py-output">[u'color: #000']</span></pre>
<p>Also, the proprietary Internet Explorer function <tt class="rst-docutils literal">expression()</tt> is
always stripped:</p>
<pre class="py-doctest">
<span class="py-prompt">>>> </span>sanitizer.sanitize_css(u<span class="py-string">'''</span>
<span class="py-more">... </span><span class="py-string"> background: #fff;</span>
<span class="py-more">... </span><span class="py-string"> color: #000;</span>
<span class="py-more">... </span><span class="py-string"> width: e/**/xpression(alert("foo"));</span>
<span class="py-more">... </span><span class="py-string">'''</span>)
<span class="py-output">[u'background: #fff', u'color: #000']</span></pre>
<dl class="fields">
<dt>Parameters:</dt>
<dd><ul class="nomargin-top">
<li><strong class="pname"><code>text</code></strong> - the CSS text; this is expected to be <code class="link">unicode</code> and to not
contain any character or numeric references</li>
</ul></dd>
<dt>Returns: <code class="link">list</code></dt>
<dd>a list of declarations that are considered safe</dd>
</dl>
<div class="fields"> <p><strong>Since:</strong>
version 0.4.3
</p>
</div></td></tr></table>
</div>
<br />
<!-- ==================== CLASS VARIABLE DETAILS ==================== -->
<a name="section-ClassVariableDetails"></a>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr bgcolor="#70b0f0" class="table-header">
<td align="left" colspan="2" class="table-header">
<span class="table-header">Class Variable Details</span></td>
</tr>
</table>
<a name="SAFE_TAGS"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<h3 class="epydoc">SAFE_TAGS</h3>
<dl class="fields">
</dl>
<dl class="fields">
<dt>Value:</dt>
<dd><table><tr><td><pre class="variable">
<code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">a</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">acronym</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">address</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">area</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">b</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">big</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">blockquote</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-ellipsis">...</code>
</pre></td></tr></table>
</dd>
</dl>
</td></tr></table>
</div>
<a name="SAFE_ATTRS"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<h3 class="epydoc">SAFE_ATTRS</h3>
<dl class="fields">
</dl>
<dl class="fields">
<dt>Value:</dt>
<dd><table><tr><td><pre class="variable">
<code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">abbr</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">accept</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">accept-charset</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">accesskey</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">action</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">align</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">alt</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">axis</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-ellipsis">...</code>
</pre></td></tr></table>
</dd>
</dl>
</td></tr></table>
</div>
<a name="SAFE_CSS"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<h3 class="epydoc">SAFE_CSS</h3>
<dl class="fields">
</dl>
<dl class="fields">
<dt>Value:</dt>
<dd><table><tr><td><pre class="variable">
<code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">background-attachment</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">background-color</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">background-image</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">background-position</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">background-repeat</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">border</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-quote">'</code><code class="variable-string">border-bottom</code><code class="variable-quote">'</code><code class="variable-op">,</code>
<code class="variable-ellipsis">...</code>
</pre></td></tr></table>
</dd>
</dl>
</td></tr></table>
</div>
<a name="SAFE_SCHEMES"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<h3 class="epydoc">SAFE_SCHEMES</h3>
<dl class="fields">
</dl>
<dl class="fields">
<dt>Value:</dt>
<dd><table><tr><td><pre class="variable">
<code class="variable-group">frozenset([</code>None<code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">file</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">ftp</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">http</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">https</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">mailto</code><code class="variable-quote">'</code><code class="variable-group">])</code>
</pre></td></tr></table>
</dd>
</dl>
</td></tr></table>
</div>
<a name="URI_ATTRS"></a>
<div>
<table class="details" border="1" cellpadding="3"
cellspacing="0" width="100%" bgcolor="white">
<tr><td>
<h3 class="epydoc">URI_ATTRS</h3>
<dl class="fields">
</dl>
<dl class="fields">
<dt>Value:</dt>
<dd><table><tr><td><pre class="variable">
<code class="variable-group">frozenset([</code><code class="variable-quote">'</code><code class="variable-string">action</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">background</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">dynsrc</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">href</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">lowsrc</code><code class="variable-quote">'</code><code class="variable-op">, </code><code class="variable-quote">'</code><code class="variable-string">src</code><code class="variable-quote">'</code><code class="variable-group">])</code>
</pre></td></tr></table>
</dd>
</dl>
</td></tr></table>
</div>
<br />
<!-- ==================== NAVIGATION BAR ==================== -->
<table class="navbar" border="0" width="100%" cellpadding="0"
bgcolor="#a0c0ff" cellspacing="0">
<tr valign="middle">
<!-- Home link -->
<th> <a
href="genshi-module.html">Home</a> </th>
<!-- Tree link -->
<th> <a
href="module-tree.html">Trees</a> </th>
<!-- Index link -->
<th> <a
href="identifier-index.html">Indices</a> </th>
<!-- Help link -->
<th> <a
href="help.html">Help</a> </th>
<!-- Project homepage -->
<th class="navbar" align="right" width="100%">
<table border="0" cellpadding="0" cellspacing="0">
<tr><th class="navbar" align="center"
><a class="navbar" target="_top" href="../index.html">Documentation Index</a></th>
</tr></table></th>
</tr>
</table>
<table border="0" cellpadding="0" cellspacing="0" width="100%%">
<tr>
<td align="left" class="footer">
Generated by Epydoc 3.0.1 on Sun Jan 27 18:17:20 2013
</td>
<td align="right" class="footer">
<a target="mainFrame" href="http://epydoc.sourceforge.net"
>http://epydoc.sourceforge.net</a>
</td>
</tr>
</table>
<script type="text/javascript">
<!--
// Private objects are initially displayed (because if
// javascript is turned off then we want them to be
// visible); but by default, we want to hide them. So hide
// them unless we have a cookie that says to show them.
checkCookie();
// -->
</script>
</body>
</html>
