Merge pull request #308 from openedx/feanil/update_bleach

Feanil Patel · web-flow · commit ad661f700101 · 2023-02-01T12:10:36.000-05:00
feat!: Update to the latest version of bleach.
diff --git a/Changelog.md b/Changelog.md
@@ -1,11 +1,18 @@
 Drag and Drop XBlock changelog
 ==============================
 
+Version 3.1.0 (2023-01-31)
+--------------------------
+
+* Upgrade to be compatible with `bleach==6.0.0` and `bleach<6.0.0`
+* Make the dependency on the `css` extras explicit.
+
 Version 3.0.0 (2022-11-18)
 ---------------------------
 
-* Sanitize HTML tags to prevent XSS vulnerabilities.  
-  BREAKING CHANGE: Disallowed HTML tags (e.g. `<script>`) will no longer be rendered in LMS and Studio. 
+* Sanitize HTML tags to prevent XSS vulnerabilities.
+
+  BREAKING CHANGE: Disallowed HTML tags (e.g. `<script>`) will no longer be rendered in LMS and Studio.
 
 Version 2.7.0 (2022-11-15)
 ---------------------------
@@ -20,7 +27,7 @@ Version 2.6.0 (2022-10-24)
 Version 2.5.0 (2022-10-13)
 ---------------------------
 
-* Make the "Show Answer" condition customizable (like in the Problem XBlock). 
+* Make the "Show Answer" condition customizable (like in the Problem XBlock).
 
 Version 2.4.2 (2022-10-13)
 ---------------------------
diff --git a/drag_and_drop_v2/utils.py b/drag_and_drop_v2/utils.py
@@ -8,13 +8,7 @@
 
 import bleach
 
-try:
-    from bleach.css_sanitizer import CSSSanitizer
-except (ImportError, ModuleNotFoundError):
-    # pylint: disable=fixme
-    # TODO: The bleach library changes the way CSS Styles are cleaned in version 5.0.0. The edx-platform uses version
-    #  4.1.0 in Maple, so this import is handled within a try block. This can be removed for the Nutmeg release.
-    CSSSanitizer = None
+from bleach.css_sanitizer import CSSSanitizer
 
 
 def _(text):
@@ -37,7 +31,8 @@ def _clean_data(data):
     return cleaned_text
 
 
-ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
+# Convert `bleach.ALLOWED_TAGS` to a set because it is a list in `bleach<6.0.0`.
+ALLOWED_TAGS = set(bleach.ALLOWED_TAGS) | {
     'br',
     'caption',
     'dd',
@@ -68,7 +63,7 @@ def _clean_data(data):
     'thead',
     'tr',
     'u',
-]
+}
 ALLOWED_ATTRIBUTES = {
     '*': ['class', 'style', 'id'],
     'a': ['href', 'title', 'target', 'rel'],
@@ -79,54 +74,6 @@ def _clean_data(data):
     'table': ['border', 'cellspacing', 'cellpadding'],
     'td': ['style', 'scope'],
 }
-ALLOWED_STYLES = [
-    "azimuth",
-    "background-color",
-    "border-bottom-color",
-    "border-collapse",
-    "border-color",
-    "border-left-color",
-    "border-right-color",
-    "border-top-color",
-    "clear",
-    "color",
-    "cursor",
-    "direction",
-    "display",
-    "elevation",
-    "float",
-    "font",
-    "font-family",
-    "font-size",
-    "font-style",
-    "font-variant",
-    "font-weight",
-    "height",
-    "letter-spacing",
-    "line-height",
-    "overflow",
-    "pause",
-    "pause-after",
-    "pause-before",
-    "pitch",
-    "pitch-range",
-    "richness",
-    "speak",
-    "speak-header",
-    "speak-numeral",
-    "speak-punctuation",
-    "speech-rate",
-    "stress",
-    "text-align",
-    "text-decoration",
-    "text-indent",
-    "unicode-bidi",
-    "vertical-align",
-    "voice-family",
-    "volume",
-    "white-space",
-    "width",
-]
 
 
 def sanitize_html(raw_body: str) -> str:
@@ -139,14 +86,7 @@ def sanitize_html(raw_body: str) -> str:
         strip=True,
         attributes=ALLOWED_ATTRIBUTES,
     )
-    if CSSSanitizer:
-        bleach_options['css_sanitizer'] = CSSSanitizer()
-    else:
-        # pylint: disable=fixme
-        # TODO: This is maintaining backward compatibility with bleach 4.1.0 used in Maple release of edx-platform.
-        #  This can be removed for the Nutmeg release which uses bleach 5.0.0
-        bleach_options['styles'] = ALLOWED_STYLES
-
+    bleach_options['css_sanitizer'] = CSSSanitizer()
     return bleach.clean(raw_body, **bleach_options)
 
 
diff --git a/requirements.txt b/requirements.txt
@@ -4,7 +4,7 @@ edx-i18n-tools==0.4.7
 pycodestyle==2.6.0
 django-statici18n==1.9.0
 transifex-client==0.14.2
-bleach==3.3.1
+bleach[css]==6.0.0
 xblock-utils==1.2.2
 selenium==2.53.6
 pylint==2.4.2
diff --git a/setup.py b/setup.py
@@ -23,13 +23,13 @@ def package_data(pkg, root_list):
 
 setup(
     name='xblock-drag-and-drop-v2',
-    version='3.0.0',
+    version='3.1.0',
     description='XBlock - Drag-and-Drop v2',
     packages=['drag_and_drop_v2'],
     install_requires=[
         'XBlock',
         'xblock-utils',
-        'bleach',
+        'bleach[css]',
     ],
     entry_points={
         'xblock.v1': 'drag-and-drop-v2 = drag_and_drop_v2:DragAndDropBlock',
diff --git a/tests/integration/test_custom_data_render.py b/tests/integration/test_custom_data_render.py
@@ -22,7 +22,7 @@ def test_items_rendering(self):
         self.assertEqual(len(items), 3)
         self.assertIn('<b>1</b>', self.get_element_html(items[0]))
         self.assertIn('<i>2</i>', self.get_element_html(items[1]))
-        self.assertIn('<span style="color: red;">X</span>', self.get_element_html(items[2]))
+        self.assertIn('<span style="color:red;">X</span>', self.get_element_html(items[2]))
 
     def test_html_title_renders_properly(self):
         """
