Bump bluemonday to 1.0.18

.github/workflows/build.yml

@@ -43,7 +43,7 @@ jobs:
         if: runner.os == 'Linux'
         env:
           CIBW_BUILD: cp3?-*
-          CIBW_SKIP: "cp35-* *-win32 *-manylinux_i686 *-manylinux_aarch64 *-manylinux_ppc64le *-manylinux_s390x"
+          CIBW_SKIP: "cp35-* *-win32 *-musllinux_* *-manylinux_i686 *-manylinux_aarch64 *-manylinux_ppc64le *-manylinux_s390x"
           CIBW_BUILD_VERBOSITY: 1
         run: |
           python setup.py sdist
@@ -54,6 +54,7 @@ jobs:
         env:
           CIBW_ARCHS_LINUX: i686
           CIBW_BUILD_VERBOSITY: 1
+          CIBW_SKIP: "*-musllinux_*"
         run: |
           python3 -m cibuildwheel --output-dir wheelhouse
 
@@ -62,6 +63,7 @@ jobs:
         env:
           CIBW_ARCHS_LINUX: aarch64
           CIBW_BUILD_VERBOSITY: 1
+          CIBW_SKIP: "*-musllinux_*"
         run: |
           python3 -m cibuildwheel --output-dir wheelhouse
 

.github/workflows/test.yml

@@ -9,7 +9,7 @@ jobs:
 
     strategy:
       matrix:
-        python-version: ['3.6', '3.7', '3.8', '3.9']
+        python-version: ['3.6', '3.7', '3.8', '3.9', '3.10']
 
     name: Python ${{ matrix.python-version }}
     steps:

CHANGELOG.md

@@ -1,3 +1,10 @@
+# 0.0.9 / 2022-02-11
+
+- Bump bluemonday to 1.0.18
+- Implement rough support for `RequireSandboxOnIFrame` by having an approach to call functions that take typed arguments
+  - This doesn't work entirely because currently only a single call to `RequireSandboxOnIFrame` will work but it will suffice until this behavior is actually needed.
+- Build wheels for Python 3.10 (Closes #29)
+
 # 0.0.8 / 2021-10-18
 
 - Bump bluemonday version to 1.0.16

bluemonday.go

@@ -156,6 +156,25 @@ func CallPolicyFunctionWithBool(policyId C.ulong, method *C.char, argument C.uin
 	meth.Call(args)
 }
 
+//export CallPolicyFunctionWithInt
+func CallPolicyFunctionWithInt(policyId C.ulong, method *C.char, argtype *C.char, argument C.uint) {
+	goPolicyId := uint32(policyId)
+	goMethod := C.GoString(method)
+	goArgType := C.GoString(argtype)
+	goArgument := int(argument)
+	policy := POLICIES[goPolicyId]
+
+	switch goArgType {
+	case "SandboxValue":
+		sv := bluemonday.SandboxValue(goArgument)
+		args := []reflect.Value{reflect.ValueOf(sv)}
+		meth := reflect.ValueOf(policy).MethodByName(goMethod)
+		meth.Call(args)
+	default:
+		panic("Unknown argument type function")
+	}
+}
+
 //export SanitizeWithPolicy
 func SanitizeWithPolicy(policyId C.ulong, document *C.char) *C.char {
 	goPolicyId := uint32(policyId)

build_ffi.py

@@ -29,6 +29,8 @@
 
 extern void CallPolicyFunctionWithBool(long unsigned int p0, char* p1, unsigned int p2);
 
+extern void CallPolicyFunctionWithInt(long unsigned int policyId, char* method, char* argtype, unsigned int argument);
+
 extern char* SanitizeWithPolicy(long unsigned int p0, char* p1);
 
 extern void FreeCString(char* p0);

development.txt

@@ -1,9 +1,9 @@
 setuptools-golang==2.3.0
-wheel==0.36.1
+wheel==0.37.1
 cffi==1.14.5
 black==20.8b1
 isort==5.6.4
 twine==3.1.1
-pytest==6.1.2
+pytest==6.2.5
 psutil==5.7.3
-cibuildwheel==1.10.0
+cibuildwheel==2.3.1

go.mod

@@ -2,4 +2,7 @@ module pybluemonday
 
 go 1.14
 
-require github.com/microcosm-cc/bluemonday v1.0.16
+require (
+	github.com/microcosm-cc/bluemonday v1.0.18
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+)

go.sum

@@ -2,12 +2,18 @@ github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuP
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-github.com/microcosm-cc/bluemonday v1.0.16 h1:kHmAq2t7WPWLjiGvzKa5o3HzSfahUKiOq7fAPUiMNIc=
-github.com/microcosm-cc/bluemonday v1.0.16/go.mod h1:Z0r70sCuXHig8YpBzCc5eGHAap2K7e/u082ZUpDRRqM=
+github.com/microcosm-cc/bluemonday v1.0.18 h1:6HcxvXDAi3ARt3slx6nTesbvorIc3QeTzBNRvWktHBo=
+github.com/microcosm-cc/bluemonday v1.0.18/go.mod h1:Z0r70sCuXHig8YpBzCc5eGHAap2K7e/u082ZUpDRRqM=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
 golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pybluemonday/__init__.py

@@ -1,9 +1,28 @@
+from enum import IntEnum, unique
 from typing import List
 from unicodedata import normalize
 
 from pybluemonday.bluemonday import ffi, lib
 
-__version__ = "0.0.8"
+__version__ = "0.0.9"
+
+
+@unique
+class SandboxValue(IntEnum):
+    SandboxAllowDownloads = 0
+    SandboxAllowDownloadsWithoutUserActivation = 1
+    SandboxAllowForms = 2
+    SandboxAllowModals = 3
+    SandboxAllowOrientationLock = 4
+    SandboxAllowPointerLock = 5
+    SandboxAllowPopups = 6
+    SandboxAllowPopupsToEscapeSandbox = 7
+    SandboxAllowPresentation = 8
+    SandboxAllowSameOrigin = 9
+    SandboxAllowScripts = 10
+    SandboxAllowStorageAccessByUserActivation = 11
+    SandboxAllowTopNavigation = 12
+    SandboxAllowTopNavigationByUserActivation = 13
 
 
 class AttrPolicyBuilder:
@@ -80,6 +99,14 @@ def method(*args):
                 elif isinstance(args[0], bool):
                     bool_arg = int(args[0])
                     lib.CallPolicyFunctionWithBool(self._id, method_name, bool_arg)
+                elif isinstance(args[0], IntEnum):
+                    enum_arg = args[0]
+                    # Get name of the enum to infer what underlying Go type we need
+                    enum_name = enum_arg.__class__.__name__.encode()
+                    int_arg = int(enum_arg)
+                    lib.CallPolicyFunctionWithInt(
+                        self._id, method_name, enum_name, int_arg
+                    )
             else:
                 lib.CallPolicyFunction(self._id, method_name)
 

tests/bluemonday/test_sanitize.py

@@ -1,4 +1,4 @@
-from pybluemonday import UGCPolicy, StrictPolicy, NewPolicy
+from pybluemonday import UGCPolicy, StrictPolicy, NewPolicy, SandboxValue
 from collections import namedtuple
 from multiprocessing.pool import ThreadPool, Pool
 
@@ -149,3 +149,37 @@ def test_selectStyleBug():
         p.sanitize("<select><option><style><script>alert(1)</script>")
         == "<select><option><style><script>alert(1)</script>"
     )
+
+
+def test_IFrameSandbox():
+    # Test updates from bluemonday v1.0.17
+    p = NewPolicy()
+    p.AllowAttrs("sandbox").OnElements("iframe")
+    input = """<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads"></iframe>"""
+    out = """<iframe sandbox="allow-forms allow-downloads allow-downloads"></iframe>"""
+    assert p.sanitize(input) == out
+
+
+def test_IFrameSandboxAttribute():
+    # Test updates from bluemonday v1.0.17
+    p = NewPolicy()
+    p.AllowIFrames()
+    input = """<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads"></iframe>"""
+    out = """<iframe sandbox=""></iframe>"""
+    assert p.sanitize(input) == out
+
+    p = NewPolicy()
+    p.AllowIFrames()
+    input = """<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads"></iframe>"""
+    out = """<iframe sandbox=""></iframe>"""
+    assert p.sanitize(input) == out
+
+    p.RequireSandboxOnIFrame(SandboxValue.SandboxAllowDownloads)
+    input = """<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads"></iframe>"""
+    out = """<iframe sandbox="allow-downloads"></iframe>"""
+    assert p.sanitize(input) == out
+
+    p.RequireSandboxOnIFrame(SandboxValue.SandboxAllowForms)
+    input = """<iframe src="http://example.com" sandbox="allow-forms allow-downloads allow-downloads"></iframe>"""
+    out = """<iframe sandbox="allow-forms"></iframe>"""
+    assert p.sanitize(input) == out