From c53c97cbfec7aaf3e9f018875779e0232ba294e9 Mon Sep 17 00:00:00 2001
From: Nicholas Bollweg <nick.bollweg@gmail.com>
Date: Fri, 8 Apr 2022 04:39:45 -0500
Subject: [PATCH] support bleach 5, add packaging and tinycss2 dependencies
 (#1755)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 nbconvert/preprocessors/sanitize.py | 49 ++++++++++++++++++++++++++---
 setup.py                            | 22 +++++++------
 2 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/nbconvert/preprocessors/sanitize.py b/nbconvert/preprocessors/sanitize.py
index 16c981a31..8361e69fb 100644
--- a/nbconvert/preprocessors/sanitize.py
+++ b/nbconvert/preprocessors/sanitize.py
@@ -2,11 +2,46 @@
 NBConvert Preprocessor for sanitizing HTML rendering of notebooks.
 """
 
-from bleach import ALLOWED_ATTRIBUTES, ALLOWED_STYLES, ALLOWED_TAGS, clean
+import warnings
+
+from bleach import ALLOWED_ATTRIBUTES, ALLOWED_TAGS, clean
 from traitlets import Any, Bool, List, Set, Unicode
 
+_USE_BLEACH_CSS_SANITIZER = False
+_USE_BLEACH_STYLES = False
+
+
+try:
+    # bleach[css] >=5.0
+    from bleach.css_sanitizer import ALLOWED_CSS_PROPERTIES as ALLOWED_STYLES
+    from bleach.css_sanitizer import CSSSanitizer
+
+    _USE_BLEACH_CSS_SANITIZER = True
+    _USE_BLEACH_STYLES = False
+except ImportError:
+    try:
+        # bleach <5
+        from bleach import ALLOWED_STYLES
+
+        _USE_BLEACH_CSS_SANITIZER = False
+        _USE_BLEACH_STYLES = True
+        warnings.warn(
+            "Support for bleach <5 will be removed in a future version of nbconvert",
+            DeprecationWarning,
+        )
+
+    except ImportError:
+        warnings.warn(
+            "The installed bleach/tinycss2 do not provide CSS sanitization, "
+            "please upgrade to bleach >=5",
+            UserWarning,
+        )
+
+
 from .base import Preprocessor
 
+__all__ = ["SanitizeHTML"]
+
 
 class SanitizeHTML(Preprocessor):
 
@@ -118,11 +153,17 @@ def sanitize_html_tags(self, html_str):
         """
         Sanitize a string containing raw HTML tags.
         """
-        return clean(
-            html_str,
+        kwargs = dict(
             tags=self.tags,
             attributes=self.attributes,
-            styles=self.styles,
             strip=self.strip,
             strip_comments=self.strip_comments,
         )
+
+        if _USE_BLEACH_CSS_SANITIZER:
+            css_sanitizer = CSSSanitizer(allowed_css_properties=self.styles)
+            kwargs.update(css_sanitizer=css_sanitizer)
+        elif _USE_BLEACH_STYLES:
+            kwargs.update(styles=self.styles)
+
+        return clean(html_str, **kwargs)
diff --git a/setup.py b/setup.py
index f3d91dabe..440823093 100644
--- a/setup.py
+++ b/setup.py
@@ -237,20 +237,22 @@ def get_data_files():
 )
 
 setup_args["install_requires"] = [
-    "mistune>=0.8.1,<2",
+    "beautifulsoup4",
+    "bleach",
+    "defusedxml",
+    "entrypoints>=0.2.2",
     "jinja2>=2.4",
-    "pygments>=2.4.1",
-    "jupyterlab_pygments",
-    "traitlets>=5.0",
     "jupyter_core",
+    "jupyterlab_pygments",
+    "MarkupSafe>=2.0",
+    "mistune>=0.8.1,<2",
+    "nbclient>=0.5.0,<0.6.0",
     "nbformat>=4.4",
-    "entrypoints>=0.2.2",
-    "bleach",
+    "packaging",
     "pandocfilters>=1.4.1",
-    "defusedxml",
-    "beautifulsoup4",
-    "nbclient>=0.5.0,<0.6.0",
-    "MarkupSafe>=2.0",
+    "pygments>=2.4.1",
+    "tinycss2",  # for bleach >=5
+    "traitlets>=5.0",
 ]
 
 pyppeteer_req = "pyppeteer>=1,<1.1"