h!6 HUddlZddlZddlZddlZddlZddlmZddlmZm Z ddl m Z ddl m Z ddlZddlmZddlmZddlmZej*d Zhd hd hd d ZddhZGddZeZeed<d.dedeededefdZiZde defdZ!d/de dede fdZ"d/dede jFded eddf d!Z$d/dede jFded eddf d"Z%d0d#ededefd$Z&ded%e'ddfd&Z(e(d'e$e(d(e% ddl)Z)dd)l*m+Z+d,Z-d.d-Z.y#e,$r Gd*d+Z*YwxYw)1N)deepcopy)OptionalUnion)apps)models)etree)Element)settingsz<[^>]*data-cms-[^>]*>>relhreftarget> render-pluginidaltnametypetitle>roleclassstyle)az cms-plugin*zdata-zaria-ceZdZdZ ddeeeeefdeeefdZdeee eeeefeedfffdZ y) NH3Parsera NH3Parser This class represents a HTML parser for sanitation using NH3. It provides methods to configure the NH3 sanitizer Attributes: - ALLOWED_TAGS: A set of allowed HTML tags. - ALLOWED_ATTRIBUTES: A dictionary mapping HTML tags to sets of allowed attributes for each tag. - generic_attribute_prefixes: A set of prefixes that can be used in attribute names to indicate generic attributes. Methods: - __init__: Initializes the NH3Parser object. Nadditional_attributesgeneric_attribute_prefixesc|t}|t}ttj|_ttj |_ttj ttjz|_||_ tjjD]\}}||vr |||z||<|||<|r|xj|jDchc] }|dk7s | c}zc_|jD]9\}}|j j|t|z|j |<;yycc}w)Nr)cms_additional_attributescms_generic_attribute_prefixesrnh3 ALLOWED_TAGSALLOWED_ATTRIBUTESALLOWED_URL_SCHEMESsetr TEXT_ADDITIONAL_PROTOCOLSrTEXT_ADDITIONAL_ATTRIBUTESitemskeysget)selfrrtag attributeskeys C/home/dcms/DCMS/lib/python3.12/site-packages/djangocms_text/html.py__init__zNH3Parser.__init__,sA ! ($= ! % -)G &&.s/?/?&@7?@V@V7W-5c6M6M-NQTU]UwUwQx-x 4N''BBHHJ 8OC++-B3-G*-T%c*-7%c*  8 !   1F1K1K1M!\#QTX[Q[#!\ \ #8#>#>#@ dZ/3/F/F/J/J3PSPU/VYc/c'', d !!\s ' E2Ereturncb|j|j|j|jddS)aq Return a dictionary containing the attributes, tags, generic_attribute_prefixes, and link_rel values for immediate passing to the nh3.clean function. :return: A dictionary with the following keys: - "attributes": A dictionary containing the allowed attributes setting. - "tags": The set of allowed tags. - "generic_attribute_prefixes": The set of generic attribute prefixes. - "link_rel": None The dictionary represents the allowed configurations for the method. :rtype: dict[str, Union[dict[str, set[str]], set[str], None]] N)r,tagsr url_schemeslink_rel)r"r!rr#)r*s r.__call__zNH3Parser.__call__Fs5 11%%*.*I*I33   NN) __name__ __module__ __qualname____doc__rdictstrr$r/rr5r6r.rrsy "@D9=d'S#c(](;<d%-SX$6d4 $sE$sCH}*=s3x*M$NNO r6r cms_parserdatafullcleanerr0ctjdur|S|tjdtd|xst }t j|fi|S)z Cleans HTML from XSS vulnerabilities using nh3 If full is False, only the contents inside will be returned (without the tags). Fz/full argument is deprecated and will be removed)category stacklevel)r TEXT_HTML_SANITIZEwarningswarnDeprecationWarningr?r clean)r@rArBs r. clean_htmlrLbsT""e+   =' #G 99T 'WY ''r6poolcL|r"ddj|jzSy)a Generate an xpath expression based on the given pool of attributes. :param pool: A dictionary of attributes to be included in the xpath expression. :type pool: dict :return: A string representing the xpath expression. :rtype: str z//*[@z] | //)joinr()rMs r. get_xpathrQzs$ tyy{333 r6r admin_objectscNi}|jD]\}}i||< tj|jddd}|rt |dr |j }n |j }|j|D]}||||j<|S#t$rYwxYw)a  Retrieve data from the database. Parameters: - models (dict): A dictionary mapping model names to lists of object IDs. - admin_objects (bool, optional): Flag indicating whether to retrieve latest admin objects (e.g., unpublished versions only visible in the admin). Defaults to False. Returns: - dict: A dictionary containing the retrieved data, with model names as keys and dictionaries of objects as values. The inner dictionaries have object IDs as keys and objects as values .NrD admin_manager)id__in) r'r get_modelsplithasattrrUobjectsfilterr Exception)rrRresultmodelids DjangoModelobjs r.get_data_from_dbrbsF"flln  su  ..%++c*:2A*>?Ko!F)77 )11 ")))5 ,(+u cff% ,  M   sA4B B$#B$elemraattr edit_modecd}t|dr#|j}|xsd|j|<|s*d|jd<|jdk(r |sd|_yyyy) a  Modifies an element's attribute to create a dynamic hyperlink based on the provided model object. In case the object has a "get_absolute_url" method, and it returns a non-empty value, the attribute of the element will be set to the URL returned by the method. Otherwise, the "data-cms-error" attribute of the element will be set to "ref-not-found". A hyperlink with a missing reference will be turned into a span element with a "data-cms-error" attribute set to "ref-not-found". :param elem: The element to modify. :type elem: Element :param obj: The model object to use for generating the hyperlink. :type obj: models.Model :param attr: The attribute name to set the generated hyperlink. :type attr: str :return: None rOget_absolute_url# ref-not-founddata-cms-errorrspanN)rYrgattribr+rcrardre target_values r. dynamic_hrefrosg&Ls&'++- (/C D (7 $% 88s?9DH$-? r6cd}t|dr/|j}|r|j|j|<|sd|jd<yy)a This method modifies the provided element by setting the value of the specified attribute based on the provided object. If the object has a "get_absolute_url" method, and it returns a non-empty value, the attribute of the element will be set to the URL returned by the method. Otherwise, the "data-cms-error" attribute of the XML element will be set to "ref-not-found". :param elem: The XML element to modify. :type elem: Element :param obj: The object to use as the source of the attribute value. :type obj: models.Model :param attr: The attribute name to modify in the XML element. :type attr: str :return: None :rtype: NoneType rOrgrirjN)rYrgrlrms r. dynamic_srcrqsS"Ls&'++-  # 4 4 6DKK  (7 $% r6dyn_htmlctj|s|Si}tj|tj}||St t }g}d}|j|D]}|jjD]\} } | t vs | jdd\} } | j|vr:|| jjt| jn+t| jh|| j<|j!|t#||} |D]}|jjD]\} } | t vs| t%|d} | jdd\} } | | jt| j}t | |||||su|j| =tj(|d j+d }|j-d j/d }|j-d j/d}|S#ttf$rYAwxYw#t&tf$rd}YwxYw)a Render method to update dynamic attributes in HTML Parameters: - dyn_html (str): The HTML content with dynamic attributes - admin_objects (bool) (optional): Flag to indicate whether to fetch data from admin objects (default: False) - remove_attr (bool) (optional): Flag to indicate whether to remove dynamic attributes from the final HTML (default: True) Returns: - str: The updated HTML content with dynamic attributes )parserNz data-cms-:)rR)rehtml)methodzutf-8zzzz)dyn_attr_patternsearchr fromstring HTMLParserrQdynamic_attr_poolxpathrlr'rsplitstripaddint TypeError ValueErrorappendrblenKeyErrortostringdecode removeprefix removesuffix)rrrR remove_attr req_model_objtreer~ update_queueprefixrcrdvaluer^pkfrom_db target_attrradocs r.render_dynamic_attributesrsK  " "8 ,M   HU-=-=-? @D | ' (EL F 5! *;;,,. *KD%(( % S! 4IE2{{} 5%ekkm488RXXZI8;BHHJ7H ekkm4##D) * *}MJG *;;,,. *KD%(("3v;=1  % S! 4IE2!%++-0RXXZAC"$'c;-X D) * * ..f - 4 4W =C  8 $ 1 1) r6r.rr%s r6rcddlm}tjs|Stj j d}tjj|}|j|}d}|jdD]}|jd}|jds'|jd } |jd } tjd } | j|} | j!} | d }| d }|j#dr|j%dd} t'j(|} |j%dd}t1j2|}|dk(s|dk(rd}n`|dk(rd}nX|dk(rd}nPt5j6|}t1j2}d}|j9|d|j;d|}t=j>d|}tA|||| | }||}|jBjE|jG|jHd|d}|rIdjK|jddjHDcgc]}|jMc}S|S#t*$rt'j,|}YswxYw#t.$rd}YpwxYwcc}w)zt extracts base64 encoded images from drag and drop actions in browser and saves those images as plugins rv) plugin_to_tagdom)rFimgsrczdata:widthheightz=data:(?P[^"]*);(?P[^"]*),(?P[^"]*) mime_typer@;r/rOjpgjpegpnggifJPEGrT) parent_pluginrrTbody)'utilsrr TEXT_SAVE_IMAGE_FUNCTIONhtml5lib treebuildersgetTreeBuilder html5parserr|parsegetElementsByTagName getAttribute startswithrecompilerz groupdictfindrXbase64 b64decoder\urlsafe_b64decode IndexErrorioBytesIOropensaveseekuuiduuid4img_data_to_plugin parentNode replaceChild parseFragment childNodesrPtoxml)r@pluginr tree_builderrtrfoundrrrrdata_remdrr image_data image_typeimage file_endingim new_imagefilename image_plugin new_img_htmlys r.extract_imagesr)s %  , , ((77>L  ! ! , ,, , ?F ,,t C E''.5u%~~g&   )!!(+**]^ NN3  [[]{O Z >># !,Q/I >))*5J "-a0J :&  *"6K 5 K 5 KE"B IK GGIv & NN1 Ejjl^1[M2)     %\2  ##F$8$8$F$Q$QRS$TVYZk5l ww3+C+CF+KA+N+Y+YZa Z[[ Q >11*=J > J D[s*+JJ72K J43J47 KKctjjdd}tdj tjjddd|g}t ||}||||||S)NrT)fromlist)rr)r rrX __import__rPgetattr)rrrrr func_namemodulefuncs r.rrrsq1177r6r.rs " #2::67 "I # #*7!3? ? D" I#(S(( (UX(( D S T$4<wV\\Z^:8g8FLL888Y]8477D7_b7t**(*t*o|, nk* FRL_    s= DD! D!