Move HTML validation from naucse.utils.views to naucse.validation

The validator wasn't even used in views!

Author: encukou

naucse/models.py

@@ -14,7 +14,8 @@
 import naucse.utils.views
 from naucse.utils.models import Model, YamlProperty, DataProperty, DirProperty, MultipleModelDirProperty, ForkProperty
 from naucse.utils.models import reify, arca
-from naucse.utils.views import AllowedElementsParser, absolute_urls_to_freeze
+from naucse.utils.views import absolute_urls_to_freeze
+from naucse.validation import AllowedElementsParser
 from naucse.templates import setup_jinja_env, vars_functions
 from naucse.utils.markdown import convert_markdown
 from naucse.utils.notebook import convert_notebook

naucse/utils/links.py

@@ -3,7 +3,7 @@
 from xml.dom import SyntaxErr
 
 from naucse.models import Page
-from naucse.utils.views import DisallowedStyle
+from naucse.validation import DisallowedStyle
 
 
 class InvalidInfo(Exception):

naucse/utils/views.py

@@ -3,11 +3,8 @@
 import json
 import os
 from collections import deque, defaultdict
-from html.parser import HTMLParser
 from pathlib import Path
-from xml.dom import SyntaxErr
 
-import cssutils
 from arca.exceptions import PullError, BuildError, RequirementsMismatch
 from arca.utils import get_hash_for_file
 
@@ -104,131 +101,6 @@ def get_lesson_tree_hash(repo, lesson_slug):
     return commit
 
 
-class DisallowedElement(Exception):
-    pass
-
-
-class InvalidHTML(DisallowedElement):
-    pass
-
-
-class DisallowedAttribute(DisallowedElement):
-    pass
-
-
-class DisallowedStyle(Exception):
-
-    _BASE = "Style element or page css are only allowed when they modify .dataframe elements."
-    COULD_NOT_PARSE = _BASE + " Ccould not parse the styles and verify."
-    OUT_OF_SCOPE = _BASE + " Rendered page contains a style that modifies something else."
-
-
-class AllowedElementsParser(HTMLParser):
-    """
-    This parser is used on all HTML returned from forked repositories.
-
-    It raises exceptions in two cases:
-
-    * :class:`DisallowedElement` - if a element not defined in :attr:`allowed_elements` is used
-    * :class:`DisallowedStyle` - if a <style> element contains unparsable css or if it modifies something
-      different than ``.dataframe`` elements.
-    """
-
-    def __init__(self, **kwargs):
-        super(AllowedElementsParser, self).__init__(**kwargs)
-        self.css_parser = cssutils.CSSParser(raiseExceptions=True)
-
-        #: Set of allowed HTML elements
-        #: It has been compiled out of elements currently used in canonical lessons
-        self.allowed_elements = {
-            # functional:
-            'a', 'abbr', 'audio', 'img', 'source',
-
-            # styling:
-            'big', 'blockquote', 'code', 'font', 'i', 'tt', 'kbd', 'u', 'var', 'small', 'em', 'strong', 'sub',
-
-            # formatting:
-            'br', 'div', 'hr', 'p', 'pre', 'span',
-
-            # lists:
-            'dd', 'dl', 'dt', 'li', 'ul', 'ol',
-
-            # headers:
-            'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
-
-            # tables:
-            'table', 'tbody', 'td', 'th', 'thead', 'tr',
-
-            # icons:
-            'svg', 'circle', 'path',
-
-            # A special check is applied in :meth:`handle_data` method
-            # (only ``.dataframe`` styles allowed, generated from notebook converter)
-            'style',
-        }
-
-        #: Set of allowed HTML attributes
-        #: Compiled out of currently used in canonical lesson
-        self.allowed_attributes = {
-            'alt', 'aria-hidden', 'border', 'class', 'color', 'colspan', 'controls', 'cx', 'cy', 'd', 'halign', 'href',
-            'id', 'r', 'rowspan', 'src', 'start', 'title', 'type', 'valign', 'viewbox',
-
-            # inline styles generated from notebook converter
-            'style',
-        }
-
-        self.attrs = set()
-
-    def error(self, message):
-        raise InvalidHTML(message)
-
-    def check_attributes(self, attrs):
-        attr_names = set([x[0] for x in attrs])
-
-        if len(attr_names - self.allowed_attributes):
-            raise DisallowedAttribute("Attributes '{}' are not allowed".format(", ".join(attr_names)))
-
-    def handle_starttag(self, tag, attrs):
-        if tag not in self.allowed_elements:
-            raise DisallowedElement(f"Element {tag} is not allowed.")
-
-        self.check_attributes(attrs)
-
-    def handle_startendtag(self, tag, attrs):
-        if tag not in self.allowed_elements:
-            raise DisallowedElement(f"Element {tag} is not allowed.")
-
-        self.check_attributes(attrs)
-
-    def handle_data(self, data):
-        if self.lasttag == "style":
-            self.validate_css(data)
-
-    def reset_and_feed(self, data):
-        self.reset()
-        self.feed(data)
-
-    def allow_selector(self, selector: str):
-        if not selector.startswith(".dataframe "):
-            return False
-
-        return True
-
-    def validate_css(self, data):
-        try:
-            parsed_css = self.css_parser.parseString(data)
-        except SyntaxErr:
-            raise DisallowedStyle(DisallowedStyle.COULD_NOT_PARSE)
-        else:
-            if len(parsed_css.cssRules) == 0:
-                return
-
-            if not all([self.allow_selector(selector.selectorText)
-                        for rule in parsed_css.cssRules
-                        for selector in rule.selectorList]):
-                raise DisallowedStyle(DisallowedStyle.OUT_OF_SCOPE)
-
-
 def forks_enabled():
     """ Returns if forks are enabled. By default they're not (for the purposes of local development).
 

naucse/validation.py

@@ -0,0 +1,130 @@
+from xml.dom import SyntaxErr
+
+from html.parser import HTMLParser
+
+import cssutils
+
+
+class DisallowedElement(Exception):
+    pass
+
+
+class InvalidHTML(DisallowedElement):
+    pass
+
+
+class DisallowedAttribute(DisallowedElement):
+    pass
+
+
+class DisallowedStyle(Exception):
+
+    _BASE = "Style element or page css are only allowed when they modify .dataframe elements."
+    COULD_NOT_PARSE = _BASE + " Ccould not parse the styles and verify."
+    OUT_OF_SCOPE = _BASE + " Rendered page contains a style that modifies something else."
+
+
+class AllowedElementsParser(HTMLParser):
+    """
+    This parser is used on all HTML returned from forked repositories.
+
+    It raises exceptions in two cases:
+
+    * :class:`DisallowedElement` - if a element not defined in :attr:`allowed_elements` is used
+    * :class:`DisallowedStyle` - if a <style> element contains unparsable css or if it modifies something
+      different than ``.dataframe`` elements.
+    """
+
+    def __init__(self, **kwargs):
+        super(AllowedElementsParser, self).__init__(**kwargs)
+        self.css_parser = cssutils.CSSParser(raiseExceptions=True)
+
+        #: Set of allowed HTML elements
+        #: It has been compiled out of elements currently used in canonical lessons
+        self.allowed_elements = {
+            # functional:
+            'a', 'abbr', 'audio', 'img', 'source',
+
+            # styling:
+            'big', 'blockquote', 'code', 'font', 'i', 'tt', 'kbd', 'u', 'var', 'small', 'em', 'strong', 'sub',
+
+            # formatting:
+            'br', 'div', 'hr', 'p', 'pre', 'span',
+
+            # lists:
+            'dd', 'dl', 'dt', 'li', 'ul', 'ol',
+
+            # headers:
+            'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+
+            # tables:
+            'table', 'tbody', 'td', 'th', 'thead', 'tr',
+
+            # icons:
+            'svg', 'circle', 'path',
+
+            # A special check is applied in :meth:`handle_data` method
+            # (only ``.dataframe`` styles allowed, generated from notebook converter)
+            'style',
+        }
+
+        #: Set of allowed HTML attributes
+        #: Compiled out of currently used in canonical lesson
+        self.allowed_attributes = {
+            'alt', 'aria-hidden', 'border', 'class', 'color', 'colspan', 'controls', 'cx', 'cy', 'd', 'halign', 'href',
+            'id', 'r', 'rowspan', 'src', 'start', 'title', 'type', 'valign', 'viewbox',
+
+            # inline styles generated from notebook converter
+            'style',
+        }
+
+        self.attrs = set()
+
+    def error(self, message):
+        raise InvalidHTML(message)
+
+    def check_attributes(self, attrs):
+        attr_names = set([x[0] for x in attrs])
+
+        if len(attr_names - self.allowed_attributes):
+            raise DisallowedAttribute("Attributes '{}' are not allowed".format(", ".join(attr_names)))
+
+    def handle_starttag(self, tag, attrs):
+        if tag not in self.allowed_elements:
+            raise DisallowedElement(f"Element {tag} is not allowed.")
+
+        self.check_attributes(attrs)
+
+    def handle_startendtag(self, tag, attrs):
+        if tag not in self.allowed_elements:
+            raise DisallowedElement(f"Element {tag} is not allowed.")
+
+        self.check_attributes(attrs)
+
+    def handle_data(self, data):
+        if self.lasttag == "style":
+            self.validate_css(data)
+
+    def reset_and_feed(self, data):
+        self.reset()
+        self.feed(data)
+
+    def allow_selector(self, selector: str):
+        if not selector.startswith(".dataframe "):
+            return False
+
+        return True
+
+    def validate_css(self, data):
+        try:
+            parsed_css = self.css_parser.parseString(data)
+        except SyntaxErr:
+            raise DisallowedStyle(DisallowedStyle.COULD_NOT_PARSE)
+        else:
+            if len(parsed_css.cssRules) == 0:
+                return
+
+            if not all([self.allow_selector(selector.selectorText)
+                        for rule in parsed_css.cssRules
+                        for selector in rule.selectorList]):
+                raise DisallowedStyle(DisallowedStyle.OUT_OF_SCOPE)

naucse/views.py

@@ -24,9 +24,11 @@
 from naucse.utils.links import (process_course_data, process_session_data, process_page_data, process_footer_data,
                                 InvalidInfo)
 from naucse.utils.models import arca
-from naucse.utils.views import (get_recent_runs, list_months, DisallowedStyle,
-                                 DisallowedElement, does_course_return_info, absolute_urls_to_freeze,
-                                 raise_errors_from_forks, page_content_cache_key, InvalidHTML, get_edit_info)
+from naucse.utils.views import get_recent_runs, list_months
+from naucse.utils.views import does_course_return_info
+from naucse.utils.views import absolute_urls_to_freeze, raise_errors_from_forks
+from naucse.utils.views import page_content_cache_key, get_edit_info
+from naucse.validation import DisallowedStyle, DisallowedElement, InvalidHTML
 
 # so it can be mocked
 import naucse.utils.views

test_naucse/test_validation.py

@@ -0,0 +1,78 @@
+import pytest
+
+import naucse.validation
+
+
+def test_allowed_elements():
+    allowed_elements = naucse.validation.AllowedElementsParser()
+
+    allowed_elements.reset_and_feed(
+        "<div><strong><u><a>Test</a></u></div>"
+    )
+
+    with pytest.raises(naucse.validation.DisallowedElement):
+        allowed_elements.reset_and_feed(
+            "<div><script>alert('XSS')</script></div>"
+        )
+
+
+def test_allowed_styles():
+    allowed_elements = naucse.validation.AllowedElementsParser()
+
+    allowed_elements.reset_and_feed(
+        """
+        <style>
+        .dataframe thead tr:only-child th {
+            text-align: right;
+        }
+
+        </style>
+        """
+    )
+
+    # valid styles, but wrong elements
+    with pytest.raises(naucse.validation.DisallowedStyle):
+        allowed_elements.reset_and_feed(
+            """
+            <style>
+            .green {
+                color: green;
+            }
+            </style>
+            """
+        )
+
+    # can't parse
+    with pytest.raises(naucse.validation.DisallowedStyle):
+        allowed_elements.reset_and_feed(
+            """
+            <style>
+            .green {
+                color: green
+            </style>
+            """
+        )
+
+    # multiple selectors in one rule
+    # valid:
+    allowed_elements.reset_and_feed(
+        """
+        <style>
+        .dataframe .green, .dataframe .also-green {
+            color: green;
+        }
+        </style>
+        """
+    )
+
+    # invalid:
+    with pytest.raises(naucse.validation.DisallowedStyle):
+        allowed_elements.reset_and_feed(
+            """
+            <style>
+            .dataframe .green, .also-green {
+                color: green;
+            }
+            </style>
+            """
+        )