reviewboard.reviews.markdown_utils
-
SAFE_MARKDOWN_TAGS = [u'a', u'b', u'blockquote', u'br', u'code', u'dd', u'del', u'div', u'dt', u'em', u'h1', u'h2', u'h3', u'h4', u'h5', u'h6', u'hr', u'i', u'img', u'li', u'ol', u'p', u'pre', u'span', u'strong', u'sub', u'sup', u'table', u'tbody', u'td', u'foot', u'th', u'thead', u'tr', u'tt', u'ul']
A list of HTML tags considered to be safe in Markdown-generated output.
Anything not in this list will be escaped when sanitizing the resulting HTML.
New in version 3.0.22.
-
SAFE_MARKDOWN_ATTRS = {u'*': [u'class', u'id'], u'a': [u'href', u'alt', u'title'], u'img': [u'src', u'alt', u'title']}
Mappings of HTML tags to attributes considered to be safe for Markdown.
Anything not in this list will be removed when sanitizing the resulting HTML.
New in version 3.0.22.
-
SAFE_MARKDOWN_URL_PROTOCOLS = [u'http', u'https', u'mailto']
A list of protocols considered safe for URLs.
This can be overridden by setting settings.ALLOWED_MARKDOWN_URL_PROTOCOLS.
New in version 3.0.24.
-
markdown_escape(text)
Escapes text for use in Markdown.
This will escape the provided text so that none of the characters will be rendered specially by Markdown.
This is deprecated. Please use djblets.markdown.markdown_escape instead.
-
markdown_unescape(escaped_text)
Unescapes Markdown-escaped text.
This will unescape the provided Markdown-formatted text so that any escaped characters will be unescaped.
This is deprecated. Please use djblets.markdown.markdown_unescape instead.
-
markdown_escape_field(obj, field_name)
Escapes Markdown text in a model or dictionary’s field.
This is a convenience around markdown_escape to escape the contents of a particular field in a model or dictionary.
-
markdown_unescape_field(obj, field_name)
Unescapes Markdown text in a model or dictionary’s field.
This is a convenience around markdown_unescape to unescape the contents of a particular field in a model or dictionary.
-
normalize_text_for_edit(user, text, rich_text, escape_html=True)
Normalizes text, converting it for editing.
This will normalize text for editing based on the rich_text flag and the user settings.
If the text is not in Markdown and the user edits in Markdown by default, this will return the text escaped for edit. Otherwise, the text is returned as-is.
-
markdown_render_conditional(text, rich_text)
Return the escaped HTML content based on the rich_text flag.
-
markdown_set_field_escaped(obj, field, escaped)
Escapes or unescapes the specified field in a model or dictionary.
-
iter_markdown_lines(markdown_html)
Iterates over lines of Markdown, normalizing for individual display.
Generated Markdown HTML cannot by itself be handled on a per-line basis. Code blocks, for example, will consist of multiple lines of content contained within a <pre> tag. Likewise, lists will be a bunch of <li> tags inside a <ul> tag, and individually do not form valid lists.
This function iterates through the Markdown tree and generates self-contained lines of HTML that can be rendered individually.
This is deprecated. Please use djblets.markdown.iter_markdown_lines instead.
-
get_markdown_element_tree(markdown_html)
Returns an XML element tree for Markdown-generated HTML.
This will build the tree and return all nodes representing the rendered Markdown content.
This is deprecated. Please use djblets.markdown.get_markdown_element_tree instead.
-
sanitize_illegal_chars_for_xml(s)
Sanitize a string, removing characters illegal in XML.
This will remove a number of characters that would break the XML parser. They may be in the string due to a copy/paste.
This code is courtesy of the XmlRpcPlugin developers, as documented here: http://stackoverflow.com/a/22273639
This is deprecated. Please use djblets.markdown.sanitize_illegal_chars_for_xml instead.
-
clean_markdown_html(html)
Return a cleaned, secure version of Markdown-rendered HTML/XHTML.
This will sanitize Markdown-rendered HTML, ensuring that only a trusted list of HTML tags, attributes, and URI schemes are included in the HTML. Anything else will be left out or transformed into a safe representation of the original content.
The result will always be in XHTML form, to allow for XML processing of the content.
New in version 3.0.24.
Parameters: html (unicode) – The Markdown-rendered HTML to clean.
Returns: A sanitized XHTML representation of the Markdown-rendered HTML.
Return type: unicode
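The policy expressed by SAFE_MARKDOWN_TAGS, SAFE_MARKDOWN_ATTRS and SAFE_MARKDOWN_URL_PROTOCOLS, written out as an added illustration in standard-library Python 3; this is not Review Board's implementation of clean_markdown_html. The names AllowlistCleaner and allowlist_clean are hypothetical, and the input is assumed to have balanced tags, as Markdown renderer output does.

```python
import re
from html import escape
from html.parser import HTMLParser

# Policy values copied from the constants documented on this page.
SAFE_TAGS = set(
    'a b blockquote br code dd del div dt em h1 h2 h3 h4 h5 h6 hr i img li ol '
    'p pre span strong sub sup table tbody td foot th thead tr tt ul'.split())
SAFE_ATTRS = {'*': ['class', 'id'], 'a': ['href', 'alt', 'title'],
              'img': ['src', 'alt', 'title']}
SAFE_PROTOCOLS = {'http', 'https', 'mailto'}
URL_ATTRS = {'href', 'src'}      # attributes whose value is a URL
VOID_TAGS = {'br', 'hr', 'img'}  # emitted self-closed for XHTML
SCHEME_RE = re.compile(r'([A-Za-z][A-Za-z0-9+.-]*):')

class AllowlistCleaner(HTMLParser):  # hypothetical helper, not Review Board code
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _safe_url(self, value):
        # The parser has decoded entities; drop whitespace/control chars too.
        compact = ''.join(c for c in value if c > ' ')
        match = SCHEME_RE.match(compact)
        return match is None or match.group(1).lower() in SAFE_PROTOCOLS

    def handle_starttag(self, tag, attrs):
        if tag not in SAFE_TAGS:  # unknown tag: escape it, keep it visible
            self.out.append(escape(self.get_starttag_text()))
            return
        allowed = SAFE_ATTRS['*'] + SAFE_ATTRS.get(tag, [])
        kept = ''
        for name, value in attrs:
            if name in allowed and (name not in URL_ATTRS
                                    or self._safe_url(value or '')):
                kept += ' %s="%s"' % (name, escape(value or ''))
        self.out.append('<%s%s%s>' % (tag, kept, ' /' if tag in VOID_TAGS else ''))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:  # void tags were already self-closed
            self.out.append('</%s>' % tag if tag in SAFE_TAGS else '&lt;/%s&gt;' % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def allowlist_clean(html):
    cleaner = AllowlistCleaner()
    cleaner.feed(html)
    cleaner.close()
    return ''.join(cleaner.out)
```

Checking the scheme only after entity decoding and whitespace removal is what catches values such as `jav&#9;ascript:`; a plain prefix comparison on the raw attribute text would let them through.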
-
render_markdown(text)
Render Markdown text to XHTML.
The Markdown text will be sanitized to prevent injecting custom HTML or dangerous links. It will also enable a few plugins for code highlighting and sane lists.
It’s rendered to XHTML in order to allow the element tree to be easily parsed for code review and change description diffing.
Parameters: text (bytes or unicode) – The Markdown text to render.
If this is a byte string, it must represent UTF-8-encoded text.
Returns: The Markdown-rendered XHTML.
Return type: unicode
-
render_markdown_from_file(f)
Render Markdown text from a file to XHTML.
The Markdown text will be sanitized to prevent injecting custom HTML. It will also enable a few plugins for code highlighting and sane lists.
Changed in version 3.0.24: This has been updated to sanitize the rendered HTML to avoid any security issues.
Parameters: f (file) – The file stream to read from.
Returns: The Markdown-rendered XHTML.
Return type: unicode