reviewboard.reviews.markdown_utils¶

SAFE_MARKDOWN_TAGS = ['a', 'b', 'blockquote', 'br', 'code', 'dd', 'del', 'div', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'foot', 'th', 'thead', 'tr', 'tt', 'ul'][source]¶

A list of HTML tags considered to be safe in Markdown-generated output.

Anything not in this list will be escaped when sanitizing the resulting HTML.

New in version 3.0.22.

SAFE_MARKDOWN_ATTRS = {'*': ['class', 'id'], 'a': ['href', 'alt', 'title'], 'img': ['src', 'alt', 'title']}[source]¶

Mappings of HTML tags to attributes considered to be safe for Markdown.

Anything not in this list will be removed when sanitizing the resulting HTML.

New in version 3.0.22.

SAFE_MARKDOWN_URL_PROTOCOLS = ['http', 'https', 'mailto'][source]¶

A list of protocols considered safe for URLs.

This can be overridden by setting settings.ALLOWED_MARKDOWN_URL_PROTOCOLS.

New in version 3.0.24.

markdown_escape_field(obj, field_name)[source]¶

Escapes Markdown text in a model or dictionary’s field.

This is a convenience around markdown_escape to escape the contents of a particular field in a model or dictionary.

markdown_unescape_field(obj, field_name)[source]¶

Unescapes Markdown text in a model or dictionary’s field.

This is a convenience around markdown_unescape to unescape the contents of a particular field in a model or dictionary.

normalize_text_for_edit(user, text, rich_text, escape_html=True)[source]¶

Normalizes text, converting it for editing.

This will normalize text for editing based on the rich_text flag and the user settings.

If the text is not in Markdown and the user edits in Markdown by default, this will return the text escaped for edit. Otherwise, the text is returned as-is.

markdown_render_conditional(text, rich_text)[source]¶

Return the escaped HTML content based on the rich_text flag.

is_rich_text_default_for_user(user)[source]¶

Returns whether the user edits in Markdown by default.

markdown_set_field_escaped(obj, field, escaped)[source]¶

Escapes or unescapes the specified field in a model or dictionary.

clean_markdown_html(html)[source]¶

Return a cleaned, secure version of Markdown-rendered HTML/XHTML.

This will sanitize Markdown-rendered HTML, ensuring that only a trusted list of HTML tags, attributes, and URI schemes are included in the HTML. Anything else will be left out or transformed into a safe representation of the original content.

The result will always be in XHTML form, to allow for XML processing of the content.

New in version 3.0.24.

Parameters:

html (unicode) – The Markdown-rendered HTML to clean.

Returns:

A sanitizied XHTML representation of the Markdown-rendered HTML.

Return type:

unicode

render_markdown(text)[source]¶

Render Markdown text to XHTML.

The Markdown text will be sanitized to prevent injecting custom HTML or dangerous links. It will also enable a few plugins for code highlighting and sane lists.

It’s rendered to XHTML in order to allow the element tree to be easily parsed for code review and change description diffing.

Parameters:

text (bytes or unicode) –

The Markdown text to render.

If this is a byte string, it must represent UTF-8-encoded text.

Returns:

The Markdown-rendered XHTML.

Return type:

unicode

render_markdown_from_file(f)[source]¶

Render Markdown text from a file to XHTML.

The Markdown text will be sanitized to prevent injecting custom HTML. It will also enable a few plugins for code highlighting and sane lists.

Changed in version 3.0.24: This has been updated to sanitize the rendered HTML to avoid any security issues.

Parameters:

f (file) – The file stream to read from.

Returns:

The Markdown-rendered XHTML.

Return type:

unicode