Add pacakge nh3 (#4387)

docs/project/changelog.md

@@ -130,7 +130,7 @@ myst:
 
 - New Packages: `river` {pr}`4197`, `sisl` {pr}`4210`, `frozenlist` {pr}`4231`,
   `zengl` {pr}`4208`, `msgspec` {pr}`4265`, `aiohttp` {pr}`4282`, `pysam` {pr}`4268`,
-  `requests`, `urllib3` {pr}`4332`
+  `requests`, `urllib3` {pr}`4332`, `nh3` {pr}`4387`
 - Upgraded zengl to 2.2.0 {pr}`4364`
 
 ## Version 0.24.1

packages/nh3/meta.yaml

@@ -0,0 +1,16 @@
+package:
+  name: nh3
+  version: 0.2.15
+  top-level:
+    - nh3
+source:
+  url: https://files.pythonhosted.org/packages/08/03/506eb477d723da0db7c46d6259ee06bc68243ef40f5626eb66ab72ae4d69/nh3-0.2.15.tar.gz
+  sha256: d1e30ff2d8d58fb2a14961f7aac1bbb1c51f9bdd7da727be35c63826060b0bf3
+requirements:
+  executable:
+    - rustup
+about:
+  home: ""
+  PyPI: https://pypi.org/project/nh3
+  summary: Python bindings to the ammonia HTML sanitization library.
+  license: MIT

packages/nh3/test_nh3.py

@@ -0,0 +1,93 @@
+from pytest_pyodide import run_in_pyodide
+
+
+@run_in_pyodide(packages=["nh3"])
+def test_clean(selenium):
+    import nh3
+
+    html = "<b><img src='' onerror='alert(\\'hax\\')'>I'm not trying to XSS you</b>"
+    assert nh3.clean(html) == '<b><img src="">I\'m not trying to XSS you</b>'
+    assert nh3.clean(html, tags={"img"}) == '<img src="">I\'m not trying to XSS you'
+    assert (
+        nh3.clean(html, tags={"img"}, attributes={}) == "<img>I'm not trying to XSS you"
+    )
+    assert nh3.clean(html, attributes={}) == "<b><img>I'm not trying to XSS you</b>"
+    assert (
+        nh3.clean('<a href="https://baidu.com">baidu</a>')
+        == '<a href="https://baidu.com" rel="noopener noreferrer">baidu</a>'
+    )
+    assert (
+        nh3.clean('<a href="https://baidu.com">baidu</a>', link_rel=None)
+        == '<a href="https://baidu.com">baidu</a>'
+    )
+    assert (
+        nh3.clean(
+            "<script>alert('hello')</script><style>a { background: #fff }</style>",
+            clean_content_tags={"script", "style"},
+        )
+        == ""
+    )
+
+    assert (
+        nh3.clean('<div data-v="foo"></div>', generic_attribute_prefixes={"data-"})
+        == '<div data-v="foo"></div>'
+    )
+
+    assert (
+        nh3.clean(
+            "<my-tag my-attr=val>",
+            tags={"my-tag"},
+            tag_attribute_values={"my-tag": {"my-attr": {"val"}}},
+        )
+        == '<my-tag my-attr="val"></my-tag>'
+    )
+
+    assert (
+        nh3.clean(
+            "<my-tag>",
+            tags={"my-tag"},
+            set_tag_attribute_values={"my-tag": {"my-attr": "val"}},
+        )
+        == '<my-tag my-attr="val"></my-tag>'
+    )
+
+
+@run_in_pyodide(packages=["nh3"])
+def test_clean_with_attribute_filter(selenium):
+    import nh3
+    import pytest
+
+    html = "<a href=/><img alt=Home src=foo></a>"
+
+    def attribute_filter(element, attribute, value):
+        if element == "img" and attribute == "src":
+            return None
+        return value
+
+    assert (
+        nh3.clean(html, attribute_filter=attribute_filter, link_rel=None)
+        == '<a href="/"><img alt="Home"></a>'
+    )
+
+    with pytest.raises(TypeError):
+        nh3.clean(html, attribute_filter="not a callable")
+
+    # attribute_filter may raise exception, but it's an infallible API
+    # which writes a unraisable exception
+    nh3.clean(html, attribute_filter=lambda _element, _attribute, _value: True)
+
+
+@run_in_pyodide(packages=["nh3"])
+def test_clean_text(selenium):
+    import nh3
+
+    res = nh3.clean_text('Robert"); abuse();//')
+    assert res == "Robert&quot;);&#32;abuse();&#47;&#47;"
+
+
+@run_in_pyodide(packages=["nh3"])
+def test_is_html(selenium):
+    import nh3
+
+    assert not nh3.is_html("plain text")
+    assert nh3.is_html("<p>html!</p>")