| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Fixes #1156.
| |
If cache is desired, we should look into this in the future and do it
properly.
| |
This is an old, outdated key which is simply moved into `project_urls`. As it offers no value, it is being removed.
Fixes Python-Markdown#1163.
| |
Fixes #1160.
| |
The footnote docs page doesn't mention the need to run `reset()` between multiple runs of the `markdown.Markdown` class.
This change adapts and adds language from the `extensions/api.md` page to explain what to do and why.
| |
The previous link was pointing at a stale wiki page.
| |
Two regular expressions were vulnerable to Regular Expression Denial of
Service (ReDoS).
Crafted strings containing a long sequence of spaces could cause Denial
of Service by making markdown take a long time to process.
This represents a vulnerability when untrusted user input is processed
with the markdown package.
ReferencesProcessor:
https://github.com/Python-Markdown/markdown/blob/4acb949256adc535d6e6cd8/markdown/blockprocessors.py#L559-L563
e.g.:
```python
import markdown
markdown.markdown('[]:0' + ' ' * 4321 + '0')
```
FencedBlockPreprocessor (requires fenced_code extension):
https://github.com/Python-Markdown/markdown/blob/a11431539d08e14b0bd821c/markdown/extensions/fenced_code.py#L43-L54
e.g.:
```python
import markdown
markdown.markdown('```' + ' ' * 4321, extensions=['fenced_code'])
```
Both regular expressions had cubic worst-case complexity, so doubling
the number of spaces made processing take 8 times as long.
The cubic behaviour can be seen as follows:
```
$ time python -c "import markdown; markdown.markdown('[]:0' + ' ' * 1000 + '0')"
python -c "import markdown; markdown.markdown('[]:0' + ' ' * 1000 + '0')" 1.25s user 0.02s system 99% cpu 1.271 total
$ time python -c "import markdown; markdown.markdown('[]:0' + ' ' * 2000 + '0')"
python -c "import markdown; markdown.markdown('[]:0' + ' ' * 2000 + '0')" 9.01s user 0.02s system 99% cpu 9.040 total
$ time python -c "import markdown; markdown.markdown('[]:0' + ' ' * 4000 + '0')"
python -c "import markdown; markdown.markdown('[]:0' + ' ' * 4000 + '0')" 74.86s user 0.27s system 99% cpu 1:15.38 total
```
Both regexes had three `[ ]*` groups separated by optional groups, in
effect making the regex `[ ]*[ ]*[ ]*`.
Discovered using [regexploit](https://github.com/doyensec/regexploit).
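The cubic growth described in the commit message above, reproduced with a deterministic step counter (an added example, not code from the commit or from Python-Markdown). The token patterns are constructed stand-ins for the `[ ]*[ ]*[ ]*` shape, and the matcher is a minimal model of a backtracking engine, not Python's `re` internals.

```python
# Constructed token patterns (assumptions, not the project's real regexes).
# ("star", c) = c*   ("opt", c) = c?   ("lit", c) = c   ("end",) = $
THREE_RUNS = [("lit", ":"), ("star", " "), ("opt", "\n"), ("star", " "),
              ("opt", "\n"), ("star", " "), ("end",)]
ONE_RUN = [("lit", ":"), ("star", " "), ("end",)]


def match_steps(tokens, text):
    """Greedy backtracking match anchored at offset 0.

    Returns (matched, steps), where steps counts every token attempt.
    """
    steps = 0

    def run(ti, pos):
        nonlocal steps
        steps += 1
        if ti == len(tokens):
            return True
        kind = tokens[ti][0]
        if kind == "end":
            return pos == len(text) and run(ti + 1, pos)
        ch = tokens[ti][1]
        here = pos < len(text) and text[pos] == ch
        if kind == "lit":
            return here and run(ti + 1, pos + 1)
        if kind == "opt":
            return (here and run(ti + 1, pos + 1)) or run(ti + 1, pos)
        # "star": take the longest run, then give back one character at a time.
        stop = pos
        while stop < len(text) and text[stop] == ch:
            stop += 1
        return any(run(ti + 1, p) for p in range(stop, pos - 1, -1))

    return run(0, 0), steps


def failing_input(n):
    # Same shape as the commit's examples: a run of spaces, then a character
    # that makes the end anchor fail.
    return ":" + " " * n + "0"


if __name__ == "__main__":
    for n in (20, 40, 80):
        print(n, match_steps(THREE_RUNS, failing_input(n))[1],
              match_steps(ONE_RUN, failing_input(n))[1])
```

Doubling the run of spaces multiplies the step count of the three-group pattern by a factor approaching 8, while the single-group pattern grows by a constant per added space.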
| |
Update the existing test and add a new one to make sure that the
behavior of default slugify function has not changed.
Fixes #1118.
| |
This fixes a regression which was introduced with support for toc_depth.
Relevant tests have been moved and updated to the new framework.
Fixes #1107.
The test framework also received an addition. The assertMarkdownRenders
method now accepts a new keyword expected_attrs which consists of a dict
of attrs and expected values. Each is checked against the attr of the
Markdown instance. This was needed to check the value of md.toc and
md.toc_tokens in some of the included tests.
| |
Corrected "shorte" to "short"
| |
Yuri's site (freewisdom.org) has gone offline. I have linked to his
GitHub profile instead. Also, the developer's email address
(markdown@freewisdom.org) has been replaced with a new address
(python.markdown@gmail.com). The new address simply forwards all
incoming messages to the project developer (@waylan) and deletes the
messages.
| |
- just get the length once at the beginning.
The gains are tiny but when the total number of calls to these is in the hundreds of thousands, it makes a sizeable difference.
| |
effbot.org was the old site for ElementTree from before it was added
to the Python standard library. We now link to the standard library
which is up-to-date and avoid bad links to a third-party site which
is currently down.
| |
Co-authored-by: Reilly Raab <raabrp@gmail.com>
| |
* fix unclosed pi in code span
* fix unclosed dec in code span
* fix unclosed tag in code span
Closes #1066.
| |
Empty tags do not have a `markdown` attribute set on them. Therefore,
there is no need to check the mdstack to determine behavior. If we
are in any md_in_html state (regardless of block, span, etc) the
behavior is the same. Fixes #1070.
| |
This reverts part of 2766698 and re-implements handling
of tails in the same manner as the core.
Also, ensure line_offset doesn't raise an error on bad input
(see #1066) and properly handle script tags in code
spans (same as in the core).
Fixes #1068.
| |
Ensure that start/end tag handler does not include tags in the previous
paragraph.
Provide special handling for tags like hr that never have content.
Use sets for block tag lists as they are much faster when comparing
if an item is in the list.
Fixes #1053.
| |
Fixes #1055.
| |
This action checks that an update was made to any file in docs/change_log/
but only if changes were made to files in markdown/. Presumably,
any changes outside of markdown/ do not affect the behavior and do not
require a notation in the change_log.
If the proper permissions are available, a comment is added to the PR informing
the PR author that an update to the changelog is missing. However, any PRs from
forks do not have permission on the pull_request event. Unfortunately, the
pull_request_target event doesn't seem to work at all. However, as the action
only attempts to add a comment on failure, we only get a failure in the correct
conditions, even if the error message is related to auth.
| |
Fixes #1049
| |
Use the list of tags defined in the core by the md_in_html extension.
This ensures that the lists do not diverge and allows users and/or
extensions to expand the list in the core and have that change affect
the extension. Fixes #1047.
| |
Fixes #1040 and fixes #1045.
| |
By calling str on all stash elements we ensure they don't raise an error.
Worst case, something like `<Element 'div' at 0x000001B2DAE94900>` gets
inserted into the output. However, with the override in the md_in_html
extension, we actually serialize and reinsert the original HTML. Worst case,
an HTML block which should be parsed as Markdown gets skipped by the
extension (`<div markdown="block"></div>` gets inserted into the output).
The tricky part is testing as there should be no known cases where this
ever occurs. Therefore, we forcefully pass an etree Element directly to
the method in the test. That said, as #1040 is unresolved at this point,
I have tested locally with a real existing case and it works well.
Related to #1040.
| |
* Ensure unclosed script tags are parsed correctly by providing a workaround for https://bugs.python.org/issue41989.
* Avoid cdata_mode outside of HTML blocks, such as in inline code spans.
Fixes #1036.
| |
If pygments is installed and the version doesn't match the expected version,
then any relevant tests will fail. To avoid failing tests due to different
output by pygments, those tests will be skipped. The pygments tox env
sets the `PYGMENTS_VERSION` environment variable, so that env will always
run those tests against the expected version.
| |
* Pygments specific tests now only run when the pygments version installed
matches the expected version. That version is defined in an environment
variable (PYGMENTS_VERSION) in the 'pygments' tox env (see #1030).
* When the Python lib tidylib is installed but the underlying c lib is not,
the relevant tests are now skipped rather than fail. This matches the
behavior when the Python lib is not installed. The tox envs are now useful
on systems which don't have the c lib installed.
| |
* All non-language classes should always be assigned to the pre tag.
* The language identifying class should never be included with the
general list of classes.
Fixes #1032
| |
Closes #1030
| |
Python 3.5 reached end-of-life on 2020-09-12 and Python 3.9 was released on 2020-10-05.
| |
A second function, `slugify_unicode` was added rather than changing the existing function so as to maintain backward compatibility. While an `encoding` parameter was added to the `slugify` function, we can't expect existing third party functions to accept a third parameter. Therefore, the two parameter API was preserved with this change.
| |
The HTML parser has been completely replaced. The new HTML parser is built on Python's html.parser.HTMLParser, which alleviates various bugs and simplifies maintenance of the code.
The md_in_html extension has been rebuilt on the new HTML Parser, which drastically simplifies it. Note that raw HTML elements with a markdown attribute defined are now converted to ElementTree Elements and are rendered by the serializer. Various bugs have been fixed.
Link reference parsing, abbreviation reference parsing and footnote reference parsing have all been moved from preprocessors to blockprocessors, which allows them to be nested within other block level elements. Specifically, this change was necessary to maintain the current behavior in the rebuilt md_in_html extension. A few random edge-case bugs (see the included tests) were resolved in the process.
Closes #595, closes #780, closes #830 and closes #1012.
| |
Closes #1019.
| |
As of richleland/pygments-css@146834e1 the css class was set to `.highlight`.
Closes #1020.
| |
Fixes #918.
|