Merge branch 'feature/ammonia' into develop

Author: ikirudennis

README.textile

@@ -9,7 +9,7 @@ h2. Installation
 @pip install textile@
 
 Dependencies:
-* "html5lib":https://pypi.org/project/html5lib/
+* "nh3":https://pypi.org/project/nh3/
 * "regex":https://pypi.org/project/regex/ (The regex package causes problems with PyPy, and is not installed as a dependency in such environments. If you are upgrading a textile install on PyPy which had regex previously included, you may need to uninstall it.)
 
 Optional dependencies include:

pyproject.toml

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools", "setuptools-scm"]
+requires = ["setuptools", "setuptools-scm", "nh3"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -26,7 +26,7 @@ classifiers = [
 ]
 dynamic = ["version",]
 dependencies = [
-    'html5lib>=1.0.1',
+    'nh3',
     'regex>1.0; implementation_name != "pypy"',
 ]
 requires-python = '>=3.8'

tests/fixtures/README.txt

@@ -10,7 +10,7 @@
 
 	<p>Dependencies:
 	<ul>
-		<li><a href="https://pypi.org/project/html5lib/">html5lib</a></li>
+		<li><a href="https://pypi.org/project/nh3/">nh3</a></li>
 		<li><a href="https://pypi.org/project/regex/">regex</a> (The regex package causes problems with PyPy, and is not installed as a dependency in such environments. If you are upgrading a textile install on PyPy which had regex previously included, you may need to uninstall it.)</li>
 	</ul></p>
 

tests/test_textile.py

@@ -117,7 +117,7 @@ def test_sanitize():
     assert result == expect
 
     test = """<p style="width: expression(alert('evil'));">a paragraph of evil text</p>"""
-    result = '<p style="">a paragraph of evil text</p>'
+    result = '<p>a paragraph of evil text</p>'
     expect = textile.Textile().parse(test, sanitize=True)
     assert result == expect
 

textile/core.py

@@ -20,8 +20,9 @@
 import uuid
 from urllib.parse import urlparse, urlsplit, urlunsplit, quote, unquote
 from collections import OrderedDict
+from nh3 import clean
 
-from textile.tools import sanitizer, imagesize
+from textile.tools import imagesize
 from textile.regex_strings import (align_re_s, cls_re_s, pnct_re_s,
                                    regex_snippets, syms_re_s, table_span_re_s)
 from textile.utils import (decode_high, encode_high, encode_html, generate_tag,
@@ -236,12 +237,12 @@ def parse(self, text, rel=None, sanitize=False):
 
         if self.block_tags:
             if self.lite:
-                self.blocktag_whitelist = ['bq', 'p']
+                self.blocktag_allowlist = set(['bq', 'p', 'br'])
                 text = self.block(text)
             else:
-                self.blocktag_whitelist = ['bq', 'p', 'bc', 'notextile',
-                                           'pre', 'h[1-6]', 'fn{0}+'.format(
-                                               regex_snippets['digit']), '###']
+                self.blocktag_allowlist = set(['bq', 'p', 'br', 'bc', 'notextile',
+                                               'pre', 'h[1-6]',
+                                               f"fn{regex_snippets['digit']}+", '###'])
                 text = self.block(text)
                 text = self.placeNoteLists(text)
         else:
@@ -263,7 +264,7 @@ def parse(self, text, rel=None, sanitize=False):
         text = text.replace('{0}:glyph:'.format(self.uid), '')
 
         if sanitize:
-            text = sanitizer.sanitize(text)
+            text = clean(text, tags=self.blocktag_allowlist)
 
         text = self.retrieveTags(text)
         text = self.retrieveURLs(text)