Fix merge conflicts

Merge branch 'master' into lang-name-in-class-using-pygments

Author: Crozzers

.github/workflows/python.yaml

@@ -9,15 +9,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         os:
-          - ubuntu-20.04
+          - ubuntu-latest
           - macos-latest
           - windows-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

CHANGES.md

@@ -1,11 +1,21 @@
 # python-markdown2 Changelog
 
-## python-markdown2 2.5.1 (not yet released)
+## python-markdown2 2.5.2 (not yet released)
+
+- [pull #605] Add support for Python 3.13, drop EOL 3.8
+- [pull #607] Fix `middle-word-em` extra preventing strongs from being recognized (#606)
+- [pull #596] Add language to HTML output in pygments code blocks (#379)
+
+
+## python-markdown2 2.5.1
 
 - [pull #590] Fix underscores within bold text getting emphasized (#589)
 - [pull #591] Add Alerts extra
 - [pull #595] Fix img alt text being processed as markdown (#594)
-- [pull #596] Add language to HTML output in pygments code blocks (#379)
+- [pull #598] Add `link-shortrefs` extra (#597)
+- [pull #600] Use urandom for SECRET_SALT
+- [pull #602] Fix XSS issue in safe mode (#601)
+- [pull #604] Fix XSS injection in image URLs (#603)
 
 
 ## python-markdown2 2.5.0

CONTRIBUTORS.txt

@@ -60,3 +60,4 @@ Kishore (github.com/jk6521)
 Ircama (github.com/Ircama)
 Ankit Mahato (github.com/animator)
 Eric Dufresne (github.com/edufresne)
+Lyra Rebane (github.com/rebane2001)

lib/markdown2.py

@@ -104,9 +104,9 @@ def _markdown_from_aspn_html(html):
             title = None
         escaped_href = href.replace('(', '\\(').replace(')', '\\)')
         if title is None:
-            replacement = '[%s](%s)' % (content, escaped_href)
+            replacement = '[{}]({})'.format(content, escaped_href)
         else:
-            replacement = '[%s](%s "%s")' % (content, escaped_href, 
+            replacement = '[{}]({} "{}")'.format(content, escaped_href, 
                                              title.replace('"', "'"))
         markdown = markdown[:start] + replacement + markdown[end:]
 

perf/gen_perf_cases.py

@@ -34,7 +34,7 @@ def time_markdown_py(cases_dir, repeat):
     for i in range(repeat):
         start = clock()
         for path in glob(join(cases_dir, "*.text")):
-            f = open(path, 'r')
+            f = open(path)
             content = f.read()
             f.close()
             try:
@@ -59,7 +59,7 @@ def time_markdown2_py(cases_dir, repeat):
     for i in range(repeat):
         start = clock()
         for path in glob(join(cases_dir, "*.text")):
-            f = open(path, 'r')
+            f = open(path)
             content = f.read()
             f.close()
             markdowner.convert(content)

perf/perf.py

@@ -1,4 +1,3 @@
-
 from os.path import *
 from pprint import pformat
 

perf/strip_cookbook_data.py

@@ -30,7 +30,7 @@ def wrapper(*args, **kw):
             return func(*args, **kw)
         finally:
             total_time = clock() - start_time
-            print("%s took %.3fs" % (func.__name__, total_time))
+            print("{} took {:.3f}s".format(func.__name__, total_time))
     return wrapper
 
 def hotshotit(func):

perf/util.py

@@ -1,4 +1,3 @@
-
 import sys
 import re
 from os.path import *

sandbox/wiki.py

@@ -18,11 +18,11 @@
 License :: OSI Approved :: MIT License
 Programming Language :: Python
 Programming Language :: Python :: 3
-Programming Language :: Python :: 3.8
 Programming Language :: Python :: 3.9
 Programming Language :: Python :: 3.10
 Programming Language :: Python :: 3.11
 Programming Language :: Python :: 3.12
+Programming Language :: Python :: 3.13
 Operating System :: OS Independent
 Topic :: Software Development :: Libraries :: Python Modules
 Topic :: Software Development :: Documentation
@@ -32,7 +32,7 @@
 
 extras_require = {
     "code_syntax_highlighting": ["pygments>=2.7.3"],
-    "wavedrom": ["wavedrom; python_version>='3.7'"],
+    "wavedrom": ["wavedrom"],
     "latex": ['latex2mathml; python_version>="3.8.1"'],
 }
 # nested listcomp to combine all optional extras into convenient "all" option
@@ -56,7 +56,7 @@
         ]
     },
     description="A fast and complete Python implementation of Markdown",
-    python_requires=">=3.8, <4",
+    python_requires=">=3.9, <4",
     extras_require=extras_require,
     classifiers=classifiers.strip().split("\n"),
     long_description="""markdown2: A fast and complete Python implementation of Markdown.

setup.cfg

@@ -116,7 +116,7 @@ def is_block_level (tag) :
                                      (re.compile(">"), ">"),
                                      (re.compile("\""), """)]
 
-ENTITY_NORMALIZATION_EXPRESSIONS_SOFT = [ (re.compile("&(?!\#)"), "&"),
+ENTITY_NORMALIZATION_EXPRESSIONS_SOFT = [ (re.compile(r"&(?!\#)"), "&"),
                                      (re.compile("<"), "&lt;"),
                                      (re.compile(">"), "&gt;"),
                                      (re.compile("\""), "&quot;")]
@@ -325,7 +325,7 @@ def toxml(self):
             value = self.attribute_values[attr]
             value = self.doc.normalizeEntities(value,
                                                avoidDoubleNormalizing=True)
-            buffer += ' %s="%s"' % (attr, value)
+            buffer += ' {}="{}"'.format(attr, value)
 
 
         # Now let's actually append the children
@@ -672,7 +672,7 @@ def run (self, lines) :
 LINK_ANGLED_RE = BRK + r'\s*\(<([^\)]*)>\)'      # [text](<url>)
 IMAGE_LINK_RE = r'\!' + BRK + r'\s*\(([^\)]*)\)' # ![alttxt](http://x.com/)
 REFERENCE_RE = BRK+ r'\s*\[([^\]]*)\]'           # [Google][3]
-IMAGE_REFERENCE_RE = r'\!' + BRK + '\s*\[([^\]]*)\]' # ![alt text][2]
+IMAGE_REFERENCE_RE = r'\!' + BRK + r'\s*\[([^\]]*)\]' # ![alt text][2]
 NOT_STRONG_RE = r'( \* )'                        # stand-alone * or _
 AUTOLINK_RE = r'<(http://[^>]*)>'                # <http://www.123.com>
 AUTOMAIL_RE = r'<([^> \!]*@[^> ]*)>'               # <[email protected]>

setup.py

@@ -27,10 +27,7 @@ def setup():
         import pygments  # noqa
     except ImportError:
         pygments_dir = join(top_dir, "deps", "pygments")
-        if sys.version_info[0] <= 2:
-            sys.path.insert(0, pygments_dir)
-        else:
-            sys.path.insert(0, pygments_dir + "3")
+        sys.path.insert(0, pygments_dir + "3")
 
 if __name__ == "__main__":
     logging.basicConfig()
@@ -42,7 +39,7 @@ def setup():
         try:
             mod = importlib.import_module(extra_lib)
         except ImportError:
-            warnings.append("skipping %s tests ('%s' module not found)" % (extra_lib, extra_lib))
+            warnings.append("skipping {} tests ('{}' module not found)".format(extra_lib, extra_lib))
             default_tags.append("-%s" % extra_lib)
         else:
             if extra_lib == 'pygments':
@@ -51,7 +48,7 @@ def setup():
                     tag = "pygments<2.14"
                 else:
                     tag = "pygments>=2.14"
-                warnings.append("skipping %s tests (pygments %s found)" % (tag, mod.__version__))
+                warnings.append("skipping {} tests (pygments {} found)".format(tag, mod.__version__))
                 default_tags.append("-%s" % tag)
 
     retval = testlib.harness(testdir_from_ns=testdir_from_ns,

test/markdown.py

@@ -152,7 +152,7 @@ def generate_tests(cls):
             if exists(opts_path):
                 try:
                     with warnings.catch_warnings(record=True) as caught_warnings:
-                        opts = eval(open(opts_path, 'r').read())
+                        opts = eval(open(opts_path).read())
                     for warning in caught_warnings:
                         print("WARNING: loading %s generated warning: %s - lineno %d" % (opts_path, warning.message, warning.lineno), file=sys.stderr)
                 except Exception:
@@ -335,7 +335,7 @@ def _markdown_email_link_sub(match):
     href, text = match.groups()
     href = _xml_escape_re.sub(_xml_escape_sub, href)
     text = _xml_escape_re.sub(_xml_escape_sub, text)
-    return '<a href="%s">%s</a>' % (href, text)
+    return '<a href="{}">{}</a>'.format(href, text)
 
 def norm_html_from_html(html):
     """Normalize (somewhat) Markdown'd HTML.

test/test.py

@@ -53,14 +53,14 @@ def testall():
             # Don't support Python < 3.5
             continue
         ver_str = "%s.%s" % ver
-        print("-- test with Python %s (%s)" % (ver_str, python))
+        print("-- test with Python {} ({})".format(ver_str, python))
         assert ' ' not in python
 
         env_args = 'MACOSX_DEPLOYMENT_TARGET= ' if sys.platform == 'darwin' else ''
 
         proc = subprocess.Popen(
             # pass "-u" option to force unbuffered output
-            "%s%s -u test.py -- -knownfailure" % (env_args, python),
+            "{}{} -u test.py -- -knownfailure".format(env_args, python),
             shell=True, stderr=subprocess.PIPE
         )
 
@@ -77,6 +77,6 @@ def testall():
 
     for python, ver_str, warning in all_warnings:
         # now re-print all warnings to make sure they are seen
-        print('-- warning raised by Python %s (%s) -- %s' % (ver_str, python, warning))
+        print('-- warning raised by Python {} ({}) -- {}'.format(ver_str, python, warning))
 
 testall()

test/test_markdown2.py

@@ -130,8 +130,8 @@ def wrapper(*args, **kw):
             finally:
                 total_time = time.time() - start_time
                 if total_time > max_time + tolerance:
-                    raise DurationError(('Test was too long (%.2f s)'
-                                           % total_time))
+                    raise DurationError('Test was too long (%.2f s)'
+                                           % total_time)
         return wrapper
 
     return _timedtest
@@ -140,7 +140,7 @@ def wrapper(*args, **kw):
 
 #---- module api
 
-class Test(object):
+class Test:
     def __init__(self, ns, testmod, testcase, testfn_name,
                  testsuite_class=None):
         self.ns = ns
@@ -439,7 +439,7 @@ def list_tests(testdir_from_ns, tags):
             if testfile.endswith(".pyc"):
                 testfile = testfile[:-1]
             print("%s:" % t.shortname())
-            print("  from: %s#%s.%s" % (testfile,
+            print("  from: {}#{}.{}".format(testfile,
                 t.testcase.__class__.__name__, t.testfn_name))
             wrapped = textwrap.fill(' '.join(t.tags()), WIDTH-10)
             print("  tags: %s" % _indent(wrapped, 8, True))
@@ -470,7 +470,7 @@ def __init__(self, stream):
 
     def getDescription(self, test):
         if test._testlib_explicit_tags_:
-            return "%s [%s]" % (test._testlib_shortname_,
+            return "{} [{}]".format(test._testlib_shortname_,
                                 ', '.join(test._testlib_explicit_tags_))
         else:
             return test._testlib_shortname_
@@ -514,7 +514,7 @@ def printErrorList(self, flavour, errors):
             self.stream.write("%s\n" % err)
 
 
-class ConsoleTestRunner(object):
+class ConsoleTestRunner:
     """A test runner class that displays results on the console.
 
     It prints out the names of tests as they are run, errors as they

test/testall.py

@@ -0,0 +1 @@
+<p>&lt;img src=# onerror="alert()"&gt;&lt;/p&gt;</p>

test/testlib.py

@@ -0,0 +1 @@
+{"safe_mode": "escape"}

test/tm-cases/issue601_xss.html

@@ -0,0 +1 @@
+<img src=# onerror="alert()"></p>

test/tm-cases/issue601_xss.opts

@@ -0,0 +1,6 @@
+<p><img src="code&gt;&quot; onerror=alert()//&lt;/code" alt="" /></p>
+
+<p><img src="&quot; onerror=alert()//" alt="" />
+<a href="#"></a>
+<img src="`&quot; onerror=alert()//`" alt="" />
+<img src="&lt;code&gt;&quot; onerror=alert()//&lt;code&gt;" alt="" /></p>

test/tm-cases/issue601_xss.text

@@ -0,0 +1 @@
+{"safe_mode": "escape"}

test/tm-cases/issue603_xss.html

@@ -0,0 +1,12 @@
+![](`" onerror=alert()//`)
+
+
+![][XSS]
+[][XSS]
+![][XSS2]
+![][XSS3]
+
+
+[XSS]: " onerror=alert()//
+[XSS2]: `" onerror=alert()//`
+[XSS3]: <code>" onerror=alert()//<code>

test/tm-cases/issue603_xss.opts

@@ -0,0 +1,11 @@
+<p><a href="https://www.python.org">Python</a></p>
+
+<p>abc <a href="https://www.python.org">Python</a> def</p>
+
+<p><a href="https://www.python.org">Python</a>s</p>
+
+<p><a href="https://www.python.org">Python</a></p>
+
+<p><a href="https://www.python.org">Python</a>with<em>more</em>text</p>
+
+<p>[NoLink]</p>

test/tm-cases/issue603_xss.text

@@ -0,0 +1 @@
+{"extras": ["link-shortrefs"]}

test/tm-cases/link_shortrefs.html

@@ -0,0 +1 @@
+extras link-shortrefs

test/tm-cases/link_shortrefs.opts

@@ -0,0 +1,13 @@
+[Python]
+
+abc [Python] def
+
+[Python]s
+
+[Python][]
+
+[Python]with_more_text
+
+[NoLink]
+
+[Python]: https://www.python.org

test/tm-cases/link_shortrefs.tags

@@ -0,0 +1,19 @@
+<p>Double variants:</p>
+
+<p><strong>one_two_three</strong></p>
+
+<p><strong><em>one_two_three</em></strong></p>
+
+<p><em><strong>one_two_three</strong></em></p>
+
+<p><strong><em>one_two_three</em></strong></p>
+
+<p>Single variants:</p>
+
+<p><em>one_two_three</em></p>
+
+<p><em>one_two_three</em></p>
+
+<p><em>one*two*three</em></p>
+
+<p><em>one<em>two</em>three</em></p>

test/tm-cases/link_shortrefs.text

@@ -0,0 +1 @@
+{"extras": {"middle-word-em": False}}

test/tm-cases/middle_word_em_with_extra_ems.html

@@ -0,0 +1,19 @@
+Double variants:
+
+**one_two_three**
+
+***one_two_three***
+
+_**one_two_three**_
+
+**_one_two_three_**
+
+Single variants:
+
+*one_two_three*
+
+_one_two_three_
+
+_one*two*three_
+
+*one*two*three*