move to sanitization.md and document for CLI

Author: waylan

.spell-dict

@@ -78,6 +78,7 @@ munge
 namespace
 NanoDOM
 Neale
+nh3
 nosetests
 OrderedDict
 OrderedDicts

docs/cli.md

@@ -35,12 +35,19 @@ For example:
 echo "Some **Markdown** text." | python -m markdown > output.html
 ```
 
-Use the `--help` option for a list all available options and arguments:
+Use the `--help` option for a list of all available options and arguments:
 
 ```bash
 python -m markdown --help
 ```
 
+!!! warning
+
+    The Python-Markdown library does ***not*** sanitize its HTML output. If
+    you are processing Markdown input from an untrusted source, it is your
+    responsibility to ensure that it is properly sanitized. For more
+    information see [Sanitizing HTML Output](sanitization.md).
+
 If you don't want to call the python executable directly (using the `-m` flag),
 follow the instructions below to use a wrapper script:
 

docs/reference.md

@@ -31,36 +31,10 @@ method appropriately ([see below](#convert)).
 
     The Python-Markdown library does ***not*** sanitize its HTML output. If
     you are processing Markdown input from an untrusted source, it is your
-    responsibility to ensure that it is properly sanitized. See [Markdown and
-    XSS] for an overview of some of the dangers and [Improper markup
-    sanitization in popular software] for notes on best practices to ensure
-    HTML is properly sanitized.
-
-    The developers of Python-Markdown recommend using [JustHTML] as a
-    sanitizer on the output of `markdown.markdown`. JustHTML includes a
-    built-in HTML sanitizer. When you pass the HTML output through JustHTML
-    (`JustHTML(markdown.markdown(text), fragment=True).to_html())`), it
-    is sanitized by default according to a strict [allow list policy]. The
-    policy can be [customized] if necessary.
-
-    If you cannot use JustHTML for some reason, some alternatives include
-    [`nh3`][nh3] or [`bleach`][bleach][^1]. However, be aware that those
-    libraries will not be sufficient in themselves and will require
-    customization. Some useful lists of allowed tags and attributes can be
-    found in the [`bleach-allowlist`][bleach-allowlist] library, which should
-    work with either sanitizer.
-
-
-[Markdown and XSS]: https://michelf.ca/blog/2010/markdown-and-xss/
-[Improper markup sanitization in popular software]: https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md
-[JustHTML]: https://emilstenstrom.github.io/justhtml/
-[allow list policy]: https://emilstenstrom.github.io/justhtml/html-cleaning.html#default-sanitization-policy
-[customized]: https://emilstenstrom.github.io/justhtml/html-cleaning.html#use-a-custom-sanitization-policy
-[nh3]: https://nh3.readthedocs.io/en/latest/
-[bleach]: http://bleach.readthedocs.org/en/latest/
-[bleach-allowlist]: https://github.com/yourcelf/bleach-allowlist
-[^1]: Note that the [bleach] project has been [deprecated](https://github.com/mozilla/bleach/issues/698). 
-However, it may be the only option for some users. 
+    responsibility to ensure that it is properly sanitized. For more
+    information see [Sanitizing HTML Output].
+
+[Sanitizing HTML Output]: sanitization.md
 
 The following options are available on the `markdown.markdown` function:
 
@@ -216,17 +190,12 @@ __tab_length__{: #tab_length }:
 
 !!! warning
 
-    The Python-Markdown library does ***not*** sanitize its HTML output. If
-    you are processing Markdown input from an untrusted source, it is your
-    responsibility to ensure that it is properly sanitized. See [Markdown and
-    XSS] for an overview of some of the dangers and [Improper markup
-    sanitization in popular software] for notes on best practices to ensure
-    HTML is properly sanitized.
-
-    As `markdown.markdownFromFile` writes directly to the file system, there
-    is no easy way to sanitize the output from Python code. Therefore, it is
+    The Python-Markdown library does ***not*** sanitize its HTML output. As
+    `markdown.markdownFromFile` writes directly to the file system, there is
+    no easy way to sanitize the output from Python code. Therefore, it is
     recommended that the `markdown.markdownFromFile` function not be used on
-    input from an untrusted source.
+    input from an untrusted source. For more information see [Sanitizing HTML
+    Output].
 
 With a few exceptions, `markdown.markdownFromFile` accepts the same options as
 `markdown.markdown`. It does **not** accept a `text` (or Unicode) string.
@@ -284,24 +253,8 @@ string must be passed to one of two instance methods.
 
     The Python-Markdown library does ***not*** sanitize its HTML output. If
     you are processing Markdown input from an untrusted source, it is your
-    responsibility to ensure that it is properly sanitized. See [Markdown and
-    XSS] for an overview of some of the dangers and [Improper markup
-    sanitization in popular software] for notes on best practices to ensure
-    HTML is properly sanitized.
-
-    The developers of Python-Markdown recommend using [JustHTML] as a
-    sanitizer on the output of `Markdown.convert`. JustHTML includes a
-    built-in HTML sanitizer. When you pass the HTML output through JustHTML
-    (`JustHTML(md.convert(text), fragment=True).to_html())`), it
-    is sanitized by default according to a strict [allow list policy]. The
-    policy can be [customized] if necessary.
-
-    If you cannot use JustHTML for some reason, some alternatives include
-    [`nh3`][nh3] or [`bleach`][bleach][^1]. However, be aware that those
-    libraries will not be sufficient in themselves and will require
-    customization. Some useful lists of allowed tags and attributes can be
-    found in the [`bleach-allowlist`][bleach-allowlist] library, which should
-    work with either sanitizer.
+    responsibility to ensure that it is properly sanitized. For more
+    information see [Sanitizing HTML Output].
 
 The `source` text must meet the same requirements as the [`text`](#text)
 argument of the [`markdown.markdown`](#markdown) function.
@@ -334,17 +287,12 @@ html3 = md.reset().convert(text3)
 
 !!! warning
 
-    The Python-Markdown library does ***not*** sanitize its HTML output. If
-    you are processing Markdown input from an untrusted source, it is your
-    responsibility to ensure that it is properly sanitized. See [Markdown and
-    XSS] for an overview of some of the dangers and [Improper markup
-    sanitization in popular software] for notes on best practices to ensure
-    HTML is properly sanitized.
-
-    As `Markdown.convertFile` writes directly to the file system, there
-    is no easy way to sanitize the output from Python code. Therefore, it is
-    recommended that the `Markdown.convertFile` method not be used on
-    input from an untrusted source.
+    The Python-Markdown library does ***not*** sanitize its HTML output. As
+    `Markdown.convertFile` writes directly to the file system, there is no
+    easy way to sanitize the output from Python code. Therefore, it is
+    recommended that the `Markdown.convertFile` method not be used on input
+    from an untrusted source.  For more information see [Sanitizing HTML
+    Output].
 
 The arguments of this method are identical to the arguments of the same
 name on the `markdown.markdownFromFile` function ([`input`](#input),

docs/sanitization.md

@@ -0,0 +1,76 @@
+title: Sanitization and Security
+
+# Sanitizing HTML Output
+
+The Python-Markdown library does ***not*** sanitize its HTML output. If you
+are processing Markdown input from an untrusted source, it is your
+responsibility to ensure that it is properly sanitized. See _[Markdown and
+XSS]_ for an overview of some of the dangers and _[Improper markup sanitization
+in popular software]_ for notes on best practices to ensure HTML is properly
+sanitized. With those concerns in mind, some recommendations are provided
+below to ensure that any input from an untrusted source is properly
+sanitized.
+
+That said, if you fully trust the source of your input, you may choose to do
+nothing. Conversely, you may find solutions other than those suggested here.
+However, you do so at your own risk.
+
+## Using JustHTML
+
+[JustHTML] is recommended as a sanitizer on the output of `markdown.markdown`
+or `Markdown.convert`. When you pass HTML output through JustHTML, it is
+sanitized by default according to a strict [allow list policy]. The policy
+can be [customized] if necessary.
+
+``` python
+import markdown
+from justhtml import JustHTML
+
+html =  markdown.markdown(text)
+safe_html = JustHTML(html, fragment=True).to_html()
+```
+
+## Using nh3 or bleach
+
+If you cannot use JustHTML for some reason, some alternatives include [nh3] or
+[bleach][^1]. However, be aware that these libraries will not be sufficient
+in themselves and will require customization. Some useful lists of allowed
+tags and attributes can be found in the [`bleach-allowlist`]
+[bleach-allowlist] library, which should work with both nh3 and bleach as nh3
+mirrors bleach's API.
+
+``` python
+import markdown
+import bleach
+from bleach_allowlist import markdown_tags, markdown_attrs
+
+html =  markdown.markdown(text)
+safe_html = bleach.clean(html, markdown_tags, markdown_attrs)
+```
+
+[^1]: The [bleach] project has been [deprecated](https://github.com/mozilla/bleach/issues/698). 
+However, it may be the only option for some users as [nh3] is a set of Python bindings to a Rust library.
+
+## Sanitizing on the Command Line
+
+Both Python-Markdown and JustHTML provide command line interfaces which read
+from STDIN and write to STDOUT. Therefore, they can be used togeather to
+ensure that the output from untrusted input is properly sanitized.
+
+```sh
+echo "Some **Markdown** text." | python -m markdown | justhtml - --fragment > safe_output.html
+```
+
+For more information on JustHTML's Command Line Interface, see the
+[documentation][JustHTML_CLI]. Use the `--help` option for a list of all available
+options and arguments to the `markdown` command.
+
+[Markdown and XSS]: https://michelf.ca/blog/2010/markdown-and-xss/
+[Improper markup sanitization in popular software]: https://github.com/ChALkeR/notes/blob/master/Improper-markup-sanitization.md
+[JustHTML]: https://emilstenstrom.github.io/justhtml/
+[allow list policy]: https://emilstenstrom.github.io/justhtml/html-cleaning.html#default-sanitization-policy
+[customized]: https://emilstenstrom.github.io/justhtml/html-cleaning.html#use-a-custom-sanitization-policy
+[nh3]: https://nh3.readthedocs.io/en/latest/
+[bleach]: http://bleach.readthedocs.org/en/latest/
+[bleach-allowlist]: https://github.com/yourcelf/bleach-allowlist
+[JustHTML_CLI]: https://emilstenstrom.github.io/justhtml/cli.html

markdown/__main__.py

@@ -49,10 +49,14 @@ def parse_options(args=None, values=None):
     usage = """%prog [options] [INPUTFILE]
        (STDIN is assumed if no INPUTFILE is given)"""
     desc = "A Python implementation of John Gruber's Markdown. " \
-           "https://Python-Markdown.github.io/"
+           "https://python-markdown.github.io/"
     ver = "%%prog %s" % markdown.__version__
+    epilog = "WARNING: The Python-Markdown library does NOT sanitize its HTML output. If " \
+             "you are processing Markdown input from an untrusted source, it is your " \
+             "responsibility to ensure that it is properly sanitized. For more " \
+             "information see <https://python-markdown.github.io/sanitization/>."
 
-    parser = optparse.OptionParser(usage=usage, description=desc, version=ver)
+    parser = optparse.OptionParser(usage=usage, description=desc, version=ver, epilog=epilog)
     parser.add_option("-f", "--file", dest="filename", default=None,
                       help="Write output to OUTPUT_FILE. Defaults to STDOUT.",
                       metavar="OUTPUT_FILE")

mkdocs.yml

@@ -22,6 +22,7 @@ nav:
   - Installation: install.md
   - Library Reference: reference.md
   - Command Line: cli.md
+  - Sanitization and Security: sanitization.md
   - Extensions: extensions/index.md
   - Officially Supported Extensions:
       - Abbreviations: extensions/abbreviations.md