cherry-pick alphabetical attributes fix and update CHANGES/CONTRIBUTORS

CHANGES

@@ -1,6 +1,25 @@
 Bleach changes
 ==============
 
+Version 5.0.0 (In development)
+------------------------------
+
+**Backwards incompatible changes**
+
+* ``clean`` and ``linkify`` now preserve the order of HTML attributes. Thank
+  you, @askoretskly! (#566)
+
+* Drop support for Python 3.6. Thank you, @hugovk! (#629)
+
+**Bug fixes**
+
+* Rework dev dependencies. We no longer have
+  ``requirements-dev.in``/``requirements-dev.txt``. Instead, we're using
+  ``dev`` extras.
+
+  See `development docs <https://bleach.readthedocs.io/en/latest/dev.html>`_
+  for more details. (#620)
+
 Version 4.1.0 (August 25th, 2021)
 ---------------------------------
 
@@ -11,14 +30,14 @@ Version 4.1.0 (August 25th, 2021)
 **Bug fixes**
 
 * Update sanitizer clean to use vendored 3.6.14 stdlib urllib.parse to
-  fix test failures on Python 3.9 #536
+  fix test failures on Python 3.9. (#536)
 
 Version 4.0.0 (August 3rd, 2021)
 --------------------------------
 
 **Backwards incompatible changes**
 
-* Drop support for unsupported Python versions <3.6 #520
+* Drop support for unsupported Python versions <3.6. (#520)
 
 **Security fixes**
 
@@ -45,7 +64,7 @@ None
 
 **Bug fixes**
 
-* remove extra vendored django present in the v3.3.0 whl #595
+* remove extra vendored django present in the v3.3.0 whl (#595)
 * duplicate h1 header doc fix (thanks Nguyễn Gia Phong / @McSinyx!)
 
 Version 3.3.0 (February 1st, 2021)
@@ -111,7 +130,7 @@ None
 **Bug fixes**
 
 * change linkifier to add rel="nofollow" as documented. Thank you @mitar.
-* suppress html5lib sanitizer DeprecationWarnings #557
+* suppress html5lib sanitizer DeprecationWarnings (#557)
 
 Version 3.2.0 (September 16th, 2020)
 ------------------------------------
@@ -545,9 +564,9 @@ Version 2.0 (March 8th, 2017)
 
 **Backwards incompatible changes**
 
-* Removed support for Python 2.6. #206
+* Removed support for Python 2.6. (#206)
 
-* Removed support for Python 3.2. #224
+* Removed support for Python 3.2. (#224)
 
 * Bleach no longer supports html5lib < 0.99999999 (8 9s).
 
@@ -660,32 +679,32 @@ Version 1.5 (November 4th, 2016)
 
   Previously it was a long list of protocols something like ed2k, ftp, http,
   https, irc, mailto, news, gopher, nntp, telnet, webcal, xmpp, callto, feed,
-  urn, aim, rsync, tag, ssh, sftp, rtsp, afs, data. #149
+  urn, aim, rsync, tag, ssh, sftp, rtsp, afs, data. (#149)
 
 **Changes**
 
 * clean: Added ``protocols`` to arguments list to let you override the list of
-  allowed protocols. Thank you, Andreas Malecki! #149
+  allowed protocols. Thank you, Andreas Malecki! (#149)
 
 * linkify: Fix a bug involving periods at the end of an email address. Thank you,
-  Lorenz Schori! #219
+  Lorenz Schori! (#219)
 
 * linkify: Fix linkification of non-ascii ports. Thank you Alexandre, Macabies!
-  #207
+  (#207)
 
 * linkify: Fix linkify inappropriately removing node tails when dropping nodes.
-  #132
+  (#132)
 
-* Fixed a test that failed periodically. #161
+* Fixed a test that failed periodically. (#161)
 
-* Switched from nose to py.test. #204
+* Switched from nose to py.test. (#204)
 
-* Add test matrix for all supported Python and html5lib versions. #230
+* Add test matrix for all supported Python and html5lib versions. (#230)
 
 * Limit to html5lib ``>=0.999,!=0.9999,!=0.99999,<0.99999999`` because 0.9999
   and 0.99999 are busted.
 
-* Add support for ``python setup.py test``. #97
+* Add support for ``python setup.py test``. (#97)
 
 
 Version 1.4.3 (May 23rd, 2016)
@@ -706,13 +725,13 @@ Version 1.4.2 (September 11, 2015)
 
 **Changes**
 
-* linkify: Fix hang in linkify with ``parse_email=True``. #124
+* linkify: Fix hang in linkify with ``parse_email=True``. (#124)
 
-* linkify: Fix crash in linkify when removing a link that is a first-child. #136
+* linkify: Fix crash in linkify when removing a link that is a first-child. (#136)
 
 * Updated TLDs.
 
-* linkify: Don't remove exterior brackets when linkifying. #146
+* linkify: Don't remove exterior brackets when linkifying. (#146)
 
 
 Version 1.4.1 (December 15, 2014)

CONTRIBUTORS

@@ -29,6 +29,7 @@ Contributors:
 - Antoine Leclair
 - Anton Backer
 - Anton Kovalyov
+- askoretskiy
 - Benjamin Peterson
 - Chad Birch
 - CheesyFeet

bleach/__init__.py

@@ -12,9 +12,9 @@
 
 
 # yyyymmdd
-__releasedate__ = "20210825"
+__releasedate__ = ""
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = "4.1.0"
+__version__ = "5.0.0.dev0"
 
 
 __all__ = ["clean", "linkify"]

bleach/linkifier.py

@@ -2,7 +2,6 @@
 
 from bleach import callbacks as linkify_callbacks
 from bleach import html5lib_shim
-from bleach.utils import alphabetize_attributes
 
 
 #: List of default callbacks
@@ -155,7 +154,7 @@ def __init__(
             omit_optional_tags=False,
             # linkify does not sanitize
             sanitize=False,
-            # linkify alphabetizes
+            # linkify preserves attr order
             alphabetical_attributes=False,
         )
 
@@ -316,7 +315,6 @@ def handle_email_addresses(self, src_iter):
                     else:
                         # Add an "a" tag for the new link
                         _text = attrs.pop("_text", "")
-                        attrs = alphabetize_attributes(attrs)
                         new_tokens.extend(
                             [
                                 {"type": "StartTag", "name": "a", "data": attrs},
@@ -438,8 +436,6 @@ def handle_links(self, src_iter):
                             new_tokens.append({"type": "Characters", "data": prefix})
 
                         _text = attrs.pop("_text", "")
-                        attrs = alphabetize_attributes(attrs)
-
                         new_tokens.extend(
                             [
                                 {"type": "StartTag", "name": "a", "data": attrs},
@@ -491,7 +487,7 @@ def handle_a_tag(self, token_buffer):
 
         else:
             new_text = attrs.pop("_text", "")
-            a_token["data"] = alphabetize_attributes(attrs)
+            a_token["data"] = attrs
 
             if text == new_text:
                 # The callbacks didn't change the text, so we yield the new "a"

bleach/sanitizer.py

@@ -6,7 +6,6 @@
 from xml.sax.saxutils import unescape
 
 from bleach import html5lib_shim
-from bleach.utils import alphabetize_attributes
 
 
 #: List of allowed tags
@@ -143,7 +142,7 @@ def __init__(
             resolve_entities=False,
             # Bleach has its own sanitizer, so don't use the html5lib one
             sanitize=False,
-            # Bleach sanitizer alphabetizes already, so don't use the html5lib one
+            # clean preserves attr order
             alphabetical_attributes=False,
         )
 
@@ -357,10 +356,6 @@ def sanitize_token(self, token):
                 return None
 
             else:
-                if "data" in token:
-                    # Alphabetize the attributes before calling .disallowed_token()
-                    # so that the resulting string is stable
-                    token["data"] = alphabetize_attributes(token["data"])
                 return self.disallowed_token(token)
 
         elif token_type == "Comment":
@@ -551,7 +546,7 @@ def allow_token(self, token):
                 # At this point, we want to keep the attribute, so add it in
                 attrs[namespaced_name] = val
 
-            token["data"] = alphabetize_attributes(attrs)
+            token["data"] = attrs
 
         return token
 

docs/clean.rst

@@ -371,7 +371,7 @@ Trivial Filter example:
    >>> cleaner = Cleaner(tags=TAGS, attributes=ATTRS, filters=[MooFilter])
    >>> dirty = 'this is cute! <img src="http://example.com/puppy.jpg" rel="nofollow">'
    >>> cleaner.clean(dirty)
-   'this is cute! <img rel="moo" src="moo">'
+   'this is cute! <img src="moo" rel="moo">'
 
 
 .. Warning::

docs/linkify.rst

@@ -123,7 +123,7 @@ an external link:
    ...
    >>> linker = Linker(callbacks=[set_target])
    >>> linker.linkify('abc http://example.com def')
-   'abc <a class="external" href="http://example.com" target="_blank">http://example.com</a> def'
+   'abc <a href="http://example.com" target="_blank" class="external">http://example.com</a> def'
 
 
 Removing Attributes

tests/test_clean.py

@@ -625,7 +625,7 @@ def test_svg_attr_val_allows_ref():
     [
         (
             '<svg><pattern id="patt1" href="#patt2"></pattern></svg>',
-            '<svg><pattern href="#patt2" id="patt1"></pattern></svg>',
+            '<svg><pattern id="patt1" href="#patt2"></pattern></svg>',
         ),
         (
             '<svg><pattern id="patt1" xlink:href="#patt2"></pattern></svg>',
@@ -1116,6 +1116,13 @@ def test_regressions(test_case):
     assert clean(test_data) == expected
 
 
+def test_preserves_attributes_order():
+    html = """<a target="_blank" href="https://example.com">Link</a>"""
+    cleaned_html = clean(html, tags=["a"], attributes={"a": ["href", "target"]})
+
+    assert cleaned_html == html
+
+
 class TestCleaner:
     def test_basics(self):
         TAGS = ["span", "br"]
@@ -1145,4 +1152,4 @@ def __iter__(self):
         cleaner = Cleaner(tags=TAGS, attributes=ATTRS, filters=[MooFilter])
 
         dirty = 'this is cute! <img src="http://example.com/puppy.jpg" rel="nofollow">'
-        assert cleaner.clean(dirty) == 'this is cute! <img rel="moo" src="moo">'
+        assert cleaner.clean(dirty) == 'this is cute! <img src="moo" rel="moo">'