Allow restricting the list of attributes able to be set with attr_list

[puiterwijk]

Signed-off-by: Patrick Uiterwijk patrick@puiterwijk.org

[waylan]

Thanks for your contribution. It hadn't occurred to me to do this. Regardless, I'm not sure its a good idea (or that it fits with our goals).

For example, some attributes are only valid on some HTML elements, but not others. We don't do anything to address that. Perhaps a user wants to allow a certain attribute on some elements, but not others.

Additionally, you didn't include an exclude option. What if a user wants to include everything except one attribute. With the current approach, she has to list every single possible attribute except that one. An exclude option with one item listed would be much preferable.

All of the above sounds an awful lot like an HTML sanitizer. A tool which has a very valid use case. However, such tools already exist and can be run on the HTML output by Markdown. As it stands, the Markdown parser cannot guarantee that its output is safe (see this excellent explanation). In fact, in the upcoming version 3.0, the current safe_mode will no longer be supported. If you want "safe" output, you need to use an HTML sanitizer. I recommend Bleach with bleach whitelist as a good place to start for a set of rules to pass to Bleach.

Given the above, and the current direction that Python-Markdown is heading, I don't think it makes sense to make this change. The same can be accomplished much more thoroughly via a HTML sanitizer.

[waylan]

As an aside, as long as you conform to the license, you are always welcome to fork the built-in extension and maintain your own which offers whatever features you desire.