Replace TravisCI tests run with GitHub actions

.github/workflows/test.yml

@@ -0,0 +1,36 @@
+name: test
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12']
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install tox and coverage
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install --upgrade tox tox-gh-actions coverage
+
+      - name: Test with tox
+        run: tox run -f py$(echo ${{ matrix.python-version }} | tr -d .)
+
+      - name: Generate coverage XML report
+        run: coverage xml
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v3
+        env:
+          PYTHON: ${{matrix.python-version}}
+        with:
+          env_vars: PYTHON

CHANGES.md

@@ -1,6 +1,10 @@
 0.8.20.0
 --------
  - Hotfix for wrong font urls
+ - Bump Summernote to 0.8.13
+ - Drop support for Python<3.8 and Django<3.2
+ - Replaced (deprecated) bleach sanitation usage with nh3. Note that the
+   styles content sanitation is no longer doable.
 
 0.8.19.0
 --------

README.md

@@ -1,6 +1,6 @@
 django-summernote
 =================
-[![Build Status](https://img.shields.io/travis/summernote/django-summernote.svg)](https://travis-ci.org/summernote/django-summernote)
+[![GitHub Actions status](https://github.com/summernote/django-summernote/workflows/test/badge.svg)](https://github.com/summernote/django-summernote/actions)
 [![Coverage Status](https://coveralls.io/repos/github/summernote/django-summernote/badge.svg?branch=master)](https://coveralls.io/github/summernote/django-summernote?branch=master)
 
 [Summernote](https://github.com/summernote/summernote) is a simple WYSIWYG editor.
@@ -119,7 +119,11 @@ Last, please don't forget to use `safe` templatetag while displaying in template
 
     {{ foobar|safe }}
 
-__Warning__: Please mind, that the widget does not provide any escaping. If you expose the widget to external users without taking care of this, it could potentially lead to an injection vulnerability. Therefore you can use the SummernoteTextFormField or SummernoteTextField, which escape all harmful tags through mozilla's package bleach:
+__Warning__: Please mind, that the widget does not provide any escaping. If
+you expose the widget to external users without taking care of this, it could
+potentially lead to an injection vulnerability. Therefore you can use the
+SummernoteTextFormField or SummernoteTextField, which escape all harmful tags
+through nh3 package:
 
 In `forms`,
 ```python

django_summernote/fields.py

@@ -1,8 +1,8 @@
 from django.db import models
 from django.forms import fields
 
-import bleach
-from django_summernote.settings import ALLOWED_TAGS, ATTRIBUTES, STYLES
+import nh3
+from django_summernote.settings import ALLOWED_TAGS, ATTRIBUTES
 from django_summernote.widgets import SummernoteWidget
 
 # code based on https://github.com/shaunsephton/django-ckeditor
@@ -15,8 +15,9 @@ def __init__(self, *args, **kwargs):
 
     def to_python(self, value):
         value = super().to_python(value)
-        return bleach.clean(
-            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES, styles=STYLES)
+        return nh3.clean(
+            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES
+        )
 
 
 class SummernoteTextField(models.TextField):
@@ -26,5 +27,6 @@ def formfield(self, **kwargs):
 
     def to_python(self, value):
         value = super().to_python(value)
-        return bleach.clean(
-            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES, styles=STYLES)
+        return nh3.clean(
+            value, tags=ALLOWED_TAGS, attributes=ATTRIBUTES
+        )

django_summernote/settings.py

@@ -1,15 +1,11 @@
-ALLOWED_TAGS = [
+ALLOWED_TAGS = {
     'a', 'div', 'p', 'span', 'img', 'em', 'i', 'li', 'ol', 'ul', 'strong', 'br',
     'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
     'table', 'tbody', 'thead', 'tr', 'td',
     'abbr', 'acronym', 'b', 'blockquote', 'code', 'strike', 'u', 'sup', 'sub',
-]
-
-STYLES = [
-    'background-color', 'font-size', 'line-height', 'color', 'font-family'
-]
+}
 
 ATTRIBUTES = {
-    '*': ['style', 'align', 'title', ],
-    'a': ['href', ],
+    '*': {'style', 'align', 'title'},
+    'a': {'href'},
 }

django_summernote/test_django_summernote.py

@@ -88,10 +88,10 @@ class SimpleForm(forms.Form):
         assert url in html
         assert 'id="id_foobar"' in html
 
-        illegal_tags = '<script></script>'
+        illegal_tags = '<unknown>dangerous</unknown>'
         form_field = SummernoteTextFormField()
         cleaned_text = form_field.clean(illegal_tags)
-        self.assertEqual(cleaned_text, '&lt;script&gt;&lt;/script&gt;')
+        self.assertEqual(cleaned_text, 'dangerous')
 
     def test_field(self):
         from django import forms
@@ -112,11 +112,11 @@ class Meta:
         assert url in html
         assert 'id="id_foobar"' in html
 
-        illegal_tags = '<script></script>'
+        illegal_tags = '<unknown>dangerous</unknown>'
         model_field = SummernoteTextField()
         model_instance = SimpleModel1()
         cleaned_text = model_field.clean(illegal_tags, model_instance)
-        self.assertEqual(cleaned_text, '&lt;script&gt;&lt;/script&gt;')
+        self.assertEqual(cleaned_text, 'dangerous')
 
     def test_empty(self):
         from django import forms

django_summernote/test_settings.py

@@ -18,6 +18,8 @@
 MEDIA_URL = '/media/'
 MEDIA_ROOT = 'test_media'
 
+USE_TZ = True
+
 SECRET_KEY = 'django_summernote'
 
 ROOT_URLCONF = 'django_summernote.urls'

requirements.txt

@@ -0,0 +1,2 @@
+django
+nh3

setup.py

@@ -13,10 +13,11 @@
     'License :: OSI Approved :: MIT License',
     'Programming Language :: Python :: 3',
     'Programming Language :: Python :: 3 :: Only',
-    'Programming Language :: Python :: 3.6',
-    'Programming Language :: Python :: 3.7',
     'Programming Language :: Python :: 3.8',
     'Programming Language :: Python :: 3.9',
+    'Programming Language :: Python :: 3.10',
+    'Programming Language :: Python :: 3.11',
+    'Programming Language :: Python :: 3.12',
     'Programming Language :: Python',
     'Topic :: Internet :: WWW/HTTP',
     'Topic :: Software Development :: Libraries :: Python Modules',
@@ -32,12 +33,12 @@
 
     author='django-summernote contributors',
     maintainer='django-summernote maintainers',
-    url='http://github.com/summernote/django-summernote',
+    url='https://github.com/summernote/django-summernote',
 
     description='Summernote plugin for Django',
     classifiers=CLASSIFIERS,
 
-    install_requires=['django', 'bleach'],
+    install_requires=['django', 'nh3'],
     extras_require={
         'dev': [
             'django-dummy-plug',

tox.ini

@@ -1,33 +1,28 @@
 [tox]
 envlist =
-    {py36,py37}-{dj202,dj300,dj301,dj302}
-    {py38,py39}-{dj202,dj300,dj301,dj302,dj400,djmain}
+    {py38,py39,py310}-{django32}
+    {py310,py311,py312}-{django42,django50,djangomain}
 
-[travis]
+[gh-actions]
 python =
-    3.6: py36
-    3.7: py37
     3.8: py38
     3.9: py39
+    3.10: py310
+    3.11: py311
+    3.12: py312
 
 [testenv]
-basepython =
-    py36: python3.6
-    py37: python3.7
-    py38: python3.8
-    py39: python3.9
-
 extras =
     dev
 
 deps =
     coverage
+    django-dummy-plug
+    nh3
 
-    dj202: Django<2.3
-    dj300: Django<3.1
-    dj301: Django<3.2
-    dj302: Django<3.3
-    dj400: Django==4.0a1
-    djmain: https://github.com/django/django/archive/main.tar.gz
+    django32: Django>=3.2,<4.0
+    django42: Django>=4.2,<5.0
+    django50: Django>=5.0,<5.1
+    djangomain: https://github.com/django/django/archive/master.tar.gz
 
 commands = coverage run -m pytest