Add support for DangerousRawHtml

Author: MaddyGuthridge

pyhtml/__init__.py

@@ -254,6 +254,7 @@
 from .__tags import input_, object_
 
 __all__ = [
+    'DangerousRawHtml',
     'Tag',
     'Comment',
     'input_',
@@ -375,6 +376,7 @@
 
 
 from .__tags import (
+    DangerousRawHtml,
     html,
     base,
     head,

pyhtml/__tag_base.py

@@ -129,6 +129,17 @@ class Comment(Tag):
     Note that this does not render as a `<comment>` tag
     """
     def __init__(self, text: str) -> None:
+        """
+        An HTML comment.
+
+        Renders as:
+
+        ```html
+        <!-- [comment text] -->
+        ```
+
+        Note that this does not render as a `<comment>` tag
+        """
         self.comment_data = text
         super().__init__()
 

pyhtml/__tags/__init__.py

@@ -6,11 +6,14 @@
 # Re-export renamed versions of tags
 from .renames import input_, object_
 from .input import input
+from .dangerous_raw_html import DangerousRawHtml
 
 # Copy this into pyhtml/__tags/__init__.py
 __all__ = [
     # This one is generated by hand
     'input',
+    # These are extra features of PyHTML enhanced
+    'DangerousRawHtml',
     # These two are renamed
     'input_',
     'object_',

pyhtml/__tags/dangerous_raw_html.py

@@ -0,0 +1,48 @@
+"""
+# PyHTML Enhanced /  Tags / Dangerous raw HTML
+
+Definition for the DangerousRawHtml tag.
+"""
+from ..__tag_base import Tag
+
+
+class DangerousRawHtml(Tag):
+    """
+    Raw HTML as a string. This is embedded directly within the rendered output.
+
+    ## Warning
+
+    This will blindly accept any text as HTML, which is EXTREMELY DANGEROUS!
+    (Mis)using this could result in issues ranging from broken output to major
+    security vulnerabilities such as
+    [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting).
+
+    Do not use this unless absolutely necessary.
+    """
+    def __init__(self, text: str) -> None:
+        """
+        Raw HTML as a string. This is embedded directly within the rendered
+        output.
+
+        ## Warning
+
+        This will blindly accept any text as HTML, which is EXTREMELY
+        DANGEROUS! (Mis)using this could result in issues ranging from broken
+        output to major security vulnerabilities such as
+        [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting).
+
+        Do not use this unless absolutely necessary.
+        """
+        self.html_data = text
+        super().__init__()
+
+    def __call__(self):
+        raise TypeError('DangerousRawHtml tags are not callable')
+
+    def _get_tag_name(self) -> str:
+        # Ignore coverage since this is only implemented to satisfy inheritance
+        # and is never used since we override _render
+        return '!!!DANGEROUS RAW HTML!!!'  # pragma: no cover
+
+    def _render(self) -> list[str]:
+        return self.html_data.splitlines()

tests/basic_rendering_test.py

@@ -17,6 +17,7 @@
     br,
     input,
     a,
+    DangerousRawHtml,
 )
 
 
@@ -248,3 +249,21 @@ def test_boolean_tag_attributes_false():
     Attributes with value `False` are skipped
     """
     assert str(input(readonly=False)) == "<input/>"
+
+
+def test_dangerous_raw_html():
+    """
+    Is raw HTML rendered correctly?
+    """
+    assert str(DangerousRawHtml("<script>alert(1)</script>")) \
+        == "<script>alert(1)</script>"
+
+    assert str(
+        html(
+            DangerousRawHtml("<script>alert(1)</script>")
+        )
+    ) == "\n".join([
+        "<html>",
+        "  <script>alert(1)</script>",
+        "</html>",
+    ])