sanitizer: use urlparse from vendored CPython 3.6.14 urllib.parse

Update test_uri_value_allowed_protocols testcases:

  * convert test_invalid_uri_does_not_raise_error into a test case
  * add test case for data: scheme
  * add test case for implicit http for IP and port with path and fragment
  * add test case for relative path URI
  * test "is not allowed by default" test cases against default
    ALLOWED_PROTOCOLS
  * change anchor-only test that doesn't include a domain and add a
    comment to the domain one refs:
    https://github.com/mozilla/bleach/pull/565/files#r568229243

bleach/sanitizer.py

@@ -2,7 +2,7 @@
 import re
 import warnings
 
-from urllib.parse import urlparse
+from bleach._vendor.parse import urlparse
 from xml.sax.saxutils import unescape
 
 from bleach import html5lib_shim

tests/test_clean.py

@@ -4,7 +4,7 @@
 
 from bleach import clean
 from bleach.html5lib_shim import Filter
-from bleach.sanitizer import Cleaner
+from bleach.sanitizer import ALLOWED_PROTOCOLS, Cleaner
 from bleach._vendor.html5lib.constants import rcdataElements
 
 
@@ -56,10 +56,6 @@ def test_html_is_lowercased():
     )
 
 
-def test_invalid_uri_does_not_raise_error():
-    assert clean('<a href="http://example.com]">text</a>') == "<a>text</a>"
-
-
 @pytest.mark.parametrize(
     "data, should_strip, expected",
     [
@@ -469,10 +465,31 @@ def test_attributes_list():
 @pytest.mark.parametrize(
     "data, kwargs, expected",
     [
+        # invalid URI (urlparse raises a ValueError: Invalid IPv6 URL)
+        # is not allowed by default
+        (
+            '<a href="http://example.com]">text</a>',
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>text</a>",
+        ),
+        # data protocol is not allowed by default
+        (
+            '<a href="data:text/javascript,prompt(1)">foo</a>',
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>foo</a>",
+        ),
         # javascript: is not allowed by default
-        ("<a href=\"javascript:alert('XSS')\">xss</a>", {}, "<a>xss</a>"),
+        (
+            "<a href=\"javascript:alert('XSS')\">xss</a>",
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>xss</a>",
+        ),
         # File protocol is not allowed by default
-        ('<a href="file:///tmp/foo">foo</a>', {}, "<a>foo</a>"),
+        (
+            '<a href="file:///tmp/foo">foo</a>',
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>foo</a>",
+        ),
         # Specified protocols are allowed
         (
             '<a href="myprotocol://more_text">allowed href</a>',
@@ -486,12 +503,23 @@ def test_attributes_list():
             "<a>invalid href</a>",
         ),
         # Anchors are ok
+        (
+            '<a href="#section-1">foo</a>',
+            {"protocols": []},
+            '<a href="#section-1">foo</a>',
+        ),
+        # Anchor that looks like a domain is ok
         (
             '<a href="#example.com">foo</a>',
             {"protocols": []},
             '<a href="#example.com">foo</a>',
         ),
         # Allow implicit http if allowed
+        (
+            '<a href="/path">valid</a>',
+            {"protocols": ["http"]},
+            '<a href="/path">valid</a>',
+        ),
         (
             '<a href="example.com">valid</a>',
             {"protocols": ["http"]},
@@ -522,6 +550,14 @@ def test_attributes_list():
             {"protocols": ["http"]},
             '<a href="192.168.100.100:8000">valid</a>',
         ),
+        pytest.param(
+            *(
+                '<a href="192.168.100.100:8000/foo#bar">valid</a>',
+                {"protocols": ["http"]},
+                '<a href="192.168.100.100:8000/foo#bar">valid</a>',
+            ),
+            marks=pytest.mark.xfail,
+        ),
         # Disallow implicit http if disallowed
         ('<a href="example.com">foo</a>', {"protocols": []}, "<a>foo</a>"),
         ('<a href="example.com:8000">foo</a>', {"protocols": []}, "<a>foo</a>"),