annotate genshi/filters/tests/html.py @ 820:1837f39efd6f experimental-inline
Sync (old) experimental inline branch with trunk@1027.
author | cmlenz |
---|---|
date | Wed, 11 Mar 2009 17:51:06 +0000 |
parents | 0742f421caba |
children | 09cc3627654c |
500 | 1 # -*- coding: utf-8 -*- |
2 # | |
3 # Copyright (C) 2006-2008 Edgewall Software |
500 | 4 # All rights reserved. |
5 # | |
6 # This software is licensed as described in the file COPYING, which | |
7 # you should have received as part of this distribution. The terms | |
8 # are also available at http://genshi.edgewall.org/wiki/License. | |
9 # | |
10 # This software consists of voluntary contributions made by many | |
11 # individuals. For the exact contribution history, see the revision | |
12 # history and logs, available at http://genshi.edgewall.org/log/. | |
13 | |
14 import doctest | |
15 import unittest | |
16 | |
17 from genshi.input import HTML, ParseError | |
18 from genshi.filters.html import HTMLFormFiller, HTMLSanitizer | |
19 from genshi.template import MarkupTemplate |
500 | 20 |
class HTMLFormFillerTestCase(unittest.TestCase):
    """Regression tests for the ``HTMLFormFiller`` stream filter.

    Each test parses a small form with ``HTML()`` (or renders one through
    ``MarkupTemplate``), pipes the event stream through ``HTMLFormFiller``
    -- with or without a ``data`` mapping -- and compares the serialized
    result against the expected markup.  Cases are grouped by control type
    (text/hidden inputs, textarea, checkbox, radio, select) and by how the
    value is supplied: not at all, as a single string, or as a list.
    """

    # NOTE(review): ``assertEquals`` is a deprecated alias of ``assertEqual``
    # (removed in Python 3.12).  It is fine on the Python 2 interpreter this
    # module targets (it relies on the ``unicode`` builtin).

    def test_fill_input_text_no_value(self):
        """Without data, a text input gets no ``value`` attribute."""
        html = HTML("""<form><p>
          <input type="text" name="foo" />
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <input type="text" name="foo"/>
        </p></form>""", unicode(html))

    def test_fill_input_text_single_value(self):
        """A string value is written into the text input's ``value``."""
        html = HTML("""<form><p>
          <input type="text" name="foo" />
        </p></form>""") | HTMLFormFiller(data={'foo': 'bar'})
        self.assertEquals("""<form><p>
          <input type="text" name="foo" value="bar"/>
        </p></form>""", unicode(html))

    def test_fill_input_text_multi_value(self):
        """A one-element list fills the text input with that element."""
        html = HTML("""<form><p>
          <input type="text" name="foo" />
        </p></form>""") | HTMLFormFiller(data={'foo': ['bar']})
        self.assertEquals("""<form><p>
          <input type="text" name="foo" value="bar"/>
        </p></form>""", unicode(html))

    def test_fill_input_hidden_no_value(self):
        """Without data, a hidden input gets no ``value`` attribute."""
        html = HTML("""<form><p>
          <input type="hidden" name="foo" />
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <input type="hidden" name="foo"/>
        </p></form>""", unicode(html))

    def test_fill_input_hidden_single_value(self):
        """A string value is written into the hidden input's ``value``."""
        html = HTML("""<form><p>
          <input type="hidden" name="foo" />
        </p></form>""") | HTMLFormFiller(data={'foo': 'bar'})
        self.assertEquals("""<form><p>
          <input type="hidden" name="foo" value="bar"/>
        </p></form>""", unicode(html))

    def test_fill_input_hidden_multi_value(self):
        """A one-element list fills the hidden input with that element."""
        html = HTML("""<form><p>
          <input type="hidden" name="foo" />
        </p></form>""") | HTMLFormFiller(data={'foo': ['bar']})
        self.assertEquals("""<form><p>
          <input type="hidden" name="foo" value="bar"/>
        </p></form>""", unicode(html))

    def test_fill_textarea_no_value(self):
        """Without data, an empty textarea stays empty (serialized as ``<textarea/>``)."""
        html = HTML("""<form><p>
          <textarea name="foo"></textarea>
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <textarea name="foo"/>
        </p></form>""", unicode(html))

    def test_fill_textarea_single_value(self):
        """A string value becomes the textarea's text content."""
        html = HTML("""<form><p>
          <textarea name="foo"></textarea>
        </p></form>""") | HTMLFormFiller(data={'foo': 'bar'})
        self.assertEquals("""<form><p>
          <textarea name="foo">bar</textarea>
        </p></form>""", unicode(html))

    def test_fill_textarea_multi_value(self):
        """A one-element list becomes the textarea's text content."""
        html = HTML("""<form><p>
          <textarea name="foo"></textarea>
        </p></form>""") | HTMLFormFiller(data={'foo': ['bar']})
        self.assertEquals("""<form><p>
          <textarea name="foo">bar</textarea>
        </p></form>""", unicode(html))

    def test_fill_input_checkbox_no_value(self):
        """Without data, a checkbox is left unchecked."""
        html = HTML("""<form><p>
          <input type="checkbox" name="foo" />
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo"/>
        </p></form>""", unicode(html))

    def test_fill_input_checkbox_single_value_auto(self):
        """Checkbox without a ``value`` attribute: ``''`` leaves it unchecked, ``'on'`` checks it."""
        html = HTML("""<form><p>
          <input type="checkbox" name="foo" />
        </p></form>""")
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': ''})))
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo" checked="checked"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': 'on'})))

    def test_fill_input_checkbox_single_value_defined(self):
        """Checkbox with ``value="1"``: checked only when the data string equals that value."""
        html = HTML("""<form><p>
          <input type="checkbox" name="foo" value="1" />
        </p></form>""")
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo" value="1" checked="checked"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': '1'})))
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo" value="1"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': '2'})))

    def test_fill_input_checkbox_multi_value_auto(self):
        """Checkbox without a ``value`` attribute, list data: empty list unchecked, ``['on']`` checked."""
        html = HTML("""<form><p>
          <input type="checkbox" name="foo" />
        </p></form>""")
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': []})))
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo" checked="checked"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': ['on']})))

    def test_fill_input_checkbox_multi_value_defined(self):
        """Checkbox with ``value="1"``, list data: checked only when the list contains ``'1'``."""
        html = HTML("""<form><p>
          <input type="checkbox" name="foo" value="1" />
        </p></form>""")
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo" value="1" checked="checked"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': ['1']})))
        self.assertEquals("""<form><p>
          <input type="checkbox" name="foo" value="1"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': ['2']})))

    def test_fill_input_radio_no_value(self):
        """Without data, a radio button is left unchecked."""
        html = HTML("""<form><p>
          <input type="radio" name="foo" />
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <input type="radio" name="foo"/>
        </p></form>""", unicode(html))

    def test_fill_input_radio_single_value(self):
        """Radio with ``value="1"``: checked only when the data string equals that value."""
        html = HTML("""<form><p>
          <input type="radio" name="foo" value="1" />
        </p></form>""")
        self.assertEquals("""<form><p>
          <input type="radio" name="foo" value="1" checked="checked"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': '1'})))
        self.assertEquals("""<form><p>
          <input type="radio" name="foo" value="1"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': '2'})))

    def test_fill_input_radio_multi_value(self):
        """Radio with ``value="1"``, list data: checked only when the list contains ``'1'``."""
        html = HTML("""<form><p>
          <input type="radio" name="foo" value="1" />
        </p></form>""")
        self.assertEquals("""<form><p>
          <input type="radio" name="foo" value="1" checked="checked"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': ['1']})))
        self.assertEquals("""<form><p>
          <input type="radio" name="foo" value="1"/>
        </p></form>""", unicode(html | HTMLFormFiller(data={'foo': ['2']})))

    def test_fill_select_no_value_auto(self):
        """Without data, a select whose options carry no ``value`` is left untouched."""
        html = HTML("""<form><p>
          <select name="foo">
            <option>1</option>
            <option>2</option>
            <option>3</option>
          </select>
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <select name="foo">
            <option>1</option>
            <option>2</option>
            <option>3</option>
          </select>
        </p></form>""", unicode(html))

    def test_fill_select_no_value_defined(self):
        """Without data, a select whose options carry ``value`` attributes is left untouched."""
        html = HTML("""<form><p>
          <select name="foo">
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
          </select>
        </p></form>""") | HTMLFormFiller()
        self.assertEquals("""<form><p>
          <select name="foo">
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
          </select>
        </p></form>""", unicode(html))

    def test_fill_select_single_value_auto(self):
        """Options without ``value`` are matched on their text content."""
        html = HTML("""<form><p>
          <select name="foo">
            <option>1</option>
            <option>2</option>
            <option>3</option>
          </select>
        </p></form>""") | HTMLFormFiller(data={'foo': '1'})
        self.assertEquals("""<form><p>
          <select name="foo">
            <option selected="selected">1</option>
            <option>2</option>
            <option>3</option>
          </select>
        </p></form>""", unicode(html))

    def test_fill_select_single_value_defined(self):
        """Options with ``value`` are matched on that attribute."""
        html = HTML("""<form><p>
          <select name="foo">
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
          </select>
        </p></form>""") | HTMLFormFiller(data={'foo': '1'})
        self.assertEquals("""<form><p>
          <select name="foo">
            <option value="1" selected="selected">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
          </select>
        </p></form>""", unicode(html))

    def test_fill_select_multi_value_auto(self):
        """A ``multiple`` select selects every option whose text is in the list.

        The bare ``multiple`` attribute is serialized as ``multiple="multiple"``.
        """
        html = HTML("""<form><p>
          <select name="foo" multiple>
            <option>1</option>
            <option>2</option>
            <option>3</option>
          </select>
        </p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']})
        self.assertEquals("""<form><p>
          <select name="foo" multiple="multiple">
            <option selected="selected">1</option>
            <option>2</option>
            <option selected="selected">3</option>
          </select>
        </p></form>""", unicode(html))

    def test_fill_select_multi_value_defined(self):
        """A ``multiple`` select selects every option whose ``value`` is in the list."""
        html = HTML("""<form><p>
          <select name="foo" multiple>
            <option value="1">1</option>
            <option value="2">2</option>
            <option value="3">3</option>
          </select>
        </p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']})
        self.assertEquals("""<form><p>
          <select name="foo" multiple="multiple">
            <option value="1" selected="selected">1</option>
            <option value="2">2</option>
            <option value="3" selected="selected">3</option>
          </select>
        </p></form>""", unicode(html))

    def test_fill_option_segmented_text(self):
        """Option text produced by a template expression (``$x``) does not break
        matching on the ``value`` attribute."""
        html = MarkupTemplate("""<form>
          <select name="foo">
            <option value="1">foo $x</option>
          </select>
        </form>""").generate(x=1) | HTMLFormFiller(data={'foo': '1'})
        self.assertEquals("""<form>
          <select name="foo">
            <option value="1" selected="selected">foo 1</option>
          </select>
        </form>""", unicode(html))

    def test_fill_option_segmented_text_no_value(self):
        """Without a ``value`` attribute, matching uses the option's full text
        even when the template emits it as several text segments."""
        html = MarkupTemplate("""<form>
          <select name="foo">
            <option>foo $x bar</option>
          </select>
        </form>""").generate(x=1) | HTMLFormFiller(data={'foo': 'foo 1 bar'})
        self.assertEquals("""<form>
          <select name="foo">
            <option selected="selected">foo 1 bar</option>
          </select>
        </form>""", unicode(html))

    def test_fill_option_unicode_value(self):
        """A non-ASCII option ``value`` is matched against a unicode data value."""
        # NOTE(review): the web rendering of this file shows two different
        # characters for the option value in the input and in the data /
        # expected output.  The repository source most likely uses an entity
        # or escape sequence that the page rendering altered -- confirm
        # against the checked-in file before relying on this listing.
        html = HTML(u"""<form>
          <select name="foo">
            <option value="ö">foo</option>
          </select>
        </form>""") | HTMLFormFiller(data={'foo': u'ƶ'})
        self.assertEquals(u"""<form>
          <select name="foo">
            <option value="ƶ" selected="selected">foo</option>
          </select>
        </form>""", unicode(html))
308 |
500 | 309 |
class HTMLSanitizerTestCase(unittest.TestCase):
    """Regression tests for the ``HTMLSanitizer`` stream filter.

    Each test parses a fragment with ``HTML()``, pipes it through
    ``HTMLSanitizer`` and checks the serialized output.  The cases fall into
    three groups: benign markup that must survive unchanged, dangerous
    elements/attributes that must be stripped, and malformed input that the
    parser itself rejects with ``ParseError`` (so it never reaches the
    sanitizer).
    """

    # NOTE(review): ``assertEquals`` is a deprecated alias of ``assertEqual``
    # (removed in Python 3.12).  It is fine on the Python 2 interpreter this
    # module targets (it relies on the ``unicode`` builtin).

    def test_sanitize_unchanged(self):
        """A plain anchor with a line break passes through; ``<br />`` is
        re-serialized as ``<br/>``."""
        html = HTML('<a href="#">fo<br />o</a>')
        self.assertEquals(u'<a href="#">fo<br/>o</a>',
                          unicode(html | HTMLSanitizer()))

    def test_sanitize_escape_text(self):
        """Text content is re-escaped on output."""
        # NOTE(review): on this web rendering the input and expected strings
        # look identical; the checked-in source presumably holds escaped
        # entities that the page decoded.  Confirm against the repository.
        html = HTML('<a href="#">fo&</a>')
        self.assertEquals(u'<a href="#">fo&</a>',
                          unicode(html | HTMLSanitizer()))
        html = HTML('<a href="#"><foo></a>')
        self.assertEquals(u'<a href="#"><foo></a>',
                          unicode(html | HTMLSanitizer()))

    def test_sanitize_entityref_text(self):
        """A named entity in text is resolved to its character."""
        # NOTE(review): the rendered page shows different characters in the
        # input and the expected output; the repository source likely uses
        # an entity/escape pair that the rendering altered -- confirm.
        html = HTML('<a href="#">foö</a>')
        self.assertEquals(u'<a href="#">foƶ</a>',
                          unicode(html | HTMLSanitizer()))

    def test_sanitize_escape_attr(self):
        """Attribute values are re-escaped on output; the empty div is
        serialized as ``<div .../>``."""
        # NOTE(review): as in test_sanitize_escape_text, the escaping in the
        # checked-in literals is not visible on this rendering -- confirm.
        html = HTML('<div title="<foo>"></div>')
        self.assertEquals(u'<div title="<foo>"/>',
                          unicode(html | HTMLSanitizer()))

    def test_sanitize_close_empty_tag(self):
        """An unclosed ``<br>`` is emitted as a closed empty element."""
        html = HTML('<a href="#">fo<br>o</a>')
        self.assertEquals(u'<a href="#">fo<br/>o</a>',
                          unicode(html | HTMLSanitizer()))

    def test_sanitize_invalid_entity(self):
        """An unknown entity reference is passed through as literal text."""
        html = HTML('&junk;')
        self.assertEquals('&junk;', unicode(html | HTMLSanitizer()))

    def test_sanitize_remove_script_elem(self):
        """``<script>`` elements are removed entirely, regardless of tag case.

        Tag names containing a NUL byte or an ``&`` are not sanitizer
        concerns: the parser rejects them with ``ParseError``.
        """
        html = HTML('<script>alert("Foo")</script>')
        self.assertEquals(u'', unicode(html | HTMLSanitizer()))
        html = HTML('<SCRIPT SRC="http://example.com/"></SCRIPT>')
        self.assertEquals(u'', unicode(html | HTMLSanitizer()))
        self.assertRaises(ParseError, HTML, '<SCR\0IPT>alert("foo")</SCR\0IPT>')
        self.assertRaises(ParseError, HTML,
                          '<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>')

    def test_sanitize_remove_onclick_attr(self):
        """An inline event-handler attribute is stripped from the element."""
        html = HTML('<div onclick=\'alert("foo")\' />')
        self.assertEquals(u'<div/>', unicode(html | HTMLSanitizer()))

    def test_sanitize_remove_comments(self):
        """HTML comments are dropped from the output."""
        html = HTML('''<div><!-- conditional comment crap --></div>''')
        self.assertEquals(u'<div/>', unicode(html | HTMLSanitizer()))

    def test_sanitize_remove_style_scripts(self):
        """With ``style`` allowed as a safe attribute, the sanitizer still drops
        style values that reach script through CSS.

        Covered: ``url(javascript:...)`` in plain, quoted and CSS-escaped
        (``\\75``, ``\\000075``, with trailing space / CRLF) spellings, and IE
        ``expression(...)`` including the comment-split form.  When a safe
        declaration sits next to an unsafe one only the safe declaration is
        kept.
        """
        sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS | set(['style']))
        # Inline style with url() using javascript: scheme
        html = HTML('<DIV STYLE=\'background: url(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        # Inline style with url() using javascript: scheme, using control char
        # NOTE(review): on this rendering the literal below is identical to
        # the one above; the control character the comment refers to was
        # presumably lost by the page rendering -- confirm against the
        # repository source.
        html = HTML('<DIV STYLE=\'background: url(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        # Inline style with url() using javascript: scheme, in quotes
        html = HTML('<DIV STYLE=\'background: url("javascript:alert(foo)")\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        # IE expressions in CSS not allowed
        html = HTML('<DIV STYLE=\'width: expression(alert("foo"));\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        html = HTML('<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        # Only the offending declaration is removed; the harmless one survives.
        html = HTML('<DIV STYLE=\'background: url(javascript:alert("foo"));'
                    'color: #fff\'>')
        self.assertEquals(u'<div style="color: #fff"/>',
                          unicode(html | sanitizer))
        # Inline style with url() using javascript: scheme, using unicode
        # escapes
        html = HTML('<DIV STYLE=\'background: \\75rl(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        html = HTML('<DIV STYLE=\'background: \\000075rl(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        html = HTML('<DIV STYLE=\'background: \\75 rl(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        html = HTML('<DIV STYLE=\'background: \\000075 rl(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))
        html = HTML('<DIV STYLE=\'background: \\000075\r\nrl(javascript:alert("foo"))\'>')
        self.assertEquals(u'<div/>', unicode(html | sanitizer))

    def test_sanitize_remove_src_javascript(self):
        """An ``img src`` using the ``javascript:`` scheme is stripped, leaving
        a bare ``<img/>``.

        Covered: plain, mixed-case, entity-encoded (with and without
        semicolons, decimal and hex) and tab-embedded spellings of the scheme.
        Grave-accent quoting is rejected by the parser with ``ParseError``.
        """
        # NOTE(review): the comments below describe entity-encoded and
        # escaped variants, but on this web rendering several of the literals
        # appear already decoded to plain text.  The checked-in source is the
        # authority for the exact bytes under test -- confirm before editing.
        html = HTML('<img src=\'javascript:alert("foo")\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
        # Case-insensitive protocol matching
        html = HTML('<IMG SRC=\'JaVaScRiPt:alert("foo")\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
        # Grave accents (not parsed)
        self.assertRaises(ParseError, HTML,
                          '<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>')
        # Protocol encoded using UTF-8 numeric entities
        html = HTML('<IMG SRC=\'javascri'
                    'pt:alert("foo")\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
        # Protocol encoded using UTF-8 numeric entities without a semicolon
        # (which is allowed because the max number of digits is used)
        html = HTML('<IMG SRC=\'java'
                    'script'
                    ':alert("foo")\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
        # Protocol encoded using UTF-8 numeric hex entities without a semicolon
        # (which is allowed because the max number of digits is used)
        html = HTML('<IMG SRC=\'javascri'
                    'pt:alert("foo")\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
        # Embedded tab character in protocol
        html = HTML('<IMG SRC=\'jav\tascript:alert("foo");\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
        # Embedded tab character in protocol, but encoded this time
        html = HTML('<IMG SRC=\'jav	ascript:alert("foo");\'>')
        self.assertEquals(u'<img/>', unicode(html | HTMLSanitizer()))
424 | |
425 | |
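def suite():
    """Build the test suite for this module.

    Returns:
        A ``unittest.TestSuite`` holding the doctests of the module that
        defines ``HTMLFormFiller`` plus every ``test*`` method of
        ``HTMLFormFillerTestCase`` and ``HTMLSanitizerTestCase``.
    """
    # A TestLoader replaces unittest.makeSuite, which is deprecated since
    # Python 3.11 and removed in 3.13; the loader's default testMethodPrefix
    # is 'test', matching the prefix the old makeSuite calls passed.
    loader = unittest.TestLoader()
    # Named `tests`, not `suite`, so the local does not shadow this function.
    tests = unittest.TestSuite()
    tests.addTest(doctest.DocTestSuite(HTMLFormFiller.__module__))
    tests.addTest(loader.loadTestsFromTestCase(HTMLFormFillerTestCase))
    tests.addTest(loader.loadTestsFromTestCase(HTMLSanitizerTestCase))
    return tests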
432 | |
if __name__ == '__main__':
    # Run the aggregate built by suite() (doctests plus both TestCases)
    # instead of unittest's default per-module test discovery.
    unittest.main(defaultTest='suite')