Mercurial > genshi > genshi-test
comparison markup/tests/core.py @ 113:e815c2c07572
Removed the `sanitize()` method from the `Markup` class, and migrate the existing unit tests to `markup.tests.filters`. Provide a `Stream.filter()` method instead which can be used to conveniently apply a filter to a stream.
| author | cmlenz |
|---|---|
| date | Mon, 31 Jul 2006 23:00:06 +0000 |
| parents | e82d1bb07464 |
| children | 88ac4c680120 |
comparison
equal
deleted
inserted
replaced
| 112:a834a6669681 | 113:e815c2c07572 |
|---|---|
| 89 def test_striptags_mid(self): | 89 def test_striptags_mid(self): |
| 90 markup = Markup('<a href="#">fo<br />o</a>').striptags() | 90 markup = Markup('<a href="#">fo<br />o</a>').striptags() |
| 91 assert isinstance(markup, Markup) | 91 assert isinstance(markup, Markup) |
| 92 self.assertEquals('foo', markup) | 92 self.assertEquals('foo', markup) |
| 93 | 93 |
| 94 def test_sanitize_unchanged(self): | |
| 95 markup = Markup('<a href="#">fo<br />o</a>') | |
| 96 self.assertEquals('<a href="#">fo<br/>o</a>', str(markup.sanitize())) | |
| 97 | |
| 98 def test_sanitize_escape_text(self): | |
| 99 markup = Markup('<a href="#">fo&</a>') | |
| 100 self.assertEquals('<a href="#">fo&</a>', str(markup.sanitize())) | |
| 101 markup = Markup('<a href="#"><foo></a>') | |
| 102 self.assertEquals('<a href="#"><foo></a>', str(markup.sanitize())) | |
| 103 | |
| 104 def test_sanitize_entityref_text(self): | |
| 105 markup = Markup('<a href="#">foö</a>') | |
| 106 self.assertEquals(u'<a href="#">foƶ</a>', unicode(markup.sanitize())) | |
| 107 | |
| 108 def test_sanitize_escape_attr(self): | |
| 109 markup = Markup('<div title="<foo>"></div>') | |
| 110 self.assertEquals('<div title="<foo>"/>', str(markup.sanitize())) | |
| 111 | |
| 112 def test_sanitize_close_empty_tag(self): | |
| 113 markup = Markup('<a href="#">fo<br>o</a>') | |
| 114 self.assertEquals('<a href="#">fo<br/>o</a>', str(markup.sanitize())) | |
| 115 | |
| 116 def test_sanitize_invalid_entity(self): | |
| 117 markup = Markup('&junk;') | |
| 118 self.assertEquals('&junk;', str(markup.sanitize())) | |
| 119 | |
| 120 def test_sanitize_remove_script_elem(self): | |
| 121 markup = Markup('<script>alert("Foo")</script>') | |
| 122 self.assertEquals('', str(markup.sanitize())) | |
| 123 markup = Markup('<SCRIPT SRC="http://example.com/"></SCRIPT>') | |
| 124 self.assertEquals('', str(markup.sanitize())) | |
| 125 markup = Markup('<SCR\0IPT>alert("foo")</SCR\0IPT>') | |
| 126 self.assertRaises(ParseError, markup.sanitize) | |
| 127 markup = Markup('<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>') | |
| 128 self.assertRaises(ParseError, markup.sanitize) | |
| 129 | |
| 130 def test_sanitize_remove_onclick_attr(self): | |
| 131 markup = Markup('<div onclick=\'alert("foo")\' />') | |
| 132 self.assertEquals('<div/>', str(markup.sanitize())) | |
| 133 | |
| 134 def test_sanitize_remove_style_scripts(self): | |
| 135 # Inline style with url() using javascript: scheme | |
| 136 markup = Markup('<DIV STYLE=\'background: url(javascript:alert("foo"))\'>') | |
| 137 self.assertEquals('<div/>', str(markup.sanitize())) | |
| 138 # Inline style with url() using javascript: scheme, using control char | |
| 139 markup = Markup('<DIV STYLE=\'background: url(javascript:alert("foo"))\'>') | |
| 140 self.assertEquals('<div/>', str(markup.sanitize())) | |
| 141 # Inline style with url() using javascript: scheme, in quotes | |
| 142 markup = Markup('<DIV STYLE=\'background: url("javascript:alert(foo)")\'>') | |
| 143 self.assertEquals('<div/>', str(markup.sanitize())) | |
| 144 # IE expressions in CSS not allowed | |
| 145 markup = Markup('<DIV STYLE=\'width: expression(alert("foo"));\'>') | |
| 146 self.assertEquals('<div/>', str(markup.sanitize())) | |
| 147 markup = Markup('<DIV STYLE=\'background: url(javascript:alert("foo"));' | |
| 148 'color: #fff\'>') | |
| 149 self.assertEquals('<div style="color: #fff"/>', str(markup.sanitize())) | |
| 150 | |
| 151 def test_sanitize_remove_src_javascript(self): | |
| 152 markup = Markup('<img src=\'javascript:alert("foo")\'>') | |
| 153 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 154 # Case-insensitive protocol matching | |
| 155 markup = Markup('<IMG SRC=\'JaVaScRiPt:alert("foo")\'>') | |
| 156 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 157 # Grave accents (not parsed) | |
| 158 markup = Markup('<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>') | |
| 159 self.assertRaises(ParseError, markup.sanitize) | |
| 160 # Protocol encoded using UTF-8 numeric entities | |
| 161 markup = Markup('<IMG SRC=\'javascri' | |
| 162 'pt:alert("foo")\'>') | |
| 163 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 164 # Protocol encoded using UTF-8 numeric entities without a semicolon | |
| 165 # (which is allowed because the max number of digits is used) | |
| 166 markup = Markup('<IMG SRC=\'java' | |
| 167 'script' | |
| 168 ':alert("foo")\'>') | |
| 169 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 170 # Protocol encoded using UTF-8 numeric hex entities without a semicolon | |
| 171 # (which is allowed because the max number of digits is used) | |
| 172 markup = Markup('<IMG SRC=\'javascri' | |
| 173 'pt:alert("foo")\'>') | |
| 174 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 175 # Embedded tab character in protocol | |
| 176 markup = Markup('<IMG SRC=\'jav\tascript:alert("foo");\'>') | |
| 177 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 178 # Embedded tab character in protocol, but encoded this time | |
| 179 markup = Markup('<IMG SRC=\'jav	ascript:alert("foo");\'>') | |
| 180 self.assertEquals('<img/>', str(markup.sanitize())) | |
| 181 | |
| 182 | 94 |
| 183 def suite(): | 95 def suite(): |
| 184 suite = unittest.TestSuite() | 96 suite = unittest.TestSuite() |
| 185 suite.addTest(unittest.makeSuite(MarkupTestCase, 'test')) | 97 suite.addTest(unittest.makeSuite(MarkupTestCase, 'test')) |
| 186 suite.addTest(doctest.DocTestSuite(Markup.__module__)) | 98 suite.addTest(doctest.DocTestSuite(Markup.__module__)) |