comparison markup/tests/core.py @ 113:e815c2c07572
Removed the `sanitize()` method from the `Markup` class, and migrate the existing unit tests to `markup.tests.filters`. Provide a `Stream.filter()` method instead which can be used to conveniently apply a filter to a stream.
author | cmlenz |
---|---|
date | Mon, 31 Jul 2006 23:00:06 +0000 |
parents | e82d1bb07464 |
children | 88ac4c680120 |
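--- a/markup/tests/core.py
+++ b/markup/tests/core.py
@@ -89,98 +89,10 @@
 def test_striptags_mid(self):
 markup = Markup('<a href="#">fo<br />o</a>').striptags()
 assert isinstance(markup, Markup)
 self.assertEquals('foo', markup)
 
-def test_sanitize_unchanged(self):
-markup = Markup('<a href="#">fo<br />o</a>')
-self.assertEquals('<a href="#">fo<br/>o</a>', str(markup.sanitize()))
-
-def test_sanitize_escape_text(self):
-markup = Markup('<a href="#">fo&</a>')
-self.assertEquals('<a href="#">fo&</a>', str(markup.sanitize()))
-markup = Markup('<a href="#"><foo></a>')
-self.assertEquals('<a href="#"><foo></a>', str(markup.sanitize()))
-
-def test_sanitize_entityref_text(self):
-markup = Markup('<a href="#">foö</a>')
-self.assertEquals(u'<a href="#">foƶ</a>', unicode(markup.sanitize()))
-
-def test_sanitize_escape_attr(self):
-markup = Markup('<div title="<foo>"></div>')
-self.assertEquals('<div title="<foo>"/>', str(markup.sanitize()))
-
-def test_sanitize_close_empty_tag(self):
-markup = Markup('<a href="#">fo<br>o</a>')
-self.assertEquals('<a href="#">fo<br/>o</a>', str(markup.sanitize()))
-
-def test_sanitize_invalid_entity(self):
-markup = Markup('&junk;')
-self.assertEquals('&junk;', str(markup.sanitize()))
-
-def test_sanitize_remove_script_elem(self):
-markup = Markup('<script>alert("Foo")</script>')
-self.assertEquals('', str(markup.sanitize()))
-markup = Markup('<SCRIPT SRC="http://example.com/"></SCRIPT>')
-self.assertEquals('', str(markup.sanitize()))
-markup = Markup('<SCR\0IPT>alert("foo")</SCR\0IPT>')
-self.assertRaises(ParseError, markup.sanitize)
-markup = Markup('<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>')
-self.assertRaises(ParseError, markup.sanitize)
-
-def test_sanitize_remove_onclick_attr(self):
-markup = Markup('<div onclick=\'alert("foo")\' />')
-self.assertEquals('<div/>', str(markup.sanitize()))
-
-def test_sanitize_remove_style_scripts(self):
-# Inline style with url() using javascript: scheme
-markup = Markup('<DIV STYLE=\'background: url(javascript:alert("foo"))\'>')
-self.assertEquals('<div/>', str(markup.sanitize()))
-# Inline style with url() using javascript: scheme, using control char
-markup = Markup('<DIV STYLE=\'background: url(javascript:alert("foo"))\'>')
-self.assertEquals('<div/>', str(markup.sanitize()))
-# Inline style with url() using javascript: scheme, in quotes
-markup = Markup('<DIV STYLE=\'background: url("javascript:alert(foo)")\'>')
-self.assertEquals('<div/>', str(markup.sanitize()))
-# IE expressions in CSS not allowed
-markup = Markup('<DIV STYLE=\'width: expression(alert("foo"));\'>')
-self.assertEquals('<div/>', str(markup.sanitize()))
-markup = Markup('<DIV STYLE=\'background: url(javascript:alert("foo"));'
-'color: #fff\'>')
-self.assertEquals('<div style="color: #fff"/>', str(markup.sanitize()))
-
-def test_sanitize_remove_src_javascript(self):
-markup = Markup('<img src=\'javascript:alert("foo")\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-# Case-insensitive protocol matching
-markup = Markup('<IMG SRC=\'JaVaScRiPt:alert("foo")\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-# Grave accents (not parsed)
-markup = Markup('<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>')
-self.assertRaises(ParseError, markup.sanitize)
-# Protocol encoded using UTF-8 numeric entities
-markup = Markup('<IMG SRC=\'javascri'
-'pt:alert("foo")\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-# Protocol encoded using UTF-8 numeric entities without a semicolon
-# (which is allowed because the max number of digits is used)
-markup = Markup('<IMG SRC=\'java'
-'script'
-':alert("foo")\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-# Protocol encoded using UTF-8 numeric hex entities without a semicolon
-# (which is allowed because the max number of digits is used)
-markup = Markup('<IMG SRC=\'javascri'
-'pt:alert("foo")\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-# Embedded tab character in protocol
-markup = Markup('<IMG SRC=\'jav\tascript:alert("foo");\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-# Embedded tab character in protocol, but encoded this time
-markup = Markup('<IMG SRC=\'jav	ascript:alert("foo");\'>')
-self.assertEquals('<img/>', str(markup.sanitize()))
-
 
 def suite():
 suite = unittest.TestSuite()
 suite.addTest(unittest.makeSuite(MarkupTestCase, 'test'))
 suite.addTest(doctest.DocTestSuite(Markup.__module__))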