Mercurial > genshi > mirror
annotate genshi/filters/tests/test_html.py @ 1016:38565f2ab970 trunk
Fix handling of case where a translation has text after a closing tag (fixes #566, thanks to jomae for the patch).
author | hodgestar |
---|---|
date | Thu, 09 Jan 2014 21:23:41 +0000 |
parents | 99d4c481e4eb |
children | 6c1d10d2fc52 |
rev | line source |
---|---|
933 | 1 # -*- coding: utf-8 -*- |
2 # | |
3 # Copyright (C) 2006-2009 Edgewall Software | |
4 # All rights reserved. | |
5 # | |
6 # This software is licensed as described in the file COPYING, which | |
7 # you should have received as part of this distribution. The terms | |
8 # are also available at http://genshi.edgewall.org/wiki/License. | |
9 # | |
10 # This software consists of voluntary contributions made by many | |
11 # individuals. For the exact contribution history, see the revision | |
12 # history and logs, available at http://genshi.edgewall.org/log/. | |
13 | |
14 import doctest | |
15 import unittest | |
16 | |
17 from genshi.input import HTML, ParseError | |
18 from genshi.filters.html import HTMLFormFiller, HTMLSanitizer | |
19 from genshi.template import MarkupTemplate | |
20 | |
21 class HTMLFormFillerTestCase(unittest.TestCase): | |
22 | |
23 def test_fill_input_text_no_value(self): | |
24 html = HTML(u"""<form><p> | |
25 <input type="text" name="foo" /> | |
26 </p></form>""") | HTMLFormFiller() | |
27 self.assertEquals("""<form><p> | |
28 <input type="text" name="foo"/> | |
29 </p></form>""", html.render()) | |
30 | |
31 def test_fill_input_text_single_value(self): | |
32 html = HTML(u"""<form><p> | |
33 <input type="text" name="foo" /> | |
34 </p></form>""") | HTMLFormFiller(data={'foo': 'bar'}) | |
35 self.assertEquals("""<form><p> | |
36 <input type="text" name="foo" value="bar"/> | |
37 </p></form>""", html.render()) | |
38 | |
39 def test_fill_input_text_multi_value(self): | |
40 html = HTML(u"""<form><p> | |
41 <input type="text" name="foo" /> | |
42 </p></form>""") | HTMLFormFiller(data={'foo': ['bar']}) | |
43 self.assertEquals("""<form><p> | |
44 <input type="text" name="foo" value="bar"/> | |
45 </p></form>""", html.render()) | |
46 | |
47 def test_fill_input_hidden_no_value(self): | |
48 html = HTML(u"""<form><p> | |
49 <input type="hidden" name="foo" /> | |
50 </p></form>""") | HTMLFormFiller() | |
51 self.assertEquals("""<form><p> | |
52 <input type="hidden" name="foo"/> | |
53 </p></form>""", html.render()) | |
54 | |
55 def test_fill_input_hidden_single_value(self): | |
56 html = HTML(u"""<form><p> | |
57 <input type="hidden" name="foo" /> | |
58 </p></form>""") | HTMLFormFiller(data={'foo': 'bar'}) | |
59 self.assertEquals("""<form><p> | |
60 <input type="hidden" name="foo" value="bar"/> | |
61 </p></form>""", html.render()) | |
62 | |
63 def test_fill_input_hidden_multi_value(self): | |
64 html = HTML(u"""<form><p> | |
65 <input type="hidden" name="foo" /> | |
66 </p></form>""") | HTMLFormFiller(data={'foo': ['bar']}) | |
67 self.assertEquals("""<form><p> | |
68 <input type="hidden" name="foo" value="bar"/> | |
69 </p></form>""", html.render()) | |
70 | |
71 def test_fill_textarea_no_value(self): | |
72 html = HTML(u"""<form><p> | |
73 <textarea name="foo"></textarea> | |
74 </p></form>""") | HTMLFormFiller() | |
75 self.assertEquals("""<form><p> | |
76 <textarea name="foo"/> | |
77 </p></form>""", html.render()) | |
78 | |
79 def test_fill_textarea_single_value(self): | |
80 html = HTML(u"""<form><p> | |
81 <textarea name="foo"></textarea> | |
82 </p></form>""") | HTMLFormFiller(data={'foo': 'bar'}) | |
83 self.assertEquals("""<form><p> | |
84 <textarea name="foo">bar</textarea> | |
85 </p></form>""", html.render()) | |
86 | |
87 def test_fill_textarea_multi_value(self): | |
88 html = HTML(u"""<form><p> | |
89 <textarea name="foo"></textarea> | |
90 </p></form>""") | HTMLFormFiller(data={'foo': ['bar']}) | |
91 self.assertEquals("""<form><p> | |
92 <textarea name="foo">bar</textarea> | |
93 </p></form>""", html.render()) | |
94 | |
95 def test_fill_textarea_multiple(self): | |
96 # Ensure that the subsequent textarea doesn't get the data from the | |
97 # first | |
98 html = HTML(u"""<form><p> | |
99 <textarea name="foo"></textarea> | |
100 <textarea name="bar"></textarea> | |
101 </p></form>""") | HTMLFormFiller(data={'foo': 'Some text'}) | |
102 self.assertEquals("""<form><p> | |
103 <textarea name="foo">Some text</textarea> | |
104 <textarea name="bar"/> | |
105 </p></form>""", html.render()) | |
106 | |
107 def test_fill_textarea_preserve_original(self): | |
108 html = HTML(u"""<form><p> | |
109 <textarea name="foo"></textarea> | |
110 <textarea name="bar">Original value</textarea> | |
111 </p></form>""") | HTMLFormFiller(data={'foo': 'Some text'}) | |
112 self.assertEquals("""<form><p> | |
113 <textarea name="foo">Some text</textarea> | |
114 <textarea name="bar">Original value</textarea> | |
115 </p></form>""", html.render()) | |
116 | |
117 def test_fill_input_checkbox_single_value_auto_no_value(self): | |
118 html = HTML(u"""<form><p> | |
119 <input type="checkbox" name="foo" /> | |
120 </p></form>""") | HTMLFormFiller() | |
121 self.assertEquals("""<form><p> | |
122 <input type="checkbox" name="foo"/> | |
123 </p></form>""", html.render()) | |
124 | |
125 def test_fill_input_checkbox_single_value_auto(self): | |
126 html = HTML(u"""<form><p> | |
127 <input type="checkbox" name="foo" /> | |
128 </p></form>""") | |
129 self.assertEquals("""<form><p> | |
130 <input type="checkbox" name="foo"/> | |
131 </p></form>""", (html | HTMLFormFiller(data={'foo': ''})).render()) | |
132 self.assertEquals("""<form><p> | |
133 <input type="checkbox" name="foo" checked="checked"/> | |
134 </p></form>""", (html | HTMLFormFiller(data={'foo': 'on'})).render()) | |
135 | |
136 def test_fill_input_checkbox_single_value_defined(self): | |
137 html = HTML("""<form><p> | |
138 <input type="checkbox" name="foo" value="1" /> | |
139 </p></form>""", encoding='ascii') | |
140 self.assertEquals("""<form><p> | |
141 <input type="checkbox" name="foo" value="1" checked="checked"/> | |
142 </p></form>""", (html | HTMLFormFiller(data={'foo': '1'})).render()) | |
143 self.assertEquals("""<form><p> | |
144 <input type="checkbox" name="foo" value="1"/> | |
145 </p></form>""", (html | HTMLFormFiller(data={'foo': '2'})).render()) | |
146 | |
147 def test_fill_input_checkbox_multi_value_auto(self): | |
148 html = HTML("""<form><p> | |
149 <input type="checkbox" name="foo" /> | |
150 </p></form>""", encoding='ascii') | |
151 self.assertEquals("""<form><p> | |
152 <input type="checkbox" name="foo"/> | |
153 </p></form>""", (html | HTMLFormFiller(data={'foo': []})).render()) | |
154 self.assertEquals("""<form><p> | |
155 <input type="checkbox" name="foo" checked="checked"/> | |
156 </p></form>""", (html | HTMLFormFiller(data={'foo': ['on']})).render()) | |
157 | |
158 def test_fill_input_checkbox_multi_value_defined(self): | |
159 html = HTML(u"""<form><p> | |
160 <input type="checkbox" name="foo" value="1" /> | |
161 </p></form>""") | |
162 self.assertEquals("""<form><p> | |
163 <input type="checkbox" name="foo" value="1" checked="checked"/> | |
164 </p></form>""", (html | HTMLFormFiller(data={'foo': ['1']})).render()) | |
165 self.assertEquals("""<form><p> | |
166 <input type="checkbox" name="foo" value="1"/> | |
167 </p></form>""", (html | HTMLFormFiller(data={'foo': ['2']})).render()) | |
168 | |
169 def test_fill_input_radio_no_value(self): | |
170 html = HTML(u"""<form><p> | |
171 <input type="radio" name="foo" /> | |
172 </p></form>""") | HTMLFormFiller() | |
173 self.assertEquals("""<form><p> | |
174 <input type="radio" name="foo"/> | |
175 </p></form>""", html.render()) | |
176 | |
177 def test_fill_input_radio_single_value(self): | |
178 html = HTML(u"""<form><p> | |
179 <input type="radio" name="foo" value="1" /> | |
180 </p></form>""") | |
181 self.assertEquals("""<form><p> | |
182 <input type="radio" name="foo" value="1" checked="checked"/> | |
183 </p></form>""", (html | HTMLFormFiller(data={'foo': '1'})).render()) | |
184 self.assertEquals("""<form><p> | |
185 <input type="radio" name="foo" value="1"/> | |
186 </p></form>""", (html | HTMLFormFiller(data={'foo': '2'})).render()) | |
187 | |
188 def test_fill_input_radio_multi_value(self): | |
189 html = HTML(u"""<form><p> | |
190 <input type="radio" name="foo" value="1" /> | |
191 </p></form>""") | |
192 self.assertEquals("""<form><p> | |
193 <input type="radio" name="foo" value="1" checked="checked"/> | |
194 </p></form>""", (html | HTMLFormFiller(data={'foo': ['1']})).render()) | |
195 self.assertEquals("""<form><p> | |
196 <input type="radio" name="foo" value="1"/> | |
197 </p></form>""", (html | HTMLFormFiller(data={'foo': ['2']})).render()) | |
198 | |
199 def test_fill_input_radio_empty_string(self): | |
200 html = HTML(u"""<form><p> | |
201 <input type="radio" name="foo" value="" /> | |
202 </p></form>""") | |
203 self.assertEquals("""<form><p> | |
204 <input type="radio" name="foo" value="" checked="checked"/> | |
205 </p></form>""", (html | HTMLFormFiller(data={'foo': ''})).render()) | |
206 | |
207 def test_fill_input_radio_multi_empty_string(self): | |
208 html = HTML(u"""<form><p> | |
209 <input type="radio" name="foo" value="" /> | |
210 </p></form>""") | |
211 self.assertEquals("""<form><p> | |
212 <input type="radio" name="foo" value="" checked="checked"/> | |
213 </p></form>""", (html | HTMLFormFiller(data={'foo': ['']})).render()) | |
214 | |
215 def test_fill_select_no_value_auto(self): | |
216 html = HTML(u"""<form><p> | |
217 <select name="foo"> | |
218 <option>1</option> | |
219 <option>2</option> | |
220 <option>3</option> | |
221 </select> | |
222 </p></form>""") | HTMLFormFiller() | |
223 self.assertEquals("""<form><p> | |
224 <select name="foo"> | |
225 <option>1</option> | |
226 <option>2</option> | |
227 <option>3</option> | |
228 </select> | |
229 </p></form>""", html.render()) | |
230 | |
231 def test_fill_select_no_value_defined(self): | |
232 html = HTML(u"""<form><p> | |
233 <select name="foo"> | |
234 <option value="1">1</option> | |
235 <option value="2">2</option> | |
236 <option value="3">3</option> | |
237 </select> | |
238 </p></form>""") | HTMLFormFiller() | |
239 self.assertEquals("""<form><p> | |
240 <select name="foo"> | |
241 <option value="1">1</option> | |
242 <option value="2">2</option> | |
243 <option value="3">3</option> | |
244 </select> | |
245 </p></form>""", html.render()) | |
246 | |
247 def test_fill_select_single_value_auto(self): | |
248 html = HTML(u"""<form><p> | |
249 <select name="foo"> | |
250 <option>1</option> | |
251 <option>2</option> | |
252 <option>3</option> | |
253 </select> | |
254 </p></form>""") | HTMLFormFiller(data={'foo': '1'}) | |
255 self.assertEquals("""<form><p> | |
256 <select name="foo"> | |
257 <option selected="selected">1</option> | |
258 <option>2</option> | |
259 <option>3</option> | |
260 </select> | |
261 </p></form>""", html.render()) | |
262 | |
263 def test_fill_select_single_value_defined(self): | |
264 html = HTML(u"""<form><p> | |
265 <select name="foo"> | |
266 <option value="1">1</option> | |
267 <option value="2">2</option> | |
268 <option value="3">3</option> | |
269 </select> | |
270 </p></form>""") | HTMLFormFiller(data={'foo': '1'}) | |
271 self.assertEquals("""<form><p> | |
272 <select name="foo"> | |
273 <option value="1" selected="selected">1</option> | |
274 <option value="2">2</option> | |
275 <option value="3">3</option> | |
276 </select> | |
277 </p></form>""", html.render()) | |
278 | |
279 def test_fill_select_multi_value_auto(self): | |
280 html = HTML(u"""<form><p> | |
281 <select name="foo" multiple> | |
282 <option>1</option> | |
283 <option>2</option> | |
284 <option>3</option> | |
285 </select> | |
286 </p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']}) | |
287 self.assertEquals("""<form><p> | |
288 <select name="foo" multiple="multiple"> | |
289 <option selected="selected">1</option> | |
290 <option>2</option> | |
291 <option selected="selected">3</option> | |
292 </select> | |
293 </p></form>""", html.render()) | |
294 | |
295 def test_fill_select_multi_value_defined(self): | |
296 html = HTML(u"""<form><p> | |
297 <select name="foo" multiple> | |
298 <option value="1">1</option> | |
299 <option value="2">2</option> | |
300 <option value="3">3</option> | |
301 </select> | |
302 </p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']}) | |
303 self.assertEquals("""<form><p> | |
304 <select name="foo" multiple="multiple"> | |
305 <option value="1" selected="selected">1</option> | |
306 <option value="2">2</option> | |
307 <option value="3" selected="selected">3</option> | |
308 </select> | |
309 </p></form>""", html.render()) | |
310 | |
311 def test_fill_option_segmented_text(self): | |
312 html = MarkupTemplate(u"""<form> | |
313 <select name="foo"> | |
314 <option value="1">foo $x</option> | |
315 </select> | |
316 </form>""").generate(x=1) | HTMLFormFiller(data={'foo': '1'}) | |
317 self.assertEquals(u"""<form> | |
318 <select name="foo"> | |
319 <option value="1" selected="selected">foo 1</option> | |
320 </select> | |
321 </form>""", html.render()) | |
322 | |
323 def test_fill_option_segmented_text_no_value(self): | |
324 html = MarkupTemplate("""<form> | |
325 <select name="foo"> | |
326 <option>foo $x bar</option> | |
327 </select> | |
328 </form>""").generate(x=1) | HTMLFormFiller(data={'foo': 'foo 1 bar'}) | |
329 self.assertEquals("""<form> | |
330 <select name="foo"> | |
331 <option selected="selected">foo 1 bar</option> | |
332 </select> | |
333 </form>""", html.render()) | |
334 | |
335 def test_fill_option_unicode_value(self): | |
336 html = HTML(u"""<form> | |
337 <select name="foo"> | |
338 <option value="ö">foo</option> | |
339 </select> | |
340 </form>""") | HTMLFormFiller(data={'foo': u'ö'}) | |
341 self.assertEquals(u"""<form> | |
342 <select name="foo"> | |
343 <option value="ö" selected="selected">foo</option> | |
344 </select> | |
345 </form>""", html.render(encoding=None)) | |
346 | |
347 def test_fill_input_password_disabled(self): | |
348 html = HTML(u"""<form><p> | |
349 <input type="password" name="pass" /> | |
350 </p></form>""") | HTMLFormFiller(data={'pass': 'bar'}) | |
351 self.assertEquals("""<form><p> | |
352 <input type="password" name="pass"/> | |
353 </p></form>""", html.render()) | |
354 | |
355 def test_fill_input_password_enabled(self): | |
356 html = HTML(u"""<form><p> | |
357 <input type="password" name="pass" /> | |
358 </p></form>""") | HTMLFormFiller(data={'pass': '1234'}, passwords=True) | |
359 self.assertEquals("""<form><p> | |
360 <input type="password" name="pass" value="1234"/> | |
361 </p></form>""", html.render()) | |
362 | |
363 | |
949
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
364 def StyleSanitizer(): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
365 safe_attrs = HTMLSanitizer.SAFE_ATTRS | frozenset(['style']) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
366 return HTMLSanitizer(safe_attrs=safe_attrs) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
367 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
368 |
933 | 369 class HTMLSanitizerTestCase(unittest.TestCase): |
370 | |
963
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
371 def assert_parse_error_or_equal(self, expected, exploit): |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
372 try: |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
373 html = HTML(exploit) |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
374 except ParseError: |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
375 return |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
376 self.assertEquals(expected, (html | HTMLSanitizer()).render()) |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
377 |
933 | 378 def test_sanitize_unchanged(self): |
379 html = HTML(u'<a href="#">fo<br />o</a>') | |
380 self.assertEquals('<a href="#">fo<br/>o</a>', | |
381 (html | HTMLSanitizer()).render()) | |
382 html = HTML(u'<a href="#with:colon">foo</a>') | |
383 self.assertEquals('<a href="#with:colon">foo</a>', | |
384 (html | HTMLSanitizer()).render()) | |
385 | |
386 def test_sanitize_escape_text(self): | |
387 html = HTML(u'<a href="#">fo&</a>') | |
388 self.assertEquals('<a href="#">fo&</a>', | |
389 (html | HTMLSanitizer()).render()) | |
390 html = HTML(u'<a href="#"><foo></a>') | |
391 self.assertEquals('<a href="#"><foo></a>', | |
392 (html | HTMLSanitizer()).render()) | |
393 | |
394 def test_sanitize_entityref_text(self): | |
395 html = HTML(u'<a href="#">foö</a>') | |
396 self.assertEquals(u'<a href="#">foö</a>', | |
397 (html | HTMLSanitizer()).render(encoding=None)) | |
398 | |
399 def test_sanitize_escape_attr(self): | |
400 html = HTML(u'<div title="<foo>"></div>') | |
401 self.assertEquals('<div title="<foo>"/>', | |
402 (html | HTMLSanitizer()).render()) | |
403 | |
404 def test_sanitize_close_empty_tag(self): | |
405 html = HTML(u'<a href="#">fo<br>o</a>') | |
406 self.assertEquals('<a href="#">fo<br/>o</a>', | |
407 (html | HTMLSanitizer()).render()) | |
408 | |
409 def test_sanitize_invalid_entity(self): | |
410 html = HTML(u'&junk;') | |
411 self.assertEquals('&junk;', (html | HTMLSanitizer()).render()) | |
412 | |
413 def test_sanitize_remove_script_elem(self): | |
414 html = HTML(u'<script>alert("Foo")</script>') | |
415 self.assertEquals('', (html | HTMLSanitizer()).render()) | |
416 html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>') | |
417 self.assertEquals('', (html | HTMLSanitizer()).render()) | |
963
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
418 src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>' |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
419 self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src) |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
420 src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>' |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
421 self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
422 'SRC="http://example.com/">', src) |
933 | 423 |
424 def test_sanitize_remove_onclick_attr(self): | |
425 html = HTML(u'<div onclick=\'alert("foo")\' />') | |
426 self.assertEquals('<div/>', (html | HTMLSanitizer()).render()) | |
427 | |
428 def test_sanitize_remove_input_password(self): | |
429 html = HTML(u'<form><input type="password" /></form>') | |
430 self.assertEquals('<form/>', (html | HTMLSanitizer()).render()) | |
431 | |
432 def test_sanitize_remove_comments(self): | |
433 html = HTML(u'''<div><!-- conditional comment crap --></div>''') | |
434 self.assertEquals('<div/>', (html | HTMLSanitizer()).render()) | |
435 | |
436 def test_sanitize_remove_style_scripts(self): | |
949
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
437 sanitizer = StyleSanitizer() |
933 | 438 # Inline style with url() using javascript: scheme |
439 html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"))\'>') | |
440 self.assertEquals('<div/>', (html | sanitizer).render()) | |
441 # Inline style with url() using javascript: scheme, using control char | |
442 html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"))\'>') | |
443 self.assertEquals('<div/>', (html | sanitizer).render()) | |
444 # Inline style with url() using javascript: scheme, in quotes | |
445 html = HTML(u'<DIV STYLE=\'background: url("javascript:alert(foo)")\'>') | |
446 self.assertEquals('<div/>', (html | sanitizer).render()) | |
447 # IE expressions in CSS not allowed | |
448 html = HTML(u'<DIV STYLE=\'width: expression(alert("foo"));\'>') | |
449 self.assertEquals('<div/>', (html | sanitizer).render()) | |
450 html = HTML(u'<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>') | |
451 self.assertEquals('<div/>', (html | sanitizer).render()) | |
452 html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"));' | |
453 'color: #fff\'>') | |
454 self.assertEquals('<div style="color: #fff"/>', | |
455 (html | sanitizer).render()) | |
456 # Inline style with url() using javascript: scheme, using unicode | |
457 # escapes | |
458 html = HTML(u'<DIV STYLE=\'background: \\75rl(javascript:alert("foo"))\'>') | |
459 self.assertEquals('<div/>', (html | sanitizer).render()) | |
460 html = HTML(u'<DIV STYLE=\'background: \\000075rl(javascript:alert("foo"))\'>') | |
461 self.assertEquals('<div/>', (html | sanitizer).render()) | |
462 html = HTML(u'<DIV STYLE=\'background: \\75 rl(javascript:alert("foo"))\'>') | |
463 self.assertEquals('<div/>', (html | sanitizer).render()) | |
464 html = HTML(u'<DIV STYLE=\'background: \\000075 rl(javascript:alert("foo"))\'>') | |
465 self.assertEquals('<div/>', (html | sanitizer).render()) | |
466 html = HTML(u'<DIV STYLE=\'background: \\000075\r\nrl(javascript:alert("foo"))\'>') | |
467 self.assertEquals('<div/>', (html | sanitizer).render()) | |
468 | |
469 def test_sanitize_remove_style_phishing(self): | |
949
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
470 sanitizer = StyleSanitizer() |
933 | 471 # The position property is not allowed |
472 html = HTML(u'<div style="position:absolute;top:0"></div>') | |
473 self.assertEquals('<div style="top:0"/>', (html | sanitizer).render()) | |
474 # Normal margins get passed through | |
475 html = HTML(u'<div style="margin:10px 20px"></div>') | |
476 self.assertEquals('<div style="margin:10px 20px"/>', | |
477 (html | sanitizer).render()) | |
478 # But not negative margins | |
479 html = HTML(u'<div style="margin:-1000px 0 0"></div>') | |
480 self.assertEquals('<div/>', (html | sanitizer).render()) | |
481 html = HTML(u'<div style="margin-left:-2000px 0 0"></div>') | |
482 self.assertEquals('<div/>', (html | sanitizer).render()) | |
483 html = HTML(u'<div style="margin-left:1em 1em 1em -4000px"></div>') | |
484 self.assertEquals('<div/>', (html | sanitizer).render()) | |
485 | |
486 def test_sanitize_remove_src_javascript(self): | |
487 html = HTML(u'<img src=\'javascript:alert("foo")\'>') | |
488 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
489 # Case-insensitive protocol matching | |
490 html = HTML(u'<IMG SRC=\'JaVaScRiPt:alert("foo")\'>') | |
491 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
492 # Grave accents (not parsed) | |
963
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
493 src = u'<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>' |
99d4c481e4eb
Fix HTMLSanitizer tests for Python 2.7 (fixes #501).
hodgestar
parents:
949
diff
changeset
|
494 self.assert_parse_error_or_equal('<img/>', src) |
933 | 495 # Protocol encoded using UTF-8 numeric entities |
496 html = HTML(u'<IMG SRC=\'javascri' | |
497 'pt:alert("foo")\'>') | |
498 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
499 # Protocol encoded using UTF-8 numeric entities without a semicolon | |
500 # (which is allowed because the max number of digits is used) | |
501 html = HTML(u'<IMG SRC=\'java' | |
502 'script' | |
503 ':alert("foo")\'>') | |
504 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
505 # Protocol encoded using UTF-8 numeric hex entities without a semicolon | |
506 # (which is allowed because the max number of digits is used) | |
507 html = HTML(u'<IMG SRC=\'javascri' | |
508 'pt:alert("foo")\'>') | |
509 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
510 # Embedded tab character in protocol | |
511 html = HTML(u'<IMG SRC=\'jav\tascript:alert("foo");\'>') | |
512 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
513 # Embedded tab character in protocol, but encoded this time | |
514 html = HTML(u'<IMG SRC=\'jav	ascript:alert("foo");\'>') | |
515 self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) | |
516 | |
949
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
517 def test_sanitize_expression(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
518 html = HTML(ur'<div style="top:expression(alert())">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
519 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
520 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
521 def test_capital_expression(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
522 html = HTML(ur'<div style="top:EXPRESSION(alert())">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
523 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
524 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
525 def test_sanitize_url_with_javascript(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
526 html = HTML(u'<div style="background-image:url(javascript:alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
527 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
528 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
529 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
530 def test_sanitize_capital_url_with_javascript(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
531 html = HTML(u'<div style="background-image:URL(javascript:alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
532 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
533 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
534 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
535 def test_sanitize_unicode_escapes(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
536 html = HTML(ur'<div style="top:exp\72 ess\000069 on(alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
537 ur'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
538 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
539 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
540 def test_sanitize_backslash_without_hex(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
541 html = HTML(ur'<div style="top:e\xp\ression(alert())">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
542 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
543 html = HTML(ur'<div style="top:e\\xp\\ression(alert())">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
544 self.assertEqual(r'<div style="top:e\\xp\\ression(alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
545 'XSS</div>', |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
546 unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
547 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
548 def test_sanitize_unsafe_props(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
549 html = HTML(u'<div style="POSITION:RELATIVE">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
550 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
551 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
552 html = HTML(u'<div style="behavior:url(test.htc)">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
553 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
554 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
555 html = HTML(u'<div style="-ms-behavior:url(test.htc) url(#obj)">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
556 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
557 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
558 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
559 html = HTML(u"""<div style="-o-link:'javascript:alert(1)';""" |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
560 u"""-o-link-source:current">XSS</div>""") |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
561 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
562 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
563 html = HTML(u"""<div style="-moz-binding:url(xss.xbl)">XSS</div>""") |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
564 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
565 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
566 def test_sanitize_negative_margin(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
567 html = HTML(u'<div style="margin-top:-9999px">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
568 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
569 html = HTML(u'<div style="margin:0 -9999px">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
570 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
571 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
572 def test_sanitize_css_hack(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
573 html = HTML(u'<div style="*position:static">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
574 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
575 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
576 html = HTML(u'<div style="_margin:-10px">XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
577 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
578 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
579 def test_sanitize_property_name(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
580 html = HTML(u'<div style="display:none;border-left-color:red;' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
581 u'user_defined:1;-moz-user-selct:-moz-all">prop</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
582 self.assertEqual('<div style="display:none; border-left-color:red' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
583 '">prop</div>', |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
584 unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
585 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
586 def test_sanitize_unicode_expression(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
587 # Fullwidth small letters |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
588 html = HTML(u'<div style="top:expression(alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
589 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
590 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
591 # Fullwidth capital letters |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
592 html = HTML(u'<div style="top:EXPRESSION(alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
593 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
594 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
595 # IPA extensions |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
596 html = HTML(u'<div style="top:expʀessɪoɴ(alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
597 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
598 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
599 |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
600 def test_sanitize_unicode_url(self): |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
601 # IPA extensions |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
602 html = HTML(u'<div style="background-image:uʀʟ(javascript:alert())">' |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
603 u'XSS</div>') |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
604 self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) |
8bc6f32fdd45
Improve sanitizing of CSS in style attributes (note that the Genshi documentation already warns users that enabling the style attribute is dangerous -- now it is slightly less dangerous). Fixes #455. Patch taken from jomae's Trac commit trac:r10788 and modified for Genshi -- thanks!
hodgestar
parents:
933
diff
changeset
|
605 |
933 | 606 |
607 def suite(): | |
608 suite = unittest.TestSuite() | |
609 suite.addTest(doctest.DocTestSuite(HTMLFormFiller.__module__)) | |
610 suite.addTest(unittest.makeSuite(HTMLFormFillerTestCase, 'test')) | |
611 suite.addTest(unittest.makeSuite(HTMLSanitizerTestCase, 'test')) | |
612 return suite | |
613 | |
614 | |
615 if __name__ == '__main__': | |
616 unittest.main(defaultTest='suite') |