annotate genshi/filters/tests/test_html.py @ 1020:6c1d10d2fc52 trunk

Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).
author hodgestar
date Sun, 16 Feb 2014 18:25:17 +0000
parents 99d4c481e4eb
children
1 # -*- coding: utf-8 -*-
2 #
3 # Copyright (C) 2006-2009 Edgewall Software
4 # All rights reserved.
5 #
6 # This software is licensed as described in the file COPYING, which
7 # you should have received as part of this distribution. The terms
8 # are also available at http://genshi.edgewall.org/wiki/License.
9 #
10 # This software consists of voluntary contributions made by many
11 # individuals. For the exact contribution history, see the revision
12 # history and logs, available at http://genshi.edgewall.org/log/.
13
14 import doctest
15 import unittest
16
17 from genshi.input import HTML, ParseError
18 from genshi.filters.html import HTMLFormFiller, HTMLSanitizer
19 from genshi.template import MarkupTemplate
20
21 class HTMLFormFillerTestCase(unittest.TestCase):
22
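def test_fill_input_text_no_value(self):
    """A text input gets no value attribute when the filler holds no data for it."""
    html = HTML(u"""<form><p>
<input type="text" name="foo" />
</p></form>""") | HTMLFormFiller()
    # assertEqual rather than the deprecated alias assertEquals (removed in 3.12).
    self.assertEqual("""<form><p>
<input type="text" name="foo"/>
</p></form>""", html.render())
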
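def test_fill_input_text_single_value(self):
    """A string in the data dict becomes the text input's value attribute.

    The value is plain ASCII, so escaping of attribute-special characters
    (quotes, ``<``, ``&``) is not exercised by this test.
    """
    html = HTML(u"""<form><p>
<input type="text" name="foo" />
</p></form>""") | HTMLFormFiller(data={'foo': 'bar'})
    self.assertEqual("""<form><p>
<input type="text" name="foo" value="bar"/>
</p></form>""", html.render())
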
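def test_fill_input_text_multi_value(self):
    """A one-element list is unwrapped into the text input's value attribute."""
    html = HTML(u"""<form><p>
<input type="text" name="foo" />
</p></form>""") | HTMLFormFiller(data={'foo': ['bar']})
    self.assertEqual("""<form><p>
<input type="text" name="foo" value="bar"/>
</p></form>""", html.render())
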
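def test_fill_input_hidden_no_value(self):
    """A hidden input gets no value attribute when the filler holds no data."""
    html = HTML(u"""<form><p>
<input type="hidden" name="foo" />
</p></form>""") | HTMLFormFiller()
    self.assertEqual("""<form><p>
<input type="hidden" name="foo"/>
</p></form>""", html.render())
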
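def test_fill_input_hidden_single_value(self):
    """A string value is written into a hidden input's value attribute."""
    html = HTML(u"""<form><p>
<input type="hidden" name="foo" />
</p></form>""") | HTMLFormFiller(data={'foo': 'bar'})
    self.assertEqual("""<form><p>
<input type="hidden" name="foo" value="bar"/>
</p></form>""", html.render())
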
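def test_fill_input_hidden_multi_value(self):
    """A one-element list is unwrapped into a hidden input's value attribute."""
    html = HTML(u"""<form><p>
<input type="hidden" name="foo" />
</p></form>""") | HTMLFormFiller(data={'foo': ['bar']})
    self.assertEqual("""<form><p>
<input type="hidden" name="foo" value="bar"/>
</p></form>""", html.render())
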
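def test_fill_textarea_no_value(self):
    """An empty textarea with no data stays empty (serialized as a self-closed tag)."""
    html = HTML(u"""<form><p>
<textarea name="foo"></textarea>
</p></form>""") | HTMLFormFiller()
    self.assertEqual("""<form><p>
<textarea name="foo"/>
</p></form>""", html.render())
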
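def test_fill_textarea_single_value(self):
    """A string value becomes the textarea's text content.

    The value is plain ASCII; escaping of ``<`` or ``&`` inside the
    textarea is not covered by this test.
    """
    html = HTML(u"""<form><p>
<textarea name="foo"></textarea>
</p></form>""") | HTMLFormFiller(data={'foo': 'bar'})
    self.assertEqual("""<form><p>
<textarea name="foo">bar</textarea>
</p></form>""", html.render())
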
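def test_fill_textarea_multi_value(self):
    """A one-element list is unwrapped into the textarea's text content."""
    html = HTML(u"""<form><p>
<textarea name="foo"></textarea>
</p></form>""") | HTMLFormFiller(data={'foo': ['bar']})
    self.assertEqual("""<form><p>
<textarea name="foo">bar</textarea>
</p></form>""", html.render())
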
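def test_fill_textarea_multiple(self):
    """Filling one textarea must not leak its data into a following textarea.

    Only ``foo`` has data; ``bar`` must come out empty.
    """
    html = HTML(u"""<form><p>
<textarea name="foo"></textarea>
<textarea name="bar"></textarea>
</p></form>""") | HTMLFormFiller(data={'foo': 'Some text'})
    self.assertEqual("""<form><p>
<textarea name="foo">Some text</textarea>
<textarea name="bar"/>
</p></form>""", html.render())
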
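def test_fill_textarea_preserve_original(self):
    """A textarea with no data keeps its original text content untouched."""
    html = HTML(u"""<form><p>
<textarea name="foo"></textarea>
<textarea name="bar">Original value</textarea>
</p></form>""") | HTMLFormFiller(data={'foo': 'Some text'})
    self.assertEqual("""<form><p>
<textarea name="foo">Some text</textarea>
<textarea name="bar">Original value</textarea>
</p></form>""", html.render())
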
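def test_fill_input_checkbox_single_value_auto_no_value(self):
    """A checkbox without a value attribute is left unchecked when there is no data."""
    html = HTML(u"""<form><p>
<input type="checkbox" name="foo" />
</p></form>""") | HTMLFormFiller()
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo"/>
</p></form>""", html.render())
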
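def test_fill_input_checkbox_single_value_auto(self):
    """A value-less checkbox is checked for data ``'on'`` and left alone for ``''``."""
    html = HTML(u"""<form><p>
<input type="checkbox" name="foo" />
</p></form>""")
    # Empty string: no checked attribute is added.
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ''})).render())
    # 'on' is the browser default for a checkbox without an explicit value.
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': 'on'})).render())
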
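def test_fill_input_checkbox_single_value_defined(self):
    """A checkbox with an explicit value is checked only when the data equals it."""
    html = HTML("""<form><p>
<input type="checkbox" name="foo" value="1" />
</p></form>""", encoding='ascii')
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo" value="1" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': '1'})).render())
    # A non-matching value leaves the checkbox unchecked.
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo" value="1"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': '2'})).render())
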
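def test_fill_input_checkbox_multi_value_auto(self):
    """A value-less checkbox is checked when the data list contains ``'on'``."""
    html = HTML("""<form><p>
<input type="checkbox" name="foo" />
</p></form>""", encoding='ascii')
    # An empty list adds nothing.
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': []})).render())
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ['on']})).render())
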
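def test_fill_input_checkbox_multi_value_defined(self):
    """A checkbox with an explicit value is checked only if that value is in the list."""
    html = HTML(u"""<form><p>
<input type="checkbox" name="foo" value="1" />
</p></form>""")
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo" value="1" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ['1']})).render())
    # A list without the checkbox's value leaves it unchecked.
    self.assertEqual("""<form><p>
<input type="checkbox" name="foo" value="1"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ['2']})).render())
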
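def test_fill_input_radio_no_value(self):
    """A radio button is left untouched when the filler holds no data."""
    html = HTML(u"""<form><p>
<input type="radio" name="foo" />
</p></form>""") | HTMLFormFiller()
    self.assertEqual("""<form><p>
<input type="radio" name="foo"/>
</p></form>""", html.render())
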
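def test_fill_input_radio_single_value(self):
    """A radio button is checked only when the string data equals its value."""
    html = HTML(u"""<form><p>
<input type="radio" name="foo" value="1" />
</p></form>""")
    self.assertEqual("""<form><p>
<input type="radio" name="foo" value="1" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': '1'})).render())
    # A non-matching value leaves the radio unchecked.
    self.assertEqual("""<form><p>
<input type="radio" name="foo" value="1"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': '2'})).render())
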
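def test_fill_input_radio_multi_value(self):
    """A radio button is checked only when its value appears in the data list."""
    html = HTML(u"""<form><p>
<input type="radio" name="foo" value="1" />
</p></form>""")
    self.assertEqual("""<form><p>
<input type="radio" name="foo" value="1" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ['1']})).render())
    self.assertEqual("""<form><p>
<input type="radio" name="foo" value="1"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ['2']})).render())
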
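def test_fill_input_radio_empty_string(self):
    """An empty-string value is a real value: it matches a radio with ``value=""``.

    Guards against treating ``''`` as "no data" and skipping the match.
    """
    html = HTML(u"""<form><p>
<input type="radio" name="foo" value="" />
</p></form>""")
    self.assertEqual("""<form><p>
<input type="radio" name="foo" value="" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ''})).render())
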
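def test_fill_input_radio_multi_empty_string(self):
    """A list holding an empty string still matches a radio with ``value=""``."""
    html = HTML(u"""<form><p>
<input type="radio" name="foo" value="" />
</p></form>""")
    self.assertEqual("""<form><p>
<input type="radio" name="foo" value="" checked="checked"/>
</p></form>""", (html | HTMLFormFiller(data={'foo': ['']})).render())
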
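def test_fill_select_no_value_auto(self):
    """A select whose options carry no value attribute is unchanged without data."""
    html = HTML(u"""<form><p>
<select name="foo">
<option>1</option>
<option>2</option>
<option>3</option>
</select>
</p></form>""") | HTMLFormFiller()
    self.assertEqual("""<form><p>
<select name="foo">
<option>1</option>
<option>2</option>
<option>3</option>
</select>
</p></form>""", html.render())
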
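def test_fill_select_no_value_defined(self):
    """A select whose options carry explicit values is unchanged without data."""
    html = HTML(u"""<form><p>
<select name="foo">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p></form>""") | HTMLFormFiller()
    self.assertEqual("""<form><p>
<select name="foo">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p></form>""", html.render())
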
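def test_fill_select_single_value_auto(self):
    """Without value attributes, the option whose text equals the data is selected."""
    html = HTML(u"""<form><p>
<select name="foo">
<option>1</option>
<option>2</option>
<option>3</option>
</select>
</p></form>""") | HTMLFormFiller(data={'foo': '1'})
    self.assertEqual("""<form><p>
<select name="foo">
<option selected="selected">1</option>
<option>2</option>
<option>3</option>
</select>
</p></form>""", html.render())
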
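def test_fill_select_single_value_defined(self):
    """The option whose value attribute equals the string data is selected."""
    html = HTML(u"""<form><p>
<select name="foo">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p></form>""") | HTMLFormFiller(data={'foo': '1'})
    self.assertEqual("""<form><p>
<select name="foo">
<option value="1" selected="selected">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p></form>""", html.render())
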
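def test_fill_select_multi_value_auto(self):
    """Every option whose text is in the data list is selected on a multi-select.

    The bare ``multiple`` attribute is serialized as ``multiple="multiple"``.
    """
    html = HTML(u"""<form><p>
<select name="foo" multiple>
<option>1</option>
<option>2</option>
<option>3</option>
</select>
</p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']})
    self.assertEqual("""<form><p>
<select name="foo" multiple="multiple">
<option selected="selected">1</option>
<option>2</option>
<option selected="selected">3</option>
</select>
</p></form>""", html.render())
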
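def test_fill_select_multi_value_defined(self):
    """A multi-select whose options carry explicit ``value`` attributes
    gets ``selected`` on exactly the options whose value is listed in the
    submitted data; the bare ``multiple`` flag is rendered in expanded
    ``multiple="multiple"`` form."""
    html = HTML(u"""<form><p>
<select name="foo" multiple>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']})
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual("""<form><p>
<select name="foo" multiple="multiple">
<option value="1" selected="selected">1</option>
<option value="2">2</option>
<option value="3" selected="selected">3</option>
</select>
</p></form>""", html.render())
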
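def test_fill_option_segmented_text(self):
    """An option whose text is assembled from several template segments
    (literal text plus a ``$x`` expression) is still selected by its
    ``value`` attribute."""
    html = MarkupTemplate(u"""<form>
<select name="foo">
<option value="1">foo $x</option>
</select>
</form>""").generate(x=1) | HTMLFormFiller(data={'foo': '1'})
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual(u"""<form>
<select name="foo">
<option value="1" selected="selected">foo 1</option>
</select>
</form>""", html.render())
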
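def test_fill_option_segmented_text_no_value(self):
    """Without a ``value`` attribute the option is matched on its fully
    rendered text, even when that text comes from several template
    segments around a ``$x`` expression."""
    html = MarkupTemplate("""<form>
<select name="foo">
<option>foo $x bar</option>
</select>
</form>""").generate(x=1) | HTMLFormFiller(data={'foo': 'foo 1 bar'})
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual("""<form>
<select name="foo">
<option selected="selected">foo 1 bar</option>
</select>
</form>""", html.render())
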
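def test_fill_option_unicode_value(self):
    """An option value written as an entity reference (``&ouml;``) is
    compared against its decoded character, so the unicode data value
    matches; ``encoding=None`` keeps the rendered output as unicode so
    the expected string can be compared directly."""
    html = HTML(u"""<form>
<select name="foo">
<option value="&ouml;">foo</option>
</select>
</form>""") | HTMLFormFiller(data={'foo': u'ö'})
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual(u"""<form>
<select name="foo">
<option value="ö" selected="selected">foo</option>
</select>
</form>""", html.render(encoding=None))
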
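def test_fill_input_password_disabled(self):
    """By default the filler leaves a ``type="password"`` input without a
    ``value`` even though the data carries one, so the secret is not
    echoed back into the rendered page.  Compare
    test_fill_input_password_enabled, which opts in explicitly."""
    html = HTML(u"""<form><p>
<input type="password" name="pass" />
</p></form>""") | HTMLFormFiller(data={'pass': 'bar'})
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual("""<form><p>
<input type="password" name="pass"/>
</p></form>""", html.render())
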
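def test_fill_input_password_enabled(self):
    """Only with ``passwords=True`` does the filler write the data value
    into a ``type="password"`` input; re-populating password fields is an
    explicit opt-in, never the default."""
    html = HTML(u"""<form><p>
<input type="password" name="pass" />
</p></form>""") | HTMLFormFiller(data={'pass': '1234'}, passwords=True)
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual("""<form><p>
<input type="password" name="pass" value="1234"/>
</p></form>""", html.render())

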
def StyleSanitizer():
    """Build an HTMLSanitizer that additionally lets the ``style``
    attribute through.

    ``style`` is not part of ``HTMLSanitizer.SAFE_ATTRS``; the tests that
    use this helper exercise the CSS checks the sanitizer applies once the
    attribute is explicitly allowed (see the phishing and url() cases).
    """
    with_style = HTMLSanitizer.SAFE_ATTRS.union(['style'])
    return HTMLSanitizer(safe_attrs=with_style)


369 class HTMLSanitizerTestCase(unittest.TestCase):
370
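def assert_parse_error_or_equal(self, expected, exploit,
                                allow_strip=False):
    """Assert that the malformed markup *exploit* is neutralised.

    HTML parsers differ between Python versions in how they read broken
    tags, so three outcomes are accepted as safe:

    * the parser rejects the input outright (``ParseError``);
    * with ``allow_strip=True``, the sanitizer removes everything and the
      rendered result is empty (e.g. when the parser reads the input as a
      tag with an odd name that the sanitizer then drops);
    * otherwise the sanitized, rendered output must equal *expected*
      exactly -- typically the markup re-escaped as plain text.

    Any other output (in particular a non-empty result that differs from
    *expected*) fails the test.
    """
    try:
        html = HTML(exploit)
    except ParseError:
        return
    sanitized_html = (html | HTMLSanitizer()).render()
    if not sanitized_html and allow_strip:
        return
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual(expected, sanitized_html)
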
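def test_sanitize_unchanged(self):
    """Benign markup passes through: a fragment anchor with a ``<br>``,
    and an ``href`` whose fragment contains a colon, which must not be
    mistaken for a URL scheme and stripped."""
    html = HTML(u'<a href="#">fo<br />o</a>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<a href="#">fo<br/>o</a>',
                     (html | HTMLSanitizer()).render())
    html = HTML(u'<a href="#with:colon">foo</a>')
    self.assertEqual('<a href="#with:colon">foo</a>',
                     (html | HTMLSanitizer()).render())
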
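def test_sanitize_escape_text(self):
    """Already-escaped text content (``&amp;``, ``&lt;foo&gt;``) stays
    escaped in the output; sanitizing must not decode it into markup."""
    html = HTML(u'<a href="#">fo&amp;</a>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<a href="#">fo&amp;</a>',
                     (html | HTMLSanitizer()).render())
    html = HTML(u'<a href="#">&lt;foo&gt;</a>')
    self.assertEqual('<a href="#">&lt;foo&gt;</a>',
                     (html | HTMLSanitizer()).render())
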
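def test_sanitize_entityref_text(self):
    """A named entity in text (``&ouml;``) is resolved to its character
    when rendering as unicode (``encoding=None``)."""
    html = HTML(u'<a href="#">fo&ouml;</a>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual(u'<a href="#">foö</a>',
                     (html | HTMLSanitizer()).render(encoding=None))
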
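def test_sanitize_escape_attr(self):
    """Escaped angle brackets inside an attribute value stay escaped in
    the output (an empty ``div`` is rendered self-closed)."""
    html = HTML(u'<div title="&lt;foo&gt;"></div>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<div title="&lt;foo&gt;"/>',
                     (html | HTMLSanitizer()).render())
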
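def test_sanitize_close_empty_tag(self):
    """An unclosed empty element (``<br>``) is rendered self-closed after
    sanitizing, so the output is well-formed."""
    html = HTML(u'<a href="#">fo<br>o</a>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<a href="#">fo<br/>o</a>',
                     (html | HTMLSanitizer()).render())
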
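def test_sanitize_invalid_entity(self):
    """An unknown entity reference is not emitted verbatim: its ampersand
    is escaped so the output stays well-formed."""
    html = HTML(u'&junk;')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('&amp;junk;', (html | HTMLSanitizer()).render())
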
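def test_sanitize_remove_script_elem(self):
    """``<script>`` elements are removed whole, content included, whatever
    the tag case.  The last two inputs are malformed variants (an embedded
    NUL, a stray entity in the tag name) whose parsing differs across
    Python versions; each must be rejected by the parser, rendered as
    escaped text, or stripped entirely -- see assert_parse_error_or_equal."""
    html = HTML(u'<script>alert("Foo")</script>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('', (html | HTMLSanitizer()).render())
    html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
    self.assertEqual('', (html | HTMLSanitizer()).render())
    src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
    self.assert_parse_error_or_equal('&lt;SCR\x00IPT&gt;alert("foo")', src,
                                     allow_strip=True)
    src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
    self.assert_parse_error_or_equal('&lt;SCRIPT&amp;XYZ; '
                                     'SRC="http://example.com/"&gt;', src,
                                     allow_strip=True)
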
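def test_sanitize_remove_onclick_attr(self):
    """Event-handler attributes such as ``onclick`` are dropped while the
    element itself is kept."""
    html = HTML(u'<div onclick=\'alert("foo")\' />')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<div/>', (html | HTMLSanitizer()).render())
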
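def test_sanitize_remove_input_password(self):
    """A password input is removed entirely from the form, not merely
    stripped of attributes."""
    html = HTML(u'<form><input type="password" /></form>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<form/>', (html | HTMLSanitizer()).render())
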
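def test_sanitize_remove_comments(self):
    """Comments are dropped from the output; the sample is a conditional
    comment of the kind some browsers interpret."""
    html = HTML(u'''<div><!-- conditional comment crap --></div>''')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<div/>', (html | HTMLSanitizer()).render())
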
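def test_sanitize_remove_style_scripts(self):
    """With ``style`` allowed (StyleSanitizer), CSS that could run script
    is removed: ``url(javascript:...)`` in several obfuscated spellings
    (control character, quoting, CSS unicode escapes for ``u``, a CR/LF
    after the escape) and IE ``expression()`` including the ``e/**/x``
    comment-split form.  A harmless declaration next to a rejected one
    survives on its own."""
    sanitizer = StyleSanitizer()
    # Inline style with url() using javascript: scheme
    html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"))\'>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<div/>', (html | sanitizer).render())
    # Inline style with url() using javascript: scheme, using control char
    html = HTML(u'<DIV STYLE=\'background: url(&#1;javascript:alert("foo"))\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    # Inline style with url() using javascript: scheme, in quotes
    html = HTML(u'<DIV STYLE=\'background: url("javascript:alert(foo)")\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    # IE expressions in CSS not allowed
    html = HTML(u'<DIV STYLE=\'width: expression(alert("foo"));\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    # Only the offending declaration is dropped; the safe one is kept
    html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"));'
                'color: #fff\'>')
    self.assertEqual('<div style="color: #fff"/>',
                     (html | sanitizer).render())
    # Inline style with url() using javascript: scheme, using unicode
    # escapes
    html = HTML(u'<DIV STYLE=\'background: \\75rl(javascript:alert("foo"))\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<DIV STYLE=\'background: \\000075rl(javascript:alert("foo"))\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<DIV STYLE=\'background: \\75 rl(javascript:alert("foo"))\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<DIV STYLE=\'background: \\000075 rl(javascript:alert("foo"))\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<DIV STYLE=\'background: \\000075\r\nrl(javascript:alert("foo"))\'>')
    self.assertEqual('<div/>', (html | sanitizer).render())
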
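def test_sanitize_remove_style_phishing(self):
    """With ``style`` allowed, declarations that the test name associates
    with phishing overlays are rejected: ``position`` is removed while the
    remaining declaration survives, ordinary margins pass through, and a
    negative margin causes the whole style attribute to be dropped."""
    sanitizer = StyleSanitizer()
    # The position property is not allowed
    html = HTML(u'<div style="position:absolute;top:0"></div>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<div style="top:0"/>', (html | sanitizer).render())
    # Normal margins get passed through
    html = HTML(u'<div style="margin:10px 20px"></div>')
    self.assertEqual('<div style="margin:10px 20px"/>',
                     (html | sanitizer).render())
    # But not negative margins
    html = HTML(u'<div style="margin:-1000px 0 0"></div>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<div style="margin-left:-2000px 0 0"></div>')
    self.assertEqual('<div/>', (html | sanitizer).render())
    html = HTML(u'<div style="margin-left:1em 1em 1em -4000px"></div>')
    self.assertEqual('<div/>', (html | sanitizer).render())
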
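def test_sanitize_remove_src_javascript(self):
    """A ``javascript:`` scheme in ``src`` is removed however it is
    spelled: mixed case, grave-accent quoting (which the parser may
    reject instead), decimal or hex numeric entities with and without the
    terminating semicolon, and a literal or entity-encoded tab inside the
    scheme name.  In every accepted case the attribute is dropped and a
    bare ``<img/>`` remains."""
    html = HTML(u'<img src=\'javascript:alert("foo")\'>')
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12)
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
    # Case-insensitive protocol matching
    html = HTML(u'<IMG SRC=\'JaVaScRiPt:alert("foo")\'>')
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
    # Grave accents (not parsed)
    src = u'<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>'
    self.assert_parse_error_or_equal('<img/>', src)
    # Protocol encoded using UTF-8 numeric entities
    html = HTML(u'<IMG SRC=\'&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;'
                '&#112;&#116;&#58;alert("foo")\'>')
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
    # Protocol encoded using UTF-8 numeric entities without a semicolon
    # (which is allowed because the max number of digits is used)
    html = HTML(u'<IMG SRC=\'&#0000106&#0000097&#0000118&#0000097'
                '&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116'
                '&#0000058alert("foo")\'>')
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
    # Protocol encoded using UTF-8 numeric hex entities without a semicolon
    # (which is allowed because the max number of digits is used)
    html = HTML(u'<IMG SRC=\'&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69'
                '&#x70&#x74&#x3A;alert("foo")\'>')
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
    # Embedded tab character in protocol
    html = HTML(u'<IMG SRC=\'jav\tascript:alert("foo");\'>')
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
    # Embedded tab character in protocol, but encoded this time
    html = HTML(u'<IMG SRC=\'jav&#x09;ascript:alert("foo");\'>')
    self.assertEqual('<img/>', (html | HTMLSanitizer()).render())
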
def test_sanitize_expression(self):
    """An IE ``expression()`` in an allowed style attribute causes the
    attribute to be dropped; the element text is kept."""
    fragment = HTML(u'<div style="top:expression(alert())">XSS</div>')
    cleaned = unicode(fragment | StyleSanitizer())
    self.assertEqual('<div>XSS</div>', cleaned)

def test_capital_expression(self):
    """The ``expression()`` check is case-insensitive: an upper-case
    spelling is rejected just like the lower-case one."""
    fragment = HTML(u'<div style="top:EXPRESSION(alert())">XSS</div>')
    cleaned = unicode(fragment | StyleSanitizer())
    self.assertEqual('<div>XSS</div>', cleaned)

def test_sanitize_url_with_javascript(self):
    """A ``javascript:`` URL inside ``url()`` strips the whole ``style``.

    ``background-image`` itself is harmless; it is the script scheme in
    the URL that must be rejected, and the expected output carries no
    ``style`` attribute at all.  NOTE(review): none of the cases visible
    here cover obfuscation inside ``url()`` (leading whitespace, quoted
    URLs, ``jav&#x09;ascript:`` entities) -- worth confirming those are
    handled as well.
    """
    markup = HTML(u'<div style="background-image:url(javascript:alert())">'
                  u'XSS</div>')
    sanitized = unicode(markup | StyleSanitizer())
    self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_capital_url_with_javascript(self):
    """``URL(`` in upper case is treated exactly like ``url(``.

    CSS function names are case-insensitive, so a sanitizer matching
    only the lower-case spelling would be trivially bypassed; the
    ``style`` attribute is expected to be removed.
    """
    markup = HTML(u'<div style="background-image:URL(javascript:alert())">'
                  u'XSS</div>')
    sanitized = unicode(markup | StyleSanitizer())
    self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_unicode_escapes(self):
    r"""CSS hex escapes that spell out ``expression`` are seen through.

    ``\72`` decodes to ``r`` and ``\000069`` to ``i`` (CSS allows up to
    six hex digits, optionally followed by one space), so a browser would
    read ``expression(alert())``.  The ``style`` attribute is expected to
    be dropped.  NOTE(review): comment splitting (``exp/**/ression``) is
    not covered by the cases visible here -- confirm the sanitizer
    handles it.
    """
    markup = HTML(ur'<div style="top:exp\72 ess\000069 on(alert())">'
                  ur'XSS</div>')
    sanitized = unicode(markup | StyleSanitizer())
    self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_backslash_without_hex(self):
    r"""A backslash before a non-hex character still acts as a CSS escape.

    ``e\xp\ression`` decodes to ``expression`` (``\x`` is just ``x``,
    ``\r`` just ``r``), so the first markup is expected to lose its
    ``style`` attribute.  In the second markup every backslash is itself
    escaped (``\\``), so the decoded value contains literal backslashes
    and never spells ``expression``; it is expected to pass through
    unchanged.
    """
    dangerous = HTML(ur'<div style="top:e\xp\ression(alert())">XSS</div>')
    self.assertEqual('<div>XSS</div>',
                     unicode(dangerous | StyleSanitizer()))

    harmless = HTML(ur'<div style="top:e\\xp\\ression(alert())">XSS</div>')
    untouched = (r'<div style="top:e\\xp\\ression(alert())">'
                 'XSS</div>')
    self.assertEqual(untouched, unicode(harmless | StyleSanitizer()))
def test_sanitize_unsafe_props(self):
    """Properties that can load code or reposition content are removed.

    Covers an upper-case ``POSITION``, IE's ``behavior`` and
    ``-ms-behavior`` (HTC components), Opera's ``-o-link`` with a
    ``javascript:`` target and Firefox's ``-moz-binding`` (XBL).  Each
    declaration on its own is expected to cost the element its whole
    ``style`` attribute.
    """
    unsafe = [
        u'<div style="POSITION:RELATIVE">XSS</div>',
        u'<div style="behavior:url(test.htc)">XSS</div>',
        u'<div style="-ms-behavior:url(test.htc) url(#obj)">'
        u'XSS</div>',
        u"""<div style="-o-link:'javascript:alert(1)';"""
        u"""-o-link-source:current">XSS</div>""",
        u"""<div style="-moz-binding:url(xss.xbl)">XSS</div>""",
    ]
    for markup in unsafe:
        sanitized = unicode(HTML(markup) | StyleSanitizer())
        self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_negative_margin(self):
    """Large negative margins are rejected.

    A negative margin can drag an element out of its box and over other
    page content (overlay / click-hijacking style tricks), so both the
    ``margin-top`` longhand and the ``margin`` shorthand are expected to
    be dropped.  NOTE(review): these two cases do not pin down whether
    every negative margin is rejected or only ones beyond a threshold.
    """
    for markup in (u'<div style="margin-top:-9999px">XSS</div>',
                   u'<div style="margin:0 -9999px">XSS</div>'):
        sanitized = unicode(HTML(markup) | StyleSanitizer())
        self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_css_hack(self):
    """Property names carrying IE hack prefixes (``*``, ``_``) are removed.

    Old IE versions honour ``*position`` / ``_margin`` as the plain
    property, which would smuggle in declarations the sanitizer blocks
    under their real names; both are expected to be stripped along with
    the ``style`` attribute.
    """
    hacked = [
        u'<div style="*position:static">XSS</div>',
        u'<div style="_margin:-10px">XSS</div>',
    ]
    for markup in hacked:
        sanitized = unicode(HTML(markup) | StyleSanitizer())
        self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_property_name(self):
    """Unrecognised property names are dropped while known ones are kept.

    ``display`` and ``border-left-color`` survive (re-serialised with
    ``"; "`` between declarations), whereas ``user_defined`` and
    ``-moz-user-selct`` are removed from the output.
    """
    markup = HTML(u'<div style="display:none;border-left-color:red;'
                  u'user_defined:1;-moz-user-selct:-moz-all">prop</div>')
    expected = ('<div style="display:none; border-left-color:red'
                '">prop</div>')
    self.assertEqual(expected, unicode(markup | StyleSanitizer()))
def test_sanitize_unicode_expression(self):
    """Unicode look-alike spellings of ``expression`` are stripped.

    A sanitizer that only recognises the ASCII word can be bypassed if
    the consuming browser folds fullwidth or IPA letters to their ASCII
    equivalents before evaluating the value, so each of these spellings
    is expected to cost the element its ``style`` attribute.
    """
    lookalikes = [
        # Fullwidth small letters
        u'<div style="top:ｅｘｐｒｅｓｓｉｏｎ(alert())">XSS</div>',
        # Fullwidth capital letters
        u'<div style="top:ＥＸＰＲＥＳＳＩＯＮ(alert())">XSS</div>',
        # IPA extensions
        u'<div style="top:expʀessɪoɴ(alert())">XSS</div>',
    ]
    for markup in lookalikes:
        sanitized = unicode(HTML(markup) | StyleSanitizer())
        self.assertEqual('<div>XSS</div>', sanitized)
def test_sanitize_unicode_url(self):
    """An IPA look-alike of ``url(`` wrapping a ``javascript:`` URL is stripped.

    Same bypass idea as the ``expression`` look-alikes: if the browser
    normalises ``uʀʟ`` to ``url``, matching only ASCII ``url(`` would let
    the script URL through, so the ``style`` attribute is expected to go.
    """
    # IPA extensions
    markup = HTML(u'<div style="background-image:uʀʟ(javascript:alert())">'
                  u'XSS</div>')
    sanitized = unicode(markup | StyleSanitizer())
    self.assertEqual('<div>XSS</div>', sanitized)
def suite():
    """Assemble this module's test suite.

    Registers the doctests of the module that defines ``HTMLFormFiller``
    first, followed by the two ``TestCase`` classes in the order given.
    """
    tests = unittest.TestSuite()
    tests.addTest(doctest.DocTestSuite(HTMLFormFiller.__module__))
    for case in (HTMLFormFillerTestCase, HTMLSanitizerTestCase):
        tests.addTest(unittest.makeSuite(case, 'test'))
    return tests
if __name__ == '__main__':
    # Run this module's own suite() rather than test auto-discovery so
    # that the doctests suite() registers are executed as well.
    unittest.main(defaultTest='suite')