Mercurial > genshi > mirror
comparison genshi/filters/tests/test_html.py @ 1020:6c1d10d2fc52 trunk
Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).
| author | hodgestar |
|---|---|
| date | Sun, 16 Feb 2014 18:25:17 +0000 |
| parents | 99d4c481e4eb |
| children |
comparison
equal
deleted
inserted
replaced
| 1019:ad96321e4d2b | 1020:6c1d10d2fc52 |
|---|---|
| 366 return HTMLSanitizer(safe_attrs=safe_attrs) | 366 return HTMLSanitizer(safe_attrs=safe_attrs) |
| 367 | 367 |
| 368 | 368 |
| 369 class HTMLSanitizerTestCase(unittest.TestCase): | 369 class HTMLSanitizerTestCase(unittest.TestCase): |
| 370 | 370 |
| 371 def assert_parse_error_or_equal(self, expected, exploit): | 371 def assert_parse_error_or_equal(self, expected, exploit, |
| 372 allow_strip=False): | |
| 372 try: | 373 try: |
| 373 html = HTML(exploit) | 374 html = HTML(exploit) |
| 374 except ParseError: | 375 except ParseError: |
| 375 return | 376 return |
| 376 self.assertEquals(expected, (html | HTMLSanitizer()).render()) | 377 sanitized_html = (html | HTMLSanitizer()).render() |
| 378 if not sanitized_html and allow_strip: | |
| 379 return | |
| 380 self.assertEquals(expected, sanitized_html) | |
| 377 | 381 |
| 378 def test_sanitize_unchanged(self): | 382 def test_sanitize_unchanged(self): |
| 379 html = HTML(u'<a href="#">fo<br />o</a>') | 383 html = HTML(u'<a href="#">fo<br />o</a>') |
| 380 self.assertEquals('<a href="#">fo<br/>o</a>', | 384 self.assertEquals('<a href="#">fo<br/>o</a>', |
| 381 (html | HTMLSanitizer()).render()) | 385 (html | HTMLSanitizer()).render()) |
| 414 html = HTML(u'<script>alert("Foo")</script>') | 418 html = HTML(u'<script>alert("Foo")</script>') |
| 415 self.assertEquals('', (html | HTMLSanitizer()).render()) | 419 self.assertEquals('', (html | HTMLSanitizer()).render()) |
| 416 html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>') | 420 html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>') |
| 417 self.assertEquals('', (html | HTMLSanitizer()).render()) | 421 self.assertEquals('', (html | HTMLSanitizer()).render()) |
| 418 src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>' | 422 src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>' |
| 419 self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src) | 423 self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src, |
| 424 allow_strip=True) | |
| 420 src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>' | 425 src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>' |
| 421 self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' | 426 self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' |
| 422 'SRC="http://example.com/">', src) | 427 'SRC="http://example.com/">', src, |
| 428 allow_strip=True) | |
| 423 | 429 |
| 424 def test_sanitize_remove_onclick_attr(self): | 430 def test_sanitize_remove_onclick_attr(self): |
| 425 html = HTML(u'<div onclick=\'alert("foo")\' />') | 431 html = HTML(u'<div onclick=\'alert("foo")\' />') |
| 426 self.assertEquals('<div/>', (html | HTMLSanitizer()).render()) | 432 self.assertEquals('<div/>', (html | HTMLSanitizer()).render()) |
| 427 | 433 |