comparison genshi/filters/tests/test_html.py @ 1020:6c1d10d2fc52 trunk
Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).
author | hodgestar |
date | Sun, 16 Feb 2014 18:25:17 +0000 |
parents | 99d4c481e4eb |
children |
1019:ad96321e4d2b | 1020:6c1d10d2fc52 |
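--- a/genshi/filters/tests/test_html.py
+++ b/genshi/filters/tests/test_html.py
@@ -366,16 +366,20 @@
     return HTMLSanitizer(safe_attrs=safe_attrs)
 
 
 class HTMLSanitizerTestCase(unittest.TestCase):
 
-    def assert_parse_error_or_equal(self, expected, exploit):
+    def assert_parse_error_or_equal(self, expected, exploit,
+                                    allow_strip=False):
         try:
             html = HTML(exploit)
         except ParseError:
             return
-        self.assertEquals(expected, (html | HTMLSanitizer()).render())
+        sanitized_html = (html | HTMLSanitizer()).render()
+        if not sanitized_html and allow_strip:
+            return
+        self.assertEquals(expected, sanitized_html)
 
     def test_sanitize_unchanged(self):
         html = HTML(u'<a href="#">fo<br />o</a>')
         self.assertEquals('<a href="#">fo<br/>o</a>',
                           (html | HTMLSanitizer()).render())
@@ -414,14 +418,16 @@
         html = HTML(u'<script>alert("Foo")</script>')
         self.assertEquals('', (html | HTMLSanitizer()).render())
         html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
         self.assertEquals('', (html | HTMLSanitizer()).render())
         src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
-        self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src)
+        self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src,
+                                         allow_strip=True)
         src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
         self.assert_parse_error_or_equal('<SCRIPT&XYZ; '
-                                         'SRC="http://example.com/">', src)
+                                         'SRC="http://example.com/">', src,
+                                         allow_strip=True)
 
     def test_sanitize_remove_onclick_attr(self):
         html = HTML(u'<div onclick=\'alert("foo")\' />')
         self.assertEquals('<div/>', (html | HTMLSanitizer()).render())
 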
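Review bot: The new allow_strip branch in assert_parse_error_or_equal (new lines 378-380) turns the helper into a three-way acceptance — a ParseError, an exact match against expected, or an empty render — but nothing on the helper or at the two call sites in test_sanitize_remove_script_elem (new lines 423-428, the method header is outside this view) says that all three are the intended safe outcomes, so a later reader may mistake the empty-render early return for a weakened test. A docstring on the helper would make the contract explicit, e.g. `"""Assert that *exploit* is neutralised: it fails to parse, sanitizes to *expected*, or (with allow_strip) is removed from the output entirely."""`. Since the early return on new line 379 also hides which outcome occurred on a given interpreter, the final assertion would read better with a message, `self.assertEquals(expected, sanitized_html, 'unexpected sanitizer output for %r' % exploit)`. The new line 380 uses assertEquals, the deprecated alias of assertEqual; it matches the surrounding file, but new code could use the canonical name.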