Mercurial > genshi > mirror
view genshi/filters/tests/test_html.py @ 1026:2e169deb0adc stable-0.7.x
Merge r1229 to r1238 and r1243 to r1251 from trunk (documentation fixes and Python 3.4 support).
| author | hodgestar |
|---|---|
| date | Sun, 09 Mar 2014 08:41:45 +0000 |
| parents | 99d4c481e4eb |
| children |
line wrap: on
line source
# -*- coding: utf-8 -*- # # Copyright (C) 2006-2009 Edgewall Software # All rights reserved. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms # are also available at http://genshi.edgewall.org/wiki/License. # # This software consists of voluntary contributions made by many # individuals. For the exact contribution history, see the revision # history and logs, available at http://genshi.edgewall.org/log/. import doctest import unittest from genshi.input import HTML, ParseError from genshi.filters.html import HTMLFormFiller, HTMLSanitizer from genshi.template import MarkupTemplate class HTMLFormFillerTestCase(unittest.TestCase): def test_fill_input_text_no_value(self): html = HTML(u"""<form><p> <input type="text" name="foo" /> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <input type="text" name="foo"/> </p></form>""", html.render()) def test_fill_input_text_single_value(self): html = HTML(u"""<form><p> <input type="text" name="foo" /> </p></form>""") | HTMLFormFiller(data={'foo': 'bar'}) self.assertEquals("""<form><p> <input type="text" name="foo" value="bar"/> </p></form>""", html.render()) def test_fill_input_text_multi_value(self): html = HTML(u"""<form><p> <input type="text" name="foo" /> </p></form>""") | HTMLFormFiller(data={'foo': ['bar']}) self.assertEquals("""<form><p> <input type="text" name="foo" value="bar"/> </p></form>""", html.render()) def test_fill_input_hidden_no_value(self): html = HTML(u"""<form><p> <input type="hidden" name="foo" /> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <input type="hidden" name="foo"/> </p></form>""", html.render()) def test_fill_input_hidden_single_value(self): html = HTML(u"""<form><p> <input type="hidden" name="foo" /> </p></form>""") | HTMLFormFiller(data={'foo': 'bar'}) self.assertEquals("""<form><p> <input type="hidden" name="foo" value="bar"/> </p></form>""", html.render()) def test_fill_input_hidden_multi_value(self): html = HTML(u"""<form><p> <input type="hidden" name="foo" /> </p></form>""") | HTMLFormFiller(data={'foo': ['bar']}) self.assertEquals("""<form><p> <input type="hidden" name="foo" value="bar"/> </p></form>""", html.render()) def test_fill_textarea_no_value(self): html = HTML(u"""<form><p> <textarea name="foo"></textarea> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <textarea name="foo"/> </p></form>""", html.render()) def test_fill_textarea_single_value(self): html = HTML(u"""<form><p> <textarea name="foo"></textarea> </p></form>""") | HTMLFormFiller(data={'foo': 'bar'}) self.assertEquals("""<form><p> <textarea name="foo">bar</textarea> </p></form>""", html.render()) def test_fill_textarea_multi_value(self): html = HTML(u"""<form><p> <textarea name="foo"></textarea> </p></form>""") | HTMLFormFiller(data={'foo': ['bar']}) self.assertEquals("""<form><p> <textarea name="foo">bar</textarea> </p></form>""", html.render()) def test_fill_textarea_multiple(self): # Ensure that the subsequent textarea doesn't get the data from the # first html = HTML(u"""<form><p> <textarea name="foo"></textarea> <textarea name="bar"></textarea> </p></form>""") | HTMLFormFiller(data={'foo': 'Some text'}) self.assertEquals("""<form><p> <textarea name="foo">Some text</textarea> <textarea name="bar"/> </p></form>""", html.render()) def test_fill_textarea_preserve_original(self): html = HTML(u"""<form><p> <textarea name="foo"></textarea> <textarea name="bar">Original value</textarea> </p></form>""") | HTMLFormFiller(data={'foo': 'Some text'}) self.assertEquals("""<form><p> <textarea name="foo">Some text</textarea> <textarea name="bar">Original value</textarea> </p></form>""", html.render()) def test_fill_input_checkbox_single_value_auto_no_value(self): html = HTML(u"""<form><p> <input type="checkbox" name="foo" /> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <input type="checkbox" name="foo"/> </p></form>""", html.render()) def test_fill_input_checkbox_single_value_auto(self): html = HTML(u"""<form><p> <input type="checkbox" name="foo" /> </p></form>""") self.assertEquals("""<form><p> <input type="checkbox" name="foo"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ''})).render()) self.assertEquals("""<form><p> <input type="checkbox" name="foo" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': 'on'})).render()) def test_fill_input_checkbox_single_value_defined(self): html = HTML("""<form><p> <input type="checkbox" name="foo" value="1" /> </p></form>""", encoding='ascii') self.assertEquals("""<form><p> <input type="checkbox" name="foo" value="1" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': '1'})).render()) self.assertEquals("""<form><p> <input type="checkbox" name="foo" value="1"/> </p></form>""", (html | HTMLFormFiller(data={'foo': '2'})).render()) def test_fill_input_checkbox_multi_value_auto(self): html = HTML("""<form><p> <input type="checkbox" name="foo" /> </p></form>""", encoding='ascii') self.assertEquals("""<form><p> <input type="checkbox" name="foo"/> </p></form>""", (html | HTMLFormFiller(data={'foo': []})).render()) self.assertEquals("""<form><p> <input type="checkbox" name="foo" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ['on']})).render()) def test_fill_input_checkbox_multi_value_defined(self): html = HTML(u"""<form><p> <input type="checkbox" name="foo" value="1" /> </p></form>""") self.assertEquals("""<form><p> <input type="checkbox" name="foo" value="1" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ['1']})).render()) self.assertEquals("""<form><p> <input type="checkbox" name="foo" value="1"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ['2']})).render()) def test_fill_input_radio_no_value(self): html = HTML(u"""<form><p> <input type="radio" name="foo" /> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <input type="radio" name="foo"/> </p></form>""", html.render()) def test_fill_input_radio_single_value(self): html = HTML(u"""<form><p> <input type="radio" name="foo" value="1" /> </p></form>""") self.assertEquals("""<form><p> <input type="radio" name="foo" value="1" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': '1'})).render()) self.assertEquals("""<form><p> <input type="radio" name="foo" value="1"/> </p></form>""", (html | HTMLFormFiller(data={'foo': '2'})).render()) def test_fill_input_radio_multi_value(self): html = HTML(u"""<form><p> <input type="radio" name="foo" value="1" /> </p></form>""") self.assertEquals("""<form><p> <input type="radio" name="foo" value="1" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ['1']})).render()) self.assertEquals("""<form><p> <input type="radio" name="foo" value="1"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ['2']})).render()) def test_fill_input_radio_empty_string(self): html = HTML(u"""<form><p> <input type="radio" name="foo" value="" /> </p></form>""") self.assertEquals("""<form><p> <input type="radio" name="foo" value="" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ''})).render()) def test_fill_input_radio_multi_empty_string(self): html = HTML(u"""<form><p> <input type="radio" name="foo" value="" /> </p></form>""") self.assertEquals("""<form><p> <input type="radio" name="foo" value="" checked="checked"/> </p></form>""", (html | HTMLFormFiller(data={'foo': ['']})).render()) def test_fill_select_no_value_auto(self): html = HTML(u"""<form><p> <select name="foo"> <option>1</option> <option>2</option> <option>3</option> </select> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <select name="foo"> <option>1</option> <option>2</option> <option>3</option> </select> </p></form>""", html.render()) def test_fill_select_no_value_defined(self): html = HTML(u"""<form><p> <select name="foo"> <option value="1">1</option> <option value="2">2</option> <option value="3">3</option> </select> </p></form>""") | HTMLFormFiller() self.assertEquals("""<form><p> <select name="foo"> <option value="1">1</option> <option value="2">2</option> <option value="3">3</option> </select> </p></form>""", html.render()) def test_fill_select_single_value_auto(self): html = HTML(u"""<form><p> <select name="foo"> <option>1</option> <option>2</option> <option>3</option> </select> </p></form>""") | HTMLFormFiller(data={'foo': '1'}) self.assertEquals("""<form><p> <select name="foo"> <option selected="selected">1</option> <option>2</option> <option>3</option> </select> </p></form>""", html.render()) def test_fill_select_single_value_defined(self): html = HTML(u"""<form><p> <select name="foo"> <option value="1">1</option> <option value="2">2</option> <option value="3">3</option> </select> </p></form>""") | HTMLFormFiller(data={'foo': '1'}) self.assertEquals("""<form><p> <select name="foo"> <option value="1" selected="selected">1</option> <option value="2">2</option> <option value="3">3</option> </select> </p></form>""", html.render()) def test_fill_select_multi_value_auto(self): html = HTML(u"""<form><p> <select name="foo" multiple> <option>1</option> <option>2</option> <option>3</option> </select> </p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']}) self.assertEquals("""<form><p> <select name="foo" multiple="multiple"> <option selected="selected">1</option> <option>2</option> <option selected="selected">3</option> </select> </p></form>""", html.render()) def test_fill_select_multi_value_defined(self): html = HTML(u"""<form><p> <select name="foo" multiple> <option value="1">1</option> <option value="2">2</option> <option value="3">3</option> </select> </p></form>""") | HTMLFormFiller(data={'foo': ['1', '3']}) self.assertEquals("""<form><p> <select name="foo" multiple="multiple"> <option value="1" selected="selected">1</option> <option value="2">2</option> <option value="3" selected="selected">3</option> </select> </p></form>""", html.render()) def test_fill_option_segmented_text(self): html = MarkupTemplate(u"""<form> <select name="foo"> <option value="1">foo $x</option> </select> </form>""").generate(x=1) | HTMLFormFiller(data={'foo': '1'}) self.assertEquals(u"""<form> <select name="foo"> <option value="1" selected="selected">foo 1</option> </select> </form>""", html.render()) def test_fill_option_segmented_text_no_value(self): html = MarkupTemplate("""<form> <select name="foo"> <option>foo $x bar</option> </select> </form>""").generate(x=1) | HTMLFormFiller(data={'foo': 'foo 1 bar'}) self.assertEquals("""<form> <select name="foo"> <option selected="selected">foo 1 bar</option> </select> </form>""", html.render()) def test_fill_option_unicode_value(self): html = HTML(u"""<form> <select name="foo"> <option value="ö">foo</option> </select> </form>""") | HTMLFormFiller(data={'foo': u'ö'}) self.assertEquals(u"""<form> <select name="foo"> <option value="ö" selected="selected">foo</option> </select> </form>""", html.render(encoding=None)) def test_fill_input_password_disabled(self): html = HTML(u"""<form><p> <input type="password" name="pass" /> </p></form>""") | HTMLFormFiller(data={'pass': 'bar'}) self.assertEquals("""<form><p> <input type="password" name="pass"/> </p></form>""", html.render()) def test_fill_input_password_enabled(self): html = HTML(u"""<form><p> <input type="password" name="pass" /> </p></form>""") | HTMLFormFiller(data={'pass': '1234'}, passwords=True) self.assertEquals("""<form><p> <input type="password" name="pass" value="1234"/> </p></form>""", html.render()) def StyleSanitizer(): safe_attrs = HTMLSanitizer.SAFE_ATTRS | frozenset(['style']) return HTMLSanitizer(safe_attrs=safe_attrs) class HTMLSanitizerTestCase(unittest.TestCase): def assert_parse_error_or_equal(self, expected, exploit, allow_strip=False): try: html = HTML(exploit) except ParseError: return sanitized_html = (html | HTMLSanitizer()).render() if not sanitized_html and allow_strip: return self.assertEquals(expected, sanitized_html) def test_sanitize_unchanged(self): html = HTML(u'<a href="#">fo<br />o</a>') self.assertEquals('<a href="#">fo<br/>o</a>', (html | HTMLSanitizer()).render()) html = HTML(u'<a href="#with:colon">foo</a>') self.assertEquals('<a href="#with:colon">foo</a>', (html | HTMLSanitizer()).render()) def test_sanitize_escape_text(self): html = HTML(u'<a href="#">fo&</a>') self.assertEquals('<a href="#">fo&</a>', (html | HTMLSanitizer()).render()) html = HTML(u'<a href="#"><foo></a>') self.assertEquals('<a href="#"><foo></a>', (html | HTMLSanitizer()).render()) def test_sanitize_entityref_text(self): html = HTML(u'<a href="#">foö</a>') self.assertEquals(u'<a href="#">foö</a>', (html | HTMLSanitizer()).render(encoding=None)) def test_sanitize_escape_attr(self): html = HTML(u'<div title="<foo>"></div>') self.assertEquals('<div title="<foo>"/>', (html | HTMLSanitizer()).render()) def test_sanitize_close_empty_tag(self): html = HTML(u'<a href="#">fo<br>o</a>') self.assertEquals('<a href="#">fo<br/>o</a>', (html | HTMLSanitizer()).render()) def test_sanitize_invalid_entity(self): html = HTML(u'&junk;') self.assertEquals('&junk;', (html | HTMLSanitizer()).render()) def test_sanitize_remove_script_elem(self): html = HTML(u'<script>alert("Foo")</script>') self.assertEquals('', (html | HTMLSanitizer()).render()) html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>') self.assertEquals('', (html | HTMLSanitizer()).render()) src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>' self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src, allow_strip=True) src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>' self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' 'SRC="http://example.com/">', src, allow_strip=True) def test_sanitize_remove_onclick_attr(self): html = HTML(u'<div onclick=\'alert("foo")\' />') self.assertEquals('<div/>', (html | HTMLSanitizer()).render()) def test_sanitize_remove_input_password(self): html = HTML(u'<form><input type="password" /></form>') self.assertEquals('<form/>', (html | HTMLSanitizer()).render()) def test_sanitize_remove_comments(self): html = HTML(u'''<div><!-- conditional comment crap --></div>''') self.assertEquals('<div/>', (html | HTMLSanitizer()).render()) def test_sanitize_remove_style_scripts(self): sanitizer = StyleSanitizer() # Inline style with url() using javascript: scheme html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) # Inline style with url() using javascript: scheme, using control char html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) # Inline style with url() using javascript: scheme, in quotes html = HTML(u'<DIV STYLE=\'background: url("javascript:alert(foo)")\'>') self.assertEquals('<div/>', (html | sanitizer).render()) # IE expressions in CSS not allowed html = HTML(u'<DIV STYLE=\'width: expression(alert("foo"));\'>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<DIV STYLE=\'width: e/**/xpression(alert("foo"));\'>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<DIV STYLE=\'background: url(javascript:alert("foo"));' 'color: #fff\'>') self.assertEquals('<div style="color: #fff"/>', (html | sanitizer).render()) # Inline style with url() using javascript: scheme, using unicode # escapes html = HTML(u'<DIV STYLE=\'background: \\75rl(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<DIV STYLE=\'background: \\000075rl(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<DIV STYLE=\'background: \\75 rl(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<DIV STYLE=\'background: \\000075 rl(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<DIV STYLE=\'background: \\000075\r\nrl(javascript:alert("foo"))\'>') self.assertEquals('<div/>', (html | sanitizer).render()) def test_sanitize_remove_style_phishing(self): sanitizer = StyleSanitizer() # The position property is not allowed html = HTML(u'<div style="position:absolute;top:0"></div>') self.assertEquals('<div style="top:0"/>', (html | sanitizer).render()) # Normal margins get passed through html = HTML(u'<div style="margin:10px 20px"></div>') self.assertEquals('<div style="margin:10px 20px"/>', (html | sanitizer).render()) # But not negative margins html = HTML(u'<div style="margin:-1000px 0 0"></div>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<div style="margin-left:-2000px 0 0"></div>') self.assertEquals('<div/>', (html | sanitizer).render()) html = HTML(u'<div style="margin-left:1em 1em 1em -4000px"></div>') self.assertEquals('<div/>', (html | sanitizer).render()) def test_sanitize_remove_src_javascript(self): html = HTML(u'<img src=\'javascript:alert("foo")\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) # Case-insensitive protocol matching html = HTML(u'<IMG SRC=\'JaVaScRiPt:alert("foo")\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) # Grave accents (not parsed) src = u'<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>' self.assert_parse_error_or_equal('<img/>', src) # Protocol encoded using UTF-8 numeric entities html = HTML(u'<IMG SRC=\'javascri' 'pt:alert("foo")\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) # Protocol encoded using UTF-8 numeric entities without a semicolon # (which is allowed because the max number of digits is used) html = HTML(u'<IMG SRC=\'java' 'script' ':alert("foo")\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) # Protocol encoded using UTF-8 numeric hex entities without a semicolon # (which is allowed because the max number of digits is used) html = HTML(u'<IMG SRC=\'javascri' 'pt:alert("foo")\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) # Embedded tab character in protocol html = HTML(u'<IMG SRC=\'jav\tascript:alert("foo");\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) # Embedded tab character in protocol, but encoded this time html = HTML(u'<IMG SRC=\'jav	ascript:alert("foo");\'>') self.assertEquals('<img/>', (html | HTMLSanitizer()).render()) def test_sanitize_expression(self): html = HTML(ur'<div style="top:expression(alert())">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_capital_expression(self): html = HTML(ur'<div style="top:EXPRESSION(alert())">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_url_with_javascript(self): html = HTML(u'<div style="background-image:url(javascript:alert())">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_capital_url_with_javascript(self): html = HTML(u'<div style="background-image:URL(javascript:alert())">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_unicode_escapes(self): html = HTML(ur'<div style="top:exp\72 ess\000069 on(alert())">' ur'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_backslash_without_hex(self): html = HTML(ur'<div style="top:e\xp\ression(alert())">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(ur'<div style="top:e\\xp\\ression(alert())">XSS</div>') self.assertEqual(r'<div style="top:e\\xp\\ression(alert())">' 'XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_unsafe_props(self): html = HTML(u'<div style="POSITION:RELATIVE">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(u'<div style="behavior:url(test.htc)">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(u'<div style="-ms-behavior:url(test.htc) url(#obj)">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(u"""<div style="-o-link:'javascript:alert(1)';""" u"""-o-link-source:current">XSS</div>""") self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(u"""<div style="-moz-binding:url(xss.xbl)">XSS</div>""") self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_negative_margin(self): html = HTML(u'<div style="margin-top:-9999px">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(u'<div style="margin:0 -9999px">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_css_hack(self): html = HTML(u'<div style="*position:static">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) html = HTML(u'<div style="_margin:-10px">XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_property_name(self): html = HTML(u'<div style="display:none;border-left-color:red;' u'user_defined:1;-moz-user-selct:-moz-all">prop</div>') self.assertEqual('<div style="display:none; border-left-color:red' '">prop</div>', unicode(html | StyleSanitizer())) def test_sanitize_unicode_expression(self): # Fullwidth small letters html = HTML(u'<div style="top:expression(alert())">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) # Fullwidth capital letters html = HTML(u'<div style="top:EXPRESSION(alert())">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) # IPA extensions html = HTML(u'<div style="top:expʀessɪoɴ(alert())">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def test_sanitize_unicode_url(self): # IPA extensions html = HTML(u'<div style="background-image:uʀʟ(javascript:alert())">' u'XSS</div>') self.assertEqual('<div>XSS</div>', unicode(html | StyleSanitizer())) def suite(): suite = unittest.TestSuite() suite.addTest(doctest.DocTestSuite(HTMLFormFiller.__module__)) suite.addTest(unittest.makeSuite(HTMLFormFillerTestCase, 'test')) suite.addTest(unittest.makeSuite(HTMLSanitizerTestCase, 'test')) return suite if __name__ == '__main__': unittest.main(defaultTest='suite')