hodgestar@933: # -*- coding: utf-8 -*- hodgestar@933: # hodgestar@933: # Copyright (C) 2006-2009 Edgewall Software hodgestar@933: # All rights reserved. hodgestar@933: # hodgestar@933: # This software is licensed as described in the file COPYING, which hodgestar@933: # you should have received as part of this distribution. The terms hodgestar@933: # are also available at http://genshi.edgewall.org/wiki/License. hodgestar@933: # hodgestar@933: # This software consists of voluntary contributions made by many hodgestar@933: # individuals. For the exact contribution history, see the revision hodgestar@933: # history and logs, available at http://genshi.edgewall.org/log/. hodgestar@933: hodgestar@933: import doctest hodgestar@933: import unittest hodgestar@933: hodgestar@933: from genshi.input import HTML, ParseError hodgestar@933: from genshi.filters.html import HTMLFormFiller, HTMLSanitizer hodgestar@933: from genshi.template import MarkupTemplate hodgestar@933: hodgestar@933: class HTMLFormFillerTestCase(unittest.TestCase): hodgestar@933: hodgestar@933: def test_fill_input_text_no_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_text_single_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': 'bar'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_text_multi_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': ['bar']}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_hidden_no_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_hidden_single_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': 'bar'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_hidden_multi_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': ['bar']}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_textarea_no_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': 'bar'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_textarea_multi_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': ['bar']}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_textarea_multiple(self): hodgestar@933: # Ensure that the subsequent textarea doesn't get the data from the hodgestar@933: # first hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': 'Some text'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933: hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': 'Some text'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_checkbox_single_value_auto_no_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_checkbox_single_value_auto(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ''})).render()) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': 'on'})).render()) hodgestar@933: hodgestar@933: def test_fill_input_checkbox_single_value_defined(self): hodgestar@933: html = HTML("""

hodgestar@933: hodgestar@933:

""", encoding='ascii') hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': '1'})).render()) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': '2'})).render()) hodgestar@933: hodgestar@933: def test_fill_input_checkbox_multi_value_auto(self): hodgestar@933: html = HTML("""

hodgestar@933: hodgestar@933:

""", encoding='ascii') hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': []})).render()) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ['on']})).render()) hodgestar@933: hodgestar@933: def test_fill_input_checkbox_multi_value_defined(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ['1']})).render()) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ['2']})).render()) hodgestar@933: hodgestar@933: def test_fill_input_radio_no_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_radio_single_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': '1'})).render()) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': '2'})).render()) hodgestar@933: hodgestar@933: def test_fill_input_radio_multi_value(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ['1']})).render()) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ['2']})).render()) hodgestar@933: hodgestar@933: def test_fill_input_radio_empty_string(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ''})).render()) hodgestar@933: hodgestar@933: def test_fill_input_radio_multi_empty_string(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", (html | HTMLFormFiller(data={'foo': ['']})).render()) hodgestar@933: hodgestar@933: def test_fill_select_no_value_auto(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_select_no_value_defined(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller() hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_select_single_value_auto(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': '1'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_select_single_value_defined(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': '1'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_select_multi_value_auto(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': ['1', '3']}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_select_multi_value_defined(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'foo': ['1', '3']}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_option_segmented_text(self): hodgestar@933: html = MarkupTemplate(u"""
hodgestar@933: hodgestar@933:
""").generate(x=1) | HTMLFormFiller(data={'foo': '1'}) hodgestar@933: self.assertEquals(u"""
hodgestar@933: hodgestar@933:
""", html.render()) hodgestar@933: hodgestar@933: def test_fill_option_segmented_text_no_value(self): hodgestar@933: html = MarkupTemplate("""
hodgestar@933: hodgestar@933:
""").generate(x=1) | HTMLFormFiller(data={'foo': 'foo 1 bar'}) hodgestar@933: self.assertEquals("""
hodgestar@933: hodgestar@933:
""", html.render()) hodgestar@933: hodgestar@933: def test_fill_option_unicode_value(self): hodgestar@933: html = HTML(u"""
hodgestar@933: hodgestar@933:
""") | HTMLFormFiller(data={'foo': u'ö'}) hodgestar@933: self.assertEquals(u"""
hodgestar@933: hodgestar@933:
""", html.render(encoding=None)) hodgestar@933: hodgestar@933: def test_fill_input_password_disabled(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'pass': 'bar'}) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render()) hodgestar@933: hodgestar@933: def test_fill_input_password_enabled(self): hodgestar@933: html = HTML(u"""

hodgestar@933: hodgestar@933:

""") | HTMLFormFiller(data={'pass': '1234'}, passwords=True) hodgestar@933: self.assertEquals("""

hodgestar@933: hodgestar@933:

""", html.render())


def StyleSanitizer():
    """Return an ``HTMLSanitizer`` whose safe attributes also include ``style``.

    The attribute set is ``HTMLSanitizer.SAFE_ATTRS`` plus ``'style'``, so the
    CSS tests can pass inline styles through the sanitizer.
    NOTE(review): presumably ``style`` is not in the default set -- confirm
    against ``HTMLSanitizer``.
    """
    return HTMLSanitizer(
        safe_attrs=HTMLSanitizer.SAFE_ATTRS | frozenset(['style']))


class HTMLSanitizerTestCase(unittest.TestCase):

    def assert_parse_error_or_equal(self, expected, exploit,
                                    allow_strip=False):
        """Assert that ``exploit`` does not survive parsing and sanitizing.

        The check passes in any of three cases: ``HTML()`` raises
        ``ParseError`` for the input; ``allow_strip`` is true and the
        sanitized output is empty; or the sanitized output equals
        ``expected``.

        NOTE(review): the first two cases return before any comparison, so a
        passing result does not show which path was taken; on a ParseError
        ``HTMLSanitizer`` is never run at all.
        """
        try:
            stream = HTML(exploit)
        except ParseError:
            # Input the parser refuses is never rendered, so it is accepted.
            return
        rendered = (stream | HTMLSanitizer()).render()
        if allow_strip and not rendered:
            # Empty output: nothing from the input reached the rendered text.
            return
        self.assertEquals(expected, rendered)

    def test_sanitize_unchanged(self):
        html = HTML(u'fo
o
') hodgestar@933: self.assertEquals('fo
o
', hodgestar@933: (html | HTMLSanitizer()).render()) hodgestar@933: html = HTML(u'foo') hodgestar@933: self.assertEquals('foo', hodgestar@933: (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_escape_text(self): hodgestar@933: html = HTML(u'fo&') hodgestar@933: self.assertEquals('fo&', hodgestar@933: (html | HTMLSanitizer()).render()) hodgestar@933: html = HTML(u'<foo>') hodgestar@933: self.assertEquals('<foo>', hodgestar@933: (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_entityref_text(self): hodgestar@933: html = HTML(u'foö') hodgestar@933: self.assertEquals(u'foö', hodgestar@933: (html | HTMLSanitizer()).render(encoding=None)) hodgestar@933: hodgestar@933: def test_sanitize_escape_attr(self): hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', hodgestar@933: (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_close_empty_tag(self): hodgestar@933: html = HTML(u'fo
o
') hodgestar@933: self.assertEquals('fo
o
', hodgestar@933: (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_invalid_entity(self): hodgestar@933: html = HTML(u'&junk;') hodgestar@933: self.assertEquals('&junk;', (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_remove_script_elem(self): hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@963: src = u'alert("foo")' hodgestar@1020: self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src, hodgestar@1020: allow_strip=True) hodgestar@963: src = u'' hodgestar@963: self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' hodgestar@1020: 'SRC="http://example.com/">', src, hodgestar@1020: allow_strip=True) hodgestar@933: hodgestar@933: def test_sanitize_remove_onclick_attr(self): hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_remove_input_password(self): hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_remove_comments(self): hodgestar@933: html = HTML(u'''
''') hodgestar@933: self.assertEquals('
', (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@933: def test_sanitize_remove_style_scripts(self): hodgestar@949: sanitizer = StyleSanitizer() hodgestar@933: # Inline style with url() using javascript: scheme hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: # Inline style with url() using javascript: scheme, using control char hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: # Inline style with url() using javascript: scheme, in quotes hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: # IE expressions in CSS not allowed hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', hodgestar@933: (html | sanitizer).render()) hodgestar@933: # Inline style with url() using javascript: scheme, using unicode hodgestar@933: # escapes hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: hodgestar@933: def test_sanitize_remove_style_phishing(self): hodgestar@949: sanitizer = StyleSanitizer() hodgestar@933: # The position property is not allowed hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: # Normal margins get passed through hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', hodgestar@933: (html | sanitizer).render()) hodgestar@933: # But not negative margins hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: html = HTML(u'
') hodgestar@933: self.assertEquals('
', (html | sanitizer).render()) hodgestar@933: hodgestar@933: def test_sanitize_remove_src_javascript(self): hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: # Case-insensitive protocol matching hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: # Grave accents (not parsed) hodgestar@963: src = u'' hodgestar@963: self.assert_parse_error_or_equal('', src) hodgestar@933: # Protocol encoded using UTF-8 numeric entities hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: # Protocol encoded using UTF-8 numeric entities without a semicolon hodgestar@933: # (which is allowed because the max number of digits is used) hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: # Protocol encoded using UTF-8 numeric hex entities without a semicolon hodgestar@933: # (which is allowed because the max number of digits is used) hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: # Embedded tab character in protocol hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: # Embedded tab character in protocol, but encoded this time hodgestar@933: html = HTML(u'') hodgestar@933: self.assertEquals('', (html | HTMLSanitizer()).render()) hodgestar@933: hodgestar@949: def test_sanitize_expression(self): hodgestar@949: html = HTML(ur'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_capital_expression(self): hodgestar@949: html = HTML(ur'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_url_with_javascript(self): hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_capital_url_with_javascript(self): hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_unicode_escapes(self): hodgestar@949: html = HTML(ur'
' hodgestar@949: ur'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_backslash_without_hex(self): hodgestar@949: html = HTML(ur'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: html = HTML(ur'
XSS
') hodgestar@949: self.assertEqual(r'
' hodgestar@949: 'XSS
', hodgestar@949: unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_unsafe_props(self): hodgestar@949: html = HTML(u'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: html = HTML(u'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: html = HTML(u"""
XSS
""") hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: html = HTML(u"""
XSS
""") hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_negative_margin(self): hodgestar@949: html = HTML(u'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: html = HTML(u'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_css_hack(self): hodgestar@949: html = HTML(u'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: html = HTML(u'
XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_property_name(self): hodgestar@949: html = HTML(u'
prop
') hodgestar@949: self.assertEqual('
prop
', hodgestar@949: unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_unicode_expression(self): hodgestar@949: # Fullwidth small letters hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: # Fullwidth capital letters hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: # IPA extensions hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer())) hodgestar@949: hodgestar@949: def test_sanitize_unicode_url(self): hodgestar@949: # IPA extensions hodgestar@949: html = HTML(u'
' hodgestar@949: u'XSS
') hodgestar@949: self.assertEqual('
XSS
', unicode(html | StyleSanitizer()))


def suite():
    """Build the test suite for this module.

    It holds the doctests of the module that defines ``HTMLFormFiller``,
    followed by the ``test*`` methods of ``HTMLFormFillerTestCase`` and
    ``HTMLSanitizerTestCase``, in that order.
    """
    collected = unittest.TestSuite()
    collected.addTest(doctest.DocTestSuite(HTMLFormFiller.__module__))
    for case in (HTMLFormFillerTestCase, HTMLSanitizerTestCase):
        collected.addTest(unittest.makeSuite(case, 'test'))
    return collected


if __name__ == '__main__':
    unittest.main(defaultTest='suite')