', - unicode(html.filter(HTMLSanitizer()))) + unicode(html | HTMLSanitizer())) def test_sanitize_close_empty_tag(self): html = HTML('fo
o') self.assertEquals(u'fo
o', - unicode(html.filter(HTMLSanitizer()))) + unicode(html | HTMLSanitizer())) def test_sanitize_invalid_entity(self): html = HTML('&junk;') - self.assertEquals('&junk;', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals('&junk;', unicode(html | HTMLSanitizer())) def test_sanitize_remove_script_elem(self): html = HTML('') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) html = HTML('') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) self.assertRaises(ParseError, HTML, 'alert("foo")') self.assertRaises(ParseError, HTML, '') def test_sanitize_remove_onclick_attr(self): html = HTML('

') - self.assertEquals(u'

', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'

', unicode(html | HTMLSanitizer())) def test_sanitize_remove_style_scripts(self): # Inline style with url() using javascript: scheme html = HTML('

') - self.assertEquals(u'

', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'

', unicode(html | HTMLSanitizer())) # Inline style with url() using javascript: scheme, using control char html = HTML('

') - self.assertEquals(u'

', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'

', unicode(html | HTMLSanitizer())) # Inline style with url() using javascript: scheme, in quotes html = HTML('

') - self.assertEquals(u'

', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'

', unicode(html | HTMLSanitizer())) # IE expressions in CSS not allowed html = HTML('

') - self.assertEquals(u'

', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'

', unicode(html | HTMLSanitizer())) html = HTML('

') self.assertEquals(u'

', - unicode(html.filter(HTMLSanitizer()))) + unicode(html | HTMLSanitizer())) def test_sanitize_remove_src_javascript(self): html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) # Case-insensitive protocol matching html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) # Grave accents (not parsed) self.assertRaises(ParseError, HTML, '

') # Protocol encoded using UTF-8 numeric entities html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) # Protocol encoded using UTF-8 numeric entities without a semicolon # (which is allowed because the max number of digits is used) html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) # Protocol encoded using UTF-8 numeric hex entities without a semicolon # (which is allowed because the max number of digits is used) html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) # Embedded tab character in protocol html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) # Embedded tab character in protocol, but encoded this time html = HTML('

') - self.assertEquals(u'', unicode(html.filter(HTMLSanitizer()))) + self.assertEquals(u'', unicode(html | HTMLSanitizer())) def suite():