changeset 1020:6c1d10d2fc52 trunk
Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).
author | hodgestar |
---|---|
date | Sun, 16 Feb 2014 18:25:17 +0000 |
parents | ad96321e4d2b |
children | 323d592690da |
files | genshi/filters/tests/test_html.py |
diffstat | 1 files changed, 10 insertions(+), 4 deletions(-) [+] |
--- a/genshi/filters/tests/test_html.py
+++ b/genshi/filters/tests/test_html.py
@@ -368,12 +368,16 @@ class HTMLSanitizerTestCase(unittest.TestCase):
-    def assert_parse_error_or_equal(self, expected, exploit):
+    def assert_parse_error_or_equal(self, expected, exploit,
+                                    allow_strip=False):
         try:
             html = HTML(exploit)
         except ParseError:
             return
-        self.assertEquals(expected, (html | HTMLSanitizer()).render())
+        sanitized_html = (html | HTMLSanitizer()).render()
+        if not sanitized_html and allow_strip:
+            return
+        self.assertEquals(expected, sanitized_html)
 
     def test_sanitize_unchanged(self):
         html = HTML(u'<a href="#">fo<br />o</a>')
@@ -416,10 +420,12 @@
         html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
         self.assertEquals('', (html | HTMLSanitizer()).render())
         src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
-        self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src)
+        self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src,
+                                         allow_strip=True)
         src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
         self.assert_parse_error_or_equal('<SCRIPT&XYZ; '
-                                         'SRC="http://example.com/">', src)
+                                         'SRC="http://example.com/">', src,
+                                         allow_strip=True)
 
     def test_sanitize_remove_onclick_attr(self):
         html = HTML(u'<div onclick=\'alert("foo")\' />')
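Review bot: `assert_parse_error_or_equal` now passes on three distinct outcomes — a `ParseError`, an empty sanitized render when `allow_strip` is set, or an exact match with `expected` — and nothing in the hunk says so, so a green test no longer tells a reader which of those paths the interpreter's parser actually took. A docstring on the helper should spell out the contract, e.g. that the exploit is considered neutralised if the parser rejects it, if (with `allow_strip=True`) the sanitizer drops the element entirely, or if the output equals `expected`, and that the empty-output case is accepted only because removing an unrecognised tag is the fail-closed direction (the commit message attributes this to Python 3.4 parsing `<SCRIPT&XYZ` as a tag named `script&xyz`; for the NUL-byte case the parser behaviour is not stated here and is presumably similar — worth confirming in the comment). Note that `if not sanitized_html and allow_strip` is also satisfied by a parse that produced no events at all, which is equally safe but worth naming. On the new line `self.assertEquals(expected, sanitized_html)`, prefer `self.assertEqual(expected, sanitized_html)` since `assertEquals` is a deprecated alias on Python 3. The enclosing `HTMLSanitizerTestCase` class continues outside the hunk.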