changeset 964:cadb6703ac18 stable-0.6.x
Merge r1187 from trunk (fix HTMLSanitizer tests for Python 2.7 -- see #501).
author | hodgestar |
---|---|
date | Sat, 29 Dec 2012 12:00:00 +0000 |
parents | ea40c6ff63da |
children | 7cd21f6e3a58 |
files | genshi/filters/tests/html.py |
diffstat | 1 files changed, 14 insertions(+), 5 deletions(-) [+] |
--- a/genshi/filters/tests/html.py
+++ b/genshi/filters/tests/html.py
@@ -330,6 +330,13 @@
 class HTMLSanitizerTestCase(unittest.TestCase):
+ def assert_parse_error_or_equal(self, expected, exploit):
+ try:
+ html = HTML(exploit)
+ except ParseError:
+ return
+ self.assertEquals(expected, (html | HTMLSanitizer()).render())
+
 def test_sanitize_unchanged(self):
 html = HTML('<a href="#">fo<br />o</a>')
 self.assertEquals('<a href="#">fo<br/>o</a>',
@@ -370,9 +377,11 @@
 self.assertEquals('', (html | HTMLSanitizer()).render())
 html = HTML('<SCRIPT SRC="http://example.com/"></SCRIPT>')
 self.assertEquals('', (html | HTMLSanitizer()).render())
- self.assertRaises(ParseError, HTML, '<SCR\0IPT>alert("foo")</SCR\0IPT>')
- self.assertRaises(ParseError, HTML,
- '<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>')
+ src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
+ self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src)
+ src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
+ self.assert_parse_error_or_equal('<SCRIPT&XYZ; '
+ 'SRC="http://example.com/">', src)
 def test_sanitize_remove_onclick_attr(self):
 html = HTML('<div onclick=\'alert("foo")\' />')
@@ -443,8 +452,8 @@
 html = HTML('<IMG SRC=\'JaVaScRiPt:alert("foo")\'>')
 self.assertEquals('<img/>', (html | HTMLSanitizer()).render())
 # Grave accents (not parsed)
- self.assertRaises(ParseError, HTML,
- '<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>')
+ src = u'<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>'
+ self.assert_parse_error_or_equal('<img/>', src)
 # Protocol encoded using UTF-8 numeric entities
 html = HTML('<IMG SRC=\'javascri'
 'pt:alert("foo")\'>')
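Review bot: The new helper `assert_parse_error_or_equal` returns silently when `HTML(exploit)` raises `ParseError`, so on any given interpreter only one of its two outcomes is checked and nothing records which one ran. That is presumably intentional given the commit message (parser behaviour on Python 2.7, #501), but the helper has no docstring saying so; I would add `"""Pass if the input is rejected with ParseError, or if it parses and sanitizes to *expected*."""`. Keeping only the `HTML(exploit)` call inside the `try` is the right shape, since an exception raised while sanitizing or rendering still fails the test. The class body continues outside the hunk.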
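Review bot: The expected values passed to `assert_parse_error_or_equal` for the `<SCR\0IPT>` and `<SCRIPT&XYZ` inputs begin with a raw `<` as displayed here, which reads as if the sanitizer were allowed to emit tag-like markup. If the page has merely decoded entities and the file expects escaped text, a one-line comment would make the security intent explicit, for example `# malformed tag is parsed as text, so it must be rendered escaped, never as an element`. If the literals really are unescaped, the expectation itself should be re-checked, because a tag name split by a NUL is a case the sanitizer must not pass through as markup. The enclosing test method starts above the hunk.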
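Review bot: The context comment `# Grave accents (not parsed)` is stale after this change, because the new assertion also accepts the case where the input does parse and then requires the output to be `'<img/>'`. I would update it to `# Grave accents (rejected by some parsers; if parsed, the src attribute must be dropped)`. The comment line is unchanged context, so this is a follow-up edit in the same test method, which starts outside the hunk.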