python-Genshi/python-Genshi-0.7-sanitizer-test-fixes.patch

------------------------------------------------------------------------
r1246 | hodgestar | 2014-02-16 19:25:17 +0100 (So, 16. Feb 2014) | 1 Zeile

Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).
------------------------------------------------------------------------
Index: genshi/filters/tests/test_html.py
===================================================================
--- genshi/filters/tests/test_html.py	(Revision 1245)
+++ genshi/filters/tests/test_html.py	(Revision 1246)
@@ -368,12 +368,16 @@
 
 class HTMLSanitizerTestCase(unittest.TestCase):
 
-    def assert_parse_error_or_equal(self, expected, exploit):
+    def assert_parse_error_or_equal(self, expected, exploit,
+                                    allow_strip=False):
         try:
             html = HTML(exploit)
         except ParseError:
             return
-        self.assertEquals(expected, (html | HTMLSanitizer()).render())
+        sanitized_html = (html | HTMLSanitizer()).render()
+        if not sanitized_html and allow_strip:
+            return
+        self.assertEquals(expected, sanitized_html)
 
     def test_sanitize_unchanged(self):
         html = HTML(u'<a href="#">fo<br />o</a>')
@@ -416,10 +420,12 @@
         html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
         self.assertEquals('', (html | HTMLSanitizer()).render())
         src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
-        self.assert_parse_error_or_equal('&lt;SCR\x00IPT&gt;alert("foo")', src)
+        self.assert_parse_error_or_equal('&lt;SCR\x00IPT&gt;alert("foo")', src,
+                                         allow_strip=True)
         src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
         self.assert_parse_error_or_equal('&lt;SCRIPT&amp;XYZ; '
-                                         'SRC="http://example.com/"&gt;', src)
+                                         'SRC="http://example.com/"&gt;', src,
+                                         allow_strip=True)
 
     def test_sanitize_remove_onclick_attr(self):
         html = HTML(u'<div onclick=\'alert("foo")\' />')
Accepting request 486530 from home:alois:branches:devel:languages:python OBS-URL: https://build.opensuse.org/request/show/486530 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Genshi?expand=0&rev=11 2017-04-07 18:50:19 +02:00			`------------------------------------------------------------------------`
			`r1246 \| hodgestar \| 2014-02-16 19:25:17 +0100 (So, 16. Feb 2014) \| 1 Zeile`

			`Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).`
			`------------------------------------------------------------------------`
			`Index: genshi/filters/tests/test_html.py`
			`===================================================================`
			`--- genshi/filters/tests/test_html.py (Revision 1245)`
			`+++ genshi/filters/tests/test_html.py (Revision 1246)`
			`@@ -368,12 +368,16 @@`

			`class HTMLSanitizerTestCase(unittest.TestCase):`

			`- def assert_parse_error_or_equal(self, expected, exploit):`
			`+ def assert_parse_error_or_equal(self, expected, exploit,`
			`+ allow_strip=False):`
			`try:`
			`html = HTML(exploit)`
			`except ParseError:`
			`return`
			`- self.assertEquals(expected, (html \| HTMLSanitizer()).render())`
			`+ sanitized_html = (html \| HTMLSanitizer()).render()`
			`+ if not sanitized_html and allow_strip:`
			`+ return`
			`+ self.assertEquals(expected, sanitized_html)`

			`def test_sanitize_unchanged(self):`
			`html = HTML(u'<a href="#">fo<br />o</a>')`
			`@@ -416,10 +420,12 @@`
			`html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')`
			`self.assertEquals('', (html \| HTMLSanitizer()).render())`
			`src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'`
			`- self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src)`
			`+ self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src,`
			`+ allow_strip=True)`
			`src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'`
			`self.assert_parse_error_or_equal('<SCRIPT&XYZ; '`
			`- 'SRC="http://example.com/">', src)`
			`+ 'SRC="http://example.com/">', src,`
			`+ allow_strip=True)`

			`def test_sanitize_remove_onclick_attr(self):`
			`html = HTML(u'<div onclick=\'alert("foo")\' />')`