python-Genshi/python-Genshi-0.7-sanitizer-test-fixes.patch

44 lines
2.1 KiB
Diff

------------------------------------------------------------------------
r1246 | hodgestar | 2014-02-16 19:25:17 +0100 (So, 16. Feb 2014) | 1 Zeile
Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz).
------------------------------------------------------------------------
Index: genshi/filters/tests/test_html.py
===================================================================
--- genshi/filters/tests/test_html.py (Revision 1245)
+++ genshi/filters/tests/test_html.py (Revision 1246)
@@ -368,12 +368,16 @@
class HTMLSanitizerTestCase(unittest.TestCase):
- def assert_parse_error_or_equal(self, expected, exploit):
+ def assert_parse_error_or_equal(self, expected, exploit,
+ allow_strip=False):
try:
html = HTML(exploit)
except ParseError:
return
- self.assertEquals(expected, (html | HTMLSanitizer()).render())
+ sanitized_html = (html | HTMLSanitizer()).render()
+ if not sanitized_html and allow_strip:
+ return
+ self.assertEquals(expected, sanitized_html)
def test_sanitize_unchanged(self):
html = HTML(u'<a href="#">fo<br />o</a>')
@@ -416,10 +420,12 @@
html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
self.assertEquals('', (html | HTMLSanitizer()).render())
src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
- self.assert_parse_error_or_equal('&lt;SCR\x00IPT&gt;alert("foo")', src)
+ self.assert_parse_error_or_equal('&lt;SCR\x00IPT&gt;alert("foo")', src,
+ allow_strip=True)
src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
self.assert_parse_error_or_equal('&lt;SCRIPT&amp;XYZ; '
- 'SRC="http://example.com/"&gt;', src)
+ 'SRC="http://example.com/"&gt;', src,
+ allow_strip=True)
def test_sanitize_remove_onclick_attr(self):
html = HTML(u'<div onclick=\'alert("foo")\' />')