comparison test/test_cgi.py @ 4623:4f9c3858b671

Fix another XSS with the ok- and error message, see issue2550724. We solve this differently from the proposals in the bug report by not allowing *any* HTML tags in ok/error messages anymore. Thanks to David Benjamin for the bug report and to Ezio Melotti for several proposed fixes.
author Ralf Schlatterbeck <rsc@runtux.com>
date Mon, 14 May 2012 14:17:07 +0200
parents 6e3e4f24c753
children 21705126dafa
4622:9d5825bf0b2d 4623:4f9c3858b671
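--- a/test/test_cgi.py
+++ b/test/test_cgi.py
@@ -40,27 +40,34 @@
 form.list.append(cgi.MiniFieldStorage(k, v))
 return form
 
 cm = client.clean_message
 class MessageTestCase(unittest.TestCase):
+# Note: We used to allow some html tags in error message. Now *only*
+# newlines are allowed which are translated to <br />.
+# All other tags are escaped.
 def testCleanMessageOK(self):
-self.assertEqual(cm('<br>x<br />'), '<br>x<br />')
-self.assertEqual(cm('<i>x</i>'), '<i>x</i>')
-self.assertEqual(cm('<b>x</b>'), '<b>x</b>')
-self.assertEqual(cm('<a href="y">x</a>'),
-'<a href="y">x</a>')
-self.assertEqual(cm('<BR>x<BR />'), '<BR>x<BR />')
-self.assertEqual(cm('<I>x</I>'), '<I>x</I>')
-self.assertEqual(cm('<B>x</B>'), '<B>x</B>')
-self.assertEqual(cm('<A HREF="y">x</A>'),
-'<A HREF="y">x</A>')
+self.assertEqual(cm('a\nb'), 'a<br />\nb')
+self.assertEqual(cm('a\nb\nc\n'), 'a<br />\nb<br />\nc<br />\n')
 
 def testCleanMessageBAD(self):
 self.assertEqual(cm('<script>x</script>'),
 '&lt;script&gt;x&lt;/script&gt;')
 self.assertEqual(cm('<iframe>x</iframe>'),
 '&lt;iframe&gt;x&lt;/iframe&gt;')
+self.assertEqual(cm('<<script >>alert(42);5<</script >>'),
+'&lt;&lt;script &gt;&gt;alert(42);5&lt;&lt;/script &gt;&gt;')
+self.assertEqual(cm('<a href="y">x</a>'),
+'&lt;a href="y"&gt;x&lt;/a&gt;')
+self.assertEqual(cm('<A HREF="y">x</A>'),
+'&lt;A HREF="y"&gt;x&lt;/A&gt;')
+self.assertEqual(cm('<br>x<br />'), '&lt;br&gt;x&lt;br /&gt;')
+self.assertEqual(cm('<i>x</i>'), '&lt;i&gt;x&lt;/i&gt;')
+self.assertEqual(cm('<b>x</b>'), '&lt;b&gt;x&lt;/b&gt;')
+self.assertEqual(cm('<BR>x<BR />'), '&lt;BR&gt;x&lt;BR /&gt;')
+self.assertEqual(cm('<I>x</I>'), '&lt;I&gt;x&lt;/I&gt;')
+self.assertEqual(cm('<B>x</B>'), '&lt;B&gt;x&lt;/B&gt;')
 
 class FormTestCase(unittest.TestCase):
 def setUp(self):
 self.dirname = '_test_cgi_form'
 # set up and open a tracker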
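Review bot: The new testCleanMessageOK only covers newline translation and testCleanMessageBAD only covers tag escaping, so nothing pins that escaping happens before the `<br />` insertion — a message holding both must keep the generated `<br />` intact while the caller's tags are escaped. One combined case in testCleanMessageOK, `self.assertEqual(cm('<b>a</b>\nb'), '&lt;b&gt;a&lt;/b&gt;<br />\nb')`, would lock that ordering in. If clean_message escapes `&` as well (not visible in this hunk), a case such as `self.assertEqual(cm('a&b'), 'a&amp;b')` would keep a later change from letting entity text through unescaped. The expected strings on the new side also show `"` surviving unescaped, which is acceptable for element content but deserves a comment on the class stating that the cleaned message must only ever be emitted as element text, never inside an attribute value.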
