comparison test/test_templating.py @ 6104:a1fd9551d416
don't allow javascript URLs in markdown content
limit auto-linkification in markdown content to issue links to avoid interference with markdown link syntax
| author | Christof Meerwald <cmeerw@cmeerw.org> |
|---|---|
| date | Thu, 27 Feb 2020 21:18:56 +0000 |
| parents | af16c135fb98 |
| children | b108c9fc7aea |
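--- a/test/test_templating.py
+++ b/test/test_templating.py
@@ -419,12 +419,36 @@
 self.assertEqual(input, '<input class="required" disabled="disabled" size="30" type="text"/>')
 
 # common markdown test cases
 class MarkdownTests:
 def test_string_markdown(self):
-p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'A string http://localhost with cmeerw@example.com <br> *embedded* \u00df'))
-self.assertEqual(p.markdown().strip(), u2s(u'<p>A string <a href="http://localhost">http://localhost</a> with <a href="mailto:cmeerw@example.com">cmeerw@example.com</a> <br> <em>embedded</em> \u00df</p>'))
+p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'A string with <br> *embedded* \u00df'))
+self.assertEqual(p.markdown().strip(), u2s(u'<p>A string with <br> <em>embedded</em> \u00df</p>'))
+
+def test_string_markdown_link(self):
+p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'A link <http://localhost>'))
+self.assertEqual(p.markdown().strip(), u2s(u'<p>A link <a href="http://localhost">http://localhost</a></p>'))
+
+def test_string_markdown_link(self):
+# markdown2 and markdown
+try:
+import html
+html_unescape = html.unescape
+except AttributeError:
+from HTMLParser import HTMLParser
+html_unescape = HTMLParser().unescape
+
+p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'A link <cmeerw@example.com>'))
+self.assertEqual(html_unescape(p.markdown().strip()), u2s(u'<p>A link <a href="mailto:cmeerw@example.com">cmeerw@example.com</a></p>'))
+
+def test_string_markdown_javascript_link(self):
+# make sure we don't get a "javascript:" link
+p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'<javascript:alert(1)>'))
+self.assertTrue(p.markdown().find('href="javascript:') == -1)
+
+p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'[link](javascript:alert(1))'))
+self.assertTrue(p.markdown().find('href="javascript:') == -1)
 
 def test_string_markdown_code_block(self):
 p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'embedded code block\n\n```\nline 1\nline 2\n```\n\nnew paragraph'))
 self.assertEqual(p.markdown().strip().replace('\n\n', '\n'), u2s(u'<p>embedded code block</p>\n<pre><code>line 1\nline 2\n</code></pre>\n<p>new paragraph</p>'))
 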
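Review bot: The two tests added at new lines 427 and 431 are both named `test_string_markdown_link`, so the second definition replaces the first in the class body and the `<http://localhost>` autolink case never runs; rename the second, for example `def test_string_markdown_email_link(self):`. In `test_string_markdown_javascript_link` both assertions only look for the exact lower-case, double-quoted substring `href="javascript:`, while browsers match URL schemes case-insensitively. Comparing against lower-cased output, `self.assertNotIn('href="javascript:', p.markdown().lower())`, and adding a mixed-case scheme as a third input would keep this regression test from passing when the filter only handles the literal spelling. The `MarkdownTests` class body continues outside the lines shown here.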
