def pipeHandler(self, outputf, po4, xml_output):
    """Stream a child process's stdout into ``outputf``, one escaped line at a time.

    ``po4`` is a ``popen2.Popen4``-style object; its ``fromchild`` stream is
    read with ``readline()`` until that returns an empty string (EOF). Every
    line goes through ``escape.escape`` and, when ``xml_output`` is true, also
    through ``self.__fileHandlerXMLencoding`` before being written, so output
    of the child - which should be treated as untrusted - is never copied raw
    into the (XML) report.

    NOTE(review): the dispatchers in this file call ``self.__PipeHandler``,
    while this method is spelled ``pipeHandler``; confirm which name the
    class really exposes before relying on either.
    """
    source = po4.fromchild

    def _encode(raw):
        # generic escaping first, then the XML-specific pass when asked for
        text = escape.escape(raw)
        if xml_output:
            text = self.__fileHandlerXMLencoding(text)
        return text

    while True:
        raw = source.readline()
        if not raw:
            break
        outputf.write(_encode(raw))
def __fileHandler(self, outputf, inputf, xml_output):
    """Copy the contents of the open file ``inputf`` to ``outputf``.

    The file is iterated line by line. Each line is passed through
    ``escape.escape`` and, when ``xml_output`` is true, additionally through
    ``self.__fileHandlerXMLencoding``, so file contents are never written
    unescaped into the report.
    """
    def _encode(token):
        # same two-stage escaping as the pipe handler: generic, then XML
        text = escape.escape(token)
        if xml_output:
            text = self.__fileHandlerXMLencoding(text)
        return text

    for token in inputf:
        outputf.write(_encode(token))
def title():
    """Flask view: fetch the <title> of the page at ``?url=`` and return it as JSON.

    Query parameters:
        url    - page to fetch (required; a missing value raises KeyError,
                 which the catch-all turns into an error response).
        escape - escaping mode passed as the second argument to ``escape``;
                 defaults to "".

    Response: ``{"error": false, "title": <escaped title>}`` on success, or
    ``{"error": true, "error_message": str(exc), "error_cause": <class name>}``
    for any exception raised while fetching, escaping or serialising.

    Security notes (review):
      * ``url`` is attacker-controlled and handed straight to
        ``fetch_url_title``. Unless that helper restricts schemes and
        destination hosts (loopback, link-local/metadata, RFC 1918 ranges,
        and the same after redirects), this endpoint is a server-side
        request forgery (SSRF) primitive.
      * The error branch echoes ``str(exc)`` and the exception class name to
        the client, which can leak internal hostnames, paths or library
        details. Log the exception server-side and return a generic message.
      * The title is only as safe as ``escape`` makes it for ``mode``; an
        unrecognised mode must not silently mean "no escaping".
    """
    mode = request.args.get("escape", "")
    try:
        page_title = escape(fetch_url_title(request.args["url"]), mode)
        return jsonify({"error": False, "title": page_title})
    except Exception as exc:
        # catch-all so the endpoint always answers with JSON
        return jsonify({
            "error": True,
            "error_message": str(exc),
            "error_cause": exc.__class__.__name__,
        })
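def __defaultTextHandler(self, outputf, name, value):
    """Write ``value`` to ``outputf`` in the plain-text (non-XML) format.

    Dispatch is on the runtime type of ``value``:
      * dict            - keys are emitted in sorted order, each via __XMLvalue
      * list            - expected to contain (name, value) pairs, each via __XMLvalue
      * types.FileType  - streamed through __FileHandler with xml_output=False
      * popen2.Popen4   - streamed through __PipeHandler with xml_output=False
      * anything else   - ``"name: value\\n"`` with the value run through escape.escape

    Fixes relative to the previous revision: the dict branch never assigned
    ``attrs`` (``attrs. value.keys()`` was an attribute access, so the sort
    that followed raised NameError), the dict type was spelled
    ``types.dictType`` (no such attribute), and the fallback formatted an
    undefined ``val`` instead of ``value``.

    NOTE(review): ``name`` is written unescaped in the fallback line, and the
    dict/list branches delegate to the XML emitter even in text mode - both
    were already so and are left unchanged here; confirm they are intended.
    """
    if isinstance(value, dict):
        # sorted keys give deterministic output order
        for key in sorted(value):
            self.__XMLvalue(outputf, key, value[key])
    elif isinstance(value, list):
        for listname, listval in value:
            self.__XMLvalue(outputf, listname, listval)
    elif isinstance(value, types.FileType):
        self.__FileHandler(outputf, value, xml_output=False)
    elif isinstance(value, popen2.Popen4):
        self.__PipeHandler(outputf, value, xml_output=False)
    else:
        outputf.write("%s: %s\n" % (name, escape.escape(str(value))))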
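def __XMLvalue(self, outputf, name, value):
    """Write ``value`` to ``outputf`` as an XML element named ``name``.

    Dispatch is on the runtime type of ``value``:
      * types.FileType / popen2.Popen4 - wrapped in <name>...</name> and streamed
        through __FileHandler / __PipeHandler with xml_output=True
      * list - wrapped in <name>...</name>; each (listname, listval) pair is
        emitted recursively through __XMLvalue
      * dict - wrapped in <name>...</name>; each key emitted recursively
      * anything else - one indented ``<name>text</name>`` line, where text is
        ``str(value)`` passed through escape.escape and then escape.xml_encode

    Fixes relative to the previous revision: ``types.fileType`` (no such
    attribute) is now ``types.FileType``; the list branch iterated an
    undefined ``val`` and called ``__XMLopenTag`` with three arguments where
    the sibling text handler recurses into ``__XMLvalue``; the fallback write
    had a missing comma, an unbalanced parenthesis and used ``val`` for
    ``value``.

    NOTE(review): ``name`` is interpolated into the tag without escaping, so
    only trusted, XML-name-safe keys may reach this method. Dict keys are
    emitted in dictionary order here but sorted in __defaultTextHandler.
    """
    if isinstance(value, types.FileType):
        self.__XMLopenTag(outputf, name)
        self.__FileHandler(outputf, value, xml_output=True)
        self.__XMLclosetag(outputf, name)
    elif isinstance(value, popen2.Popen4):
        self.__XMLopenTag(outputf, name)
        self.__PipeHandler(outputf, value, xml_output=True)
        self.__XMLclosetag(outputf, name)
    elif isinstance(value, list):
        self.__XMLopenTag(outputf, name)
        for listname, listval in value:
            self.__XMLvalue(outputf, listname, listval)
        self.__XMLclosetag(outputf, name)
    elif isinstance(value, dict):
        self.__XMLopenTag(outputf, name)
        for ids in value:
            self.__XMLvalue(outputf, ids, value[ids])
        self.__XMLclosetag(outputf, name)
    else:
        prefix = ' ' * self.__indentation
        # escape first, then make the result safe as XML character data
        text = escape.xml_encode(escape.escape(str(value)))
        outputf.write("%s<%s>%s</%s>\n" % (prefix, name, text, name))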
def bfs(belt, choice_tree):
    """Breadth-first search of ``choice_tree`` for the shortest solution to ``belt``.

    Nodes are taken from a FIFO ``Queue`` (``eq``/``dq``), each node's
    children are built lazily on first visit, and ``escape(node.data, belt)``
    is consulted: ``True`` means ``node.data`` is a solution and is returned,
    ``False`` prunes the subtree (``node.prune()``), anything else leaves it
    unexplored-but-kept. Children still present after that step are enqueued.
    Nodes whose ``data`` was already visited are skipped. If the search ends
    in an AssertionError a message is printed and None is returned.
    """
    seen = set()
    frontier = Queue()
    frontier.eq(choice_tree)
    try:
        while frontier:
            node = frontier.dq()
            if node.data in seen:
                continue
            seen.add(node.data)
            node.build_children()  # children are built lazily, on first visit
            verdict = escape(node.data, belt)
            # three-valued result: True / False / other - keep == comparisons
            if verdict == True:
                return node.data
            if verdict == False:
                node.prune()
            for child in node.children:
                frontier.eq(child)
    except AssertionError:
        print('Choice tree was not able to find a solution.')
def flatten_tagattribute(attribute):
    """Render one tag attribute as ``name="value"``.

    The flattened value is escaped with ``quote=True`` because it is emitted
    between double quotes; if ``escape`` is ``cgi.escape`` that does not touch
    single quotes, which is only safe because the delimiter here is ``"``.
    The attribute name is written verbatim and must therefore come from
    trusted code, never from user input.
    """
    escaped_value = escape(flatten(attribute.value), quote=True)
    return '%s="%s"' % (attribute.name, escaped_value)
def flatten_child(child):
    """Flatten one child node into markup text.

    Plain ``str`` children are treated as untrusted text and HTML-escaped
    (``quote=False``: quotes need no escaping in element content). Anything
    else is handed to ``flatten`` unescaped on the assumption that it is a
    node object. NOTE(review): the check is an exact ``type(...) == str``, so
    ``str`` subclasses and (on Python 2) ``unicode`` values bypass the escape
    and reach ``flatten`` as-is - confirm that path escapes them.
    """
    if type(child) is not str:
        return flatten(child)
    # escape htmlchars only in strings
    return escape(child, quote=False)
def test_typed_content(self):
    """Test rendering and normalization of typed content by escapers.

    ``data`` holds one untyped string followed by one value of each
    ``content.Safe*`` type. ``tests`` pairs a template - whose ``{{.}}`` sits
    in a particular HTML/CSS/JS/URL context - with the seven strings those
    values must render to in that context. Only the text produced for
    ``{{.}}`` is compared: the literal text on either side of the placeholder
    is sliced off the rendered output before the assertion.

    NOTE(review): several expectation literals below are not valid Python as
    shown (an unescaped ``'`` inside a single-quoted string). The pattern -
    ``&amp;tc`` surviving where ``O'Reilly`` and ``&bar;`` did not - suggests
    HTML entities in the expected strings were decoded once by whatever
    rendered this page; verify against the repository copy before editing.
    """
    data = (
        '<b> "foo%" O\'Reilly &bar;',
        content.SafeCSS('a[href =~ "//example.com"]#foo'),
        content.SafeHTML('Hello, <b>World</b> &tc!'),
        content.SafeHTMLAttr(' dir="ltr"'),
        content.SafeJS('c && alert("Hello, World!");'),
        content.SafeJSStr('Hello, World & O\'Reilly\\x21'),
        content.SafeURL('greeting=H%69&addressee=(World)'),
    )
    # For each content sensitive escaper, see how it does on
    # each of the typed strings above.
    tests = (
        # CSS contexts: only SafeCSS is accepted, everything else becomes
        # the zSafehtmlz sentinel.
        (
            '<style>{{.}} { color: blue }</style>',
            (
                'zSafehtmlz',
                # Allowed but not escaped.
                'a[href =~ "//example.com"]#foo',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
            ),
        ),
        (
            '<div style="{{.}}">',
            (
                'zSafehtmlz',
                # Allowed and HTML escaped.
                'a[href =~ "//example.com"]#foo',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
            ),
        ),
        # HTML text context.
        (
            '{{.}}',
            (
                '<b> "foo%" O'Reilly &bar;',
                'a[href =~ "//example.com"]#foo',
                # Not escaped.
                'Hello, <b>World</b> &tc!',
                ' dir="ltr"',
                'c && alert("Hello, World!");',
                r'Hello, World & O'Reilly\x21',
                'greeting=H%69&addressee=(World)',
            ),
        ),
        # Tag context: only SafeHTMLAttr may contribute attributes.
        (
            '<a{{.}}>',
            (
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
                # Allowed and HTML escaped.
                ' dir="ltr"',
                'zSafehtmlz',
                'zSafehtmlz',
                'zSafehtmlz',
            ),
        ),
        # Unquoted attribute value: the escaper adds the quotes itself.
        (
            '<a title={{.}}>',
            (
                '"<b> "foo%" O'Reilly &bar;"',
                '"a[href =~ "//example.com"]#foo"',
                # Tags stripped, spaces escaped, entity not re-escaped.
                '"Hello, World &tc!"',
                '" dir="ltr""',
                '"c && alert("Hello, World!");"',
                r'"Hello, World & O'Reilly\x21"',
                '"greeting=H%69&addressee=(World)"',
            ),
        ),
        (
            "<a title='{{.}}'>",
            (
                '<b> "foo%" O'Reilly &bar;',
                'a[href =~ "//example.com"]#foo',
                # Tags stripped, entity not re-escaped.
                'Hello, World &tc!',
                ' dir="ltr"',
                'c && alert("Hello, World!");',
                r'Hello, World & O'Reilly\x21',
                'greeting=H%69&addressee=(World)',
            ),
        ),
        (
            '<textarea>{{.}}</textarea>',
            (
                '<b> "foo%" O'Reilly &bar;',
                'a[href =~ "//example.com"]#foo',
                # Angle brackets escaped to prevent injection of close
                # tags, entity not re-escaped.
                'Hello, <b>World</b> &tc!',
                ' dir="ltr"',
                'c && alert("Hello, World!");',
                r'Hello, World & O'Reilly\x21',
                'greeting=H%69&addressee=(World)',
            ),
        ),
        # JS expression context: values become JS string literals, except
        # SafeJS which is emitted as code.
        (
            '<script>alert({{.}})</script>',
            (
                '"\\x3cb\\x3e \\"foo%\\" O\'Reilly &bar;"',
                r'"a[href =~ \"//example.com\"]#foo"',
                r'"Hello, \x3cb\x3eWorld\x3c/b\x3e &tc!"',
                r'" dir=\"ltr\""',
                # Not escaped.
                'c && alert("Hello, World!");',
                # Escape sequence not over-escaped.
                '"Hello, World \\x26 O\\x27Reilly\\x21"',
                '"greeting=H%69&addressee=(World)"',
            ),
        ),
        # Same JS context, but inside an HTML attribute.
        (
            '<button onclick="alert({{.}})">',
            (
                (r'"\x3cb\x3e \"foo%\"'
                 r' O'Reilly &bar;"'),
                r'"a[href =~ \"//example.com\"]#foo"',
                r'"Hello, \x3cb\x3eWorld\x3c/b\x3e &amp;tc!"',
                r'" dir=\"ltr\""',
                # Not JS escaped but HTML escaped.
                r'c && alert("Hello, World!");',
                # Escape sequence not over-escaped.
                r'"Hello, World \x26 O\x27Reilly\x21"',
                r'"greeting=H%69&addressee=(World)"',
            ),
        ),
        # JS string-literal context.
        (
            '<script>alert("{{.}}")</script>',
            (
                r'\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;',
                r'a[href \x3d~ \x22\/\/example.com\x22]#foo',
                r'Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!',
                r' dir\x3d\x22ltr\x22',
                r'c \x26\x26 alert(\x22Hello, World!\x22);',
                # Escape sequence not over-escaped.
                r'Hello, World \x26 O\x27Reilly\x21',
                r'greeting\x3dH%69\x26addressee\x3d(World)',
            ),
        ),
        (
            '<button onclick=\'alert("{{.}}")\'>',
            (
                r'\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;',
                r'a[href \x3d~ \x22\/\/example.com\x22]#foo',
                r'Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!',
                r' dir\x3d\x22ltr\x22',
                r'c \x26\x26 alert(\x22Hello, World!\x22);',
                # Escape sequence not over-escaped.
                r'Hello, World \x26 O\x27Reilly\x21',
                r'greeting\x3dH%69\x26addressee\x3d(World)',
            ),
        ),
        # URL query contexts: percent-encoding; SafeURL is normalised, not
        # re-encoded.
        (
            '<a href="?q={{.}}">',
            (
                '%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b',
                'a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo',
                'Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21',
                '%20dir%3d%22ltr%22',
                'c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b',
                'Hello%2c%20World%20%26%20O%27Reilly%5cx21',
                # Quotes and parens are escaped but %69 is not over-escaped.
                # HTML escaping is done.
                'greeting=H%69&addressee=%28World%29',
            ),
        ),
        (
            "<style>body { background: url('?img={{.}}') }</style>",
            (
                '%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b',
                'a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo',
                'Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21',
                '%20dir%3d%22ltr%22',
                'c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b',
                'Hello%2c%20World%20%26%20O%27Reilly%5cx21',
                # Quotes and parens are escaped but %69 is not over-escaped.
                # HTML escaping is not done.
                'greeting=H%69&addressee=%28World%29',
            ),
        ),
    )
    for tmpl_code, want_arr in tests:
        env = template.parse_templates('test', tmpl_code, 'main')
        # run the contextual autoescaper over the parsed template set
        escape.escape(env.templates, ('main',))
        # pre/post are the lengths of the literal text before and after
        # the '{{.}}' placeholder (5 characters) in the template source
        pre = tmpl_code.find('{{.}}')
        post = len(tmpl_code) - (pre + 5)
        for i in xrange(0, len(data)):
            datum, want = data[i], want_arr[i]
            rendered = env.with_data(datum).sexecute('main')
            # got is just the portion of the template that does
            # not correspond to a literal text node in the input template.
            got = rendered[pre:len(rendered)-post]
            self.assertEquals(
                want, got,
                '%s with %r\n\t%r\n!=\n\t%r' % (
                    tmpl_code, datum, want, got))
def test_escape_simple_case():
    """Text with neither backslashes nor single quotes is returned unchanged."""
    plain = "Nothing to escape"
    assert escape(plain) == plain, "Should be 'Nothing to escape'"
def test_escape_backslashes():
    """Every backslash is doubled, wherever it occurs in the string.

    NOTE(review): this suite only exercises backslashes and single quotes;
    double quotes, NUL bytes and newlines are not covered, so passing tests
    are no evidence that ``escape`` output is safe to splice into SQL or a
    shell command - prefer parameterised queries / argument lists for that.
    """
    given = r"Several \backslashes\ to escape"
    wanted = r"Several \\backslashes\\ to escape"
    assert escape(given) == wanted, r"Should be 'Several \\backslashes\\ to escape'"
def test_escape_backslash():
    """A single backslash in the middle of the text is doubled."""
    given = r"Just a \ to escape"
    wanted = r"Just a \\ to escape"
    assert escape(given) == wanted, r"Should be 'Just a \\ to escape'"
def test_escape_single_quotes():
    """Each single quote is prefixed with a backslash, however many there are."""
    given = "Several ' to 'escape'"
    wanted = r"Several \' to \'escape\'"
    assert escape(given) == wanted, r"Should be 'Several \' to \'escape\'"
def test_escape_single_quote():
    """A lone single quote is prefixed with a backslash."""
    given = "Just a ' to escape"
    wanted = r"Just a \' to escape"
    assert escape(given) == wanted, r"Should be 'Just a \' to escape'"
def _tmpls_from_stdin():
    """Read a template set from stdin, autoescape it and print the rendered 'main'.

    Stdin is read in full and decoded as UTF-8, parsed under the name '-',
    passed through ``escape.escape`` (the contextual autoescaper) with 'main'
    as the entry point, and the result of executing 'main' is printed.
    Intended for manual experiments; it renders with no data bound.
    """
    source = sys.stdin.read().decode('UTF-8')
    env = template.parse_templates('-', source, 'main')
    escape.escape(env.templates, ('main',))
    print(env.sexecute('main'))