def test_clean_html_unsupported_css(self):
email = {"display_images": True, "eid": "abc"}
with mock.patch("inboxen.utils.email.messages") as msg_mock:
returned_body = email_utils._clean_html_body(
None, email, UNSUPPORTED_CSS_BODY, "ascii")
self.assertEqual(msg_mock.info.call_count, 1)
self.assertIsInstance(returned_body, six.text_type)
def test_clean_html_balance_tags_when_closing_tag_missing(self):
email = {"display_images": True, "eid": "abc"}
expected_html = """<a href="/click/?url=https%3A//example.com" target="_blank" rel="noreferrer"></a>"""
# unbalanced tags should be given a closing tag
returned_body = email_utils._clean_html_body(None, email, LONELY_ANCHOR_TAG, "ascii")
self.assertEqual(returned_body, expected_html)
def test_clean_html_no_strip_closing_tags_when_empty(self):
email = {"display_images": True, "eid": "abc"}
expected_html = """<a href="/click/?url=https%3A//example.com" target="_blank" rel="noreferrer"></a>"""
# empty tags should not have their closing tag removed
returned_body = email_utils._clean_html_body(None, email, EMPTY_ANCHOR_TAG, "ascii")
self.assertEqual(returned_body, expected_html)
def test_clean_html_balance_tags_when_closing_tag_missing(self):
email = {"display_images": True, "eid": "abc"}
expected_html = """<a href="/click/?url=https%3A//example.com" target="_blank" rel="noreferrer"></a>"""
# unbalanced tags should be given a closing tag
returned_body = email_utils._clean_html_body(None, email, LONELY_ANCHOR_TAG, "ascii")
self.assertEqual(returned_body, expected_html)
def test_clean_html_no_strip_closing_tags_when_empty(self):
email = {"display_images": True, "eid": "abc"}
expected_html = """<a href="/click/?url=https%3A//example.com" target="_blank" rel="noreferrer"></a>"""
# empty tags should not have their closing tag removed
returned_body = email_utils._clean_html_body(None, email, EMPTY_ANCHOR_TAG, "ascii")
self.assertEqual(returned_body, expected_html)
def test_sneaky_js(self):
# this test explicitly tests against CVE-2020-27783 using the same test data as LXML
email = {"display_images": True, "eid": "abc"}
expected_html = "<div></div>"
text = '<math><style><img src=x onerror=alert(1)></style></math>'
returned_body = email_utils._clean_html_body(None, email, text,
"ascii")
self.assertEqual(returned_body, expected_html)
def test_clean_html_no_body(self):
email = {"display_images": True}
with mock.patch(
"inboxen.utils.email.messages.info",
side_effect=self.failureException("Unexpected message")):
returned_body = email_utils._clean_html_body(
None, email, BODILESS_BODY, "utf-8")
self.assertIn(
'<a href="/click/?url=http%3A//tinyletter.com/asym/confirm%3Fid%3Duuid"',
returned_body)
def test_unknown_tag_get_dropped(self):
email = {"display_images": True, "eid": "abc"}
expected_html = (
"""<div><div><a href="/click/?url=https%3A//example.com" target="_blank" """
"""rel="noreferrer"></a></div></div>""")
text = """<html><body><details style="hi">{}</section></body></html>""".format(
EMPTY_ANCHOR_TAG)
returned_body = email_utils._clean_html_body(None, email, text,
"ascii")
self.assertEqual(returned_body, expected_html)
def test_clean_html_no_charset(self):
email = {"display_images": True}
returned_body = email_utils._clean_html_body(None, email,
CHARSETLESS_BODY, "ascii")
self.assertIsInstance(returned_body, six.text_type)
def test_clean_html_unsupported_css(self):
email = {"display_images": True, "eid": "abc"}
with mock.patch("inboxen.utils.email.messages") as msg_mock:
returned_body = email_utils._clean_html_body(None, email, UNSUPPORTED_CSS_BODY, "ascii")
self.assertEqual(msg_mock.info.call_count, 1)
self.assertIsInstance(returned_body, str)
def test_clean_html_no_charset(self):
email = {"display_images": True}
returned_body = email_utils._clean_html_body(None, email, CHARSETLESS_BODY, "ascii")
self.assertIsInstance(returned_body, str)
def test_clean_html_no_body(self):
email = {"display_images": True}
with mock.patch("inboxen.utils.email.messages.info", side_effect=self.failureException("Unexpected message")):
returned_body = email_utils._clean_html_body(None, email, BODILESS_BODY, "utf-8")
self.assertIn('<a href="/click/?url=http%3A//tinyletter.com/asym/confirm%3Fid%3Duuid"', returned_body)