Ejemplo n.º 1
    def test_html_safety(self):
        """
        Verify that HTML markup is sanitized unless the caller explicitly opts out.
        """
        # a mismatched closing tag is repaired
        self.assertEqual(markup_to_html('<p>Foo</em>', 'html'), '<p>Foo</p>')

        # the <script> element is dropped; only its text content survives
        self.assertEqual(markup_to_html('Foo<script>alert()</script>', 'html'), 'Fooalert()')

        # restricted mode on junky MSWord-like markup: class/style attributes and the span go away
        word_junk = 'Foo<p class="home"><Span style="font-size: 500%">bar</Span></P>'
        self.assertEqual(markup_to_html(word_junk, 'html', restricted=True), 'Foo<p>bar</p>')

        # restricted mode also removes the table markup, keeping the cell text
        table_junk = 'A&nbsp;&nbsp;<p>&nbsp;</p><table cellpadding="10"><tr><td colspan=4>B</td></tr></table>'
        self.assertEqual(markup_to_html(table_junk, 'html', restricted=True), 'A&nbsp;&nbsp;<p>&nbsp;</p>B')

        # html_already_safe=True is an explicit opt-out: the script tag comes back untouched,
        # so that flag is only appropriate for content that was sanitized before it was stored
        raw = 'Foo<script>alert()</script>'
        self.assertEqual(markup_to_html(raw, 'html', html_already_safe=True), raw)

        # PageVersions should be saved only with safe HTML
        course = CourseOffering.objects.get(slug=TEST_COURSE_SLUG)
        editor = Member.objects.get(offering=course, person__userid="ggbaker")

        page = Page(offering=course, label="Test")
        page.save()
        version = PageVersion(page=page, title="T1", wikitext='<em>Some</em> <script>HTML</script>', editor=editor)
        version.set_markup('html')
        version.save()

        # the stored wikitext itself has lost the <script> element
        self.assertEqual(version.wikitext, '<em>Some</em> HTML')
Ejemplo n.º 2
 def html_content(self):
     "Render self.content as HTML in this object's markup language."
     content = self.content
     markup = self.markup()
     # NOTE(review): html_already_safe=True makes markup_to_html return HTML
     # input without stripping <script> (see its html-safety test), so
     # self.content must have been sanitized when it was stored -- confirm
     # against the save path.
     return markup_to_html(content, markup, offering=self.topic.offering, html_already_safe=True, restricted=True)
Ejemplo n.º 3
 def to_html(self, fieldsubmission=None):
     # The explanation used to be stored under 'text_explanation'; since
     # MarkupContentField it lives in 'text_explanation_0', with the markup
     # language read from 'text_explanation_1' (default 'creole').
     # fieldsubmission is accepted but not used here.
     legacy_text = self.config.get('text_explanation', '')
     explanation = self.config.get('text_explanation_0', legacy_text)
     markup = self.config.get('text_explanation_1', 'creole')
     rendered = markup_to_html(explanation, markup)
     # mark_safe wraps a constant template around markup_to_html's output;
     # nothing else should ever be interpolated into it unescaped.
     return mark_safe('<div class="explanation_block">%s</div>' % rendered)
Ejemplo n.º 4
 def test_github_markdown(self):
     """
     Fenced code blocks in markdown should render GitHub-style, keeping the language tag.
     """
     fenced = '```python\ni=1\n```'
     expected = '<pre lang="python"><code>i=1\n</code></pre>'
     self.assertEqual(markup_to_html(fenced, 'markdown'), expected)
Ejemplo n.º 5
 def to_text(self, questionanswer):
     # The "text" representation of a formatted answer is its rendered HTML.
     stored = questionanswer.answer.get('data', FormattedAnswer.default_initial)
     text, markup, math = stored
     if not text:
         # empty or missing answer text: return the placeholder HTML
         return MISSING_ANSWER_HTML
     # The stored math value is unpacked but not forwarded (math=None is
     # passed); restricted=True requests the restricted rendering mode.
     return markup_to_html(text, markup, math=None, restricted=True)
Ejemplo n.º 6
    def test_all_markup_langs(self):
        """
        Equivalent input in each markup language should produce the same SafeText HTML.
        """
        expected = '<p>Paragraph <strong>1</strong> \u2605\U0001F600</p>'
        # insertion order is preserved, so languages are checked in the listed order
        sources = {
            'creole': 'Paragraph **1** \u2605\U0001F600',
            'markdown': 'Paragraph **1** \u2605\U0001F600',
            'html': '<p>Paragraph <strong>1</strong> \u2605\U0001F600',
            'textile': 'Paragraph *1* \u2605\U0001F600',
        }
        for lang, source in sources.items():
            rendered = markup_to_html(source, lang)
            self.assertIsInstance(rendered, SafeText)
            self.assertEqual(rendered.strip(), expected)

        # 'plain' input: angle brackets must come back entity-escaped, not as a tag
        plain = markup_to_html('Paragraph <1> \u2605\U0001F600', 'plain')
        self.assertIsInstance(plain, SafeText)
        self.assertEqual(plain.strip(), '<p>Paragraph &lt;1&gt; \u2605\U0001F600</p>')
Ejemplo n.º 7
    def test_html_safety(self):
        """
        Check HTML sanitization, the html_already_safe opt-out, and PageVersion saving.
        """
        # (input markup, extra keyword arguments, expected output), checked in order
        cases = [
            # mismatched closing tag is repaired
            ('<p>Foo</em>', {}, '<p>Foo</p>'),
            # <script> element is dropped, its text content stays
            ('Foo<script>alert()</script>', {}, 'Fooalert()'),
            # some junky MSWord-like markup
            ('Foo<p class="home"><Span style="font-size: 500%">bar</Span></P>',
             {'restricted': True},
             'Foo<p>bar</p>'),
            ('A&nbsp;&nbsp;<p>&nbsp;</p><table cellpadding="10"><tr><td colspan=4>B</td></tr></table>',
             {'restricted': True},
             'A&nbsp;&nbsp;<p>&nbsp;</p>B'),
            # unsafe if we ask for it: html_already_safe=True returns the script tag as-is,
            # so the flag must be reserved for content sanitized before storage
            ('Foo<script>alert()</script>',
             {'html_already_safe': True},
             'Foo<script>alert()</script>'),
        ]
        for source, options, expected in cases:
            self.assertEqual(markup_to_html(source, 'html', **options), expected)

        # PageVersions should be saved only with safe HTML
        course = CourseOffering.objects.get(slug=TEST_COURSE_SLUG)
        editor = Member.objects.get(offering=course, person__userid="ggbaker")

        page = Page(offering=course, label="Test")
        page.save()
        unsafe_wikitext = '<em>Some</em> <script>HTML</script>'
        version = PageVersion(page=page, title="T1", wikitext=unsafe_wikitext, editor=editor)
        version.set_markup('html')
        version.save()

        self.assertEqual(version.wikitext, '<em>Some</em> HTML')
Ejemplo n.º 8
    def test_all_markup_langs(self):
        """
        Each supported markup language must yield identical SafeText output for the same content.
        """
        want = '<p>Paragraph <strong>1</strong> \u2605\U0001F600</p>'
        for lang, sample in (
            ('creole', 'Paragraph **1** \u2605\U0001F600'),
            ('markdown', 'Paragraph **1** \u2605\U0001F600'),
            ('html', '<p>Paragraph <strong>1</strong> \u2605\U0001F600'),
            ('textile', 'Paragraph *1* \u2605\U0001F600'),
        ):
            got = markup_to_html(sample, lang)
            self.assertIsInstance(got, SafeText)
            self.assertEqual(got.strip(), want)

        # plain text is escaped: "<1>" must come back as entities rather than as markup
        got = markup_to_html('Paragraph <1> \u2605\U0001F600', 'plain')
        self.assertIsInstance(got, SafeText)
        self.assertEqual(got.strip(), '<p>Paragraph &lt;1&gt; \u2605\U0001F600</p>')
Ejemplo n.º 9
 def html_offer_text(self):
     """
     Render this offer's offer_text (creole markup) as HTML.

     The result is cached for 24 hours so the conversion is not repeated on every call.
     """
     key = self.html_cache_key()
     cached = cache.get(key)
     if cached:
         # NOTE(review): mark_safe trusts whatever is stored under this key,
         # so only markup_to_html output should ever be written to it.
         return mark_safe(cached)

     rendered = markup_to_html(self.offer_text(), 'creole')
     # 24-hour timeout; original author's note: "expires on self.save() above"
     cache.set(key, rendered, 24 * 3600)
     return rendered
Ejemplo n.º 10
 def html_offer_text(self):
     """
     Return offer_text converted from creole markup to HTML.

     A cached copy is used when one exists; otherwise the text is converted and cached.
     """
     one_day = 24*3600
     cache_key = self.html_cache_key()
     html = cache.get(cache_key)
     if not html:
         html = markup_to_html(self.offer_text(), 'creole')
         # original author's note: "expires on self.save() above"
         cache.set(cache_key, html, one_day)
         return html
     # NOTE(review): the cached value is re-marked safe without re-checking it;
     # this relies on the cache entry having been written only by this method.
     return mark_safe(html)
Ejemplo n.º 11
    def html_contents(self, offering=None):
        """
        Return this version's wikitext rendered to HTML, after macro substitution.

        The original documentation says the offering argument is only needed when self.page
        isn't set (speculative conversion of unsaved content); this body does not read it.

        The rendered HTML is cached for 24 hours to save frequent conversion.
        """
        cache_key = self.html_cache_key()
        cached = cache.get(cache_key)
        if cached:
            # NOTE(review): the cached value is trusted as-is; only output of this method
            # should ever be stored under this key.
            return mark_safe(cached)

        source = self.substitute_macros(self.get_wikitext())
        # NOTE(review): html_already_safe=True means HTML markup is not re-sanitized here, so
        # safety rests on the wikitext being cleaned at save time and on the macro values
        # substituted above -- confirm both.
        rendered = markup_to_html(source, self.markup(), pageversion=self, html_already_safe=True)
        # original author's note: expired if activities are changed (in signal below), or by
        # saving a PageVersion in this offering
        cache.set(cache_key, rendered, 24*3600)
        return mark_safe(rendered)
Ejemplo n.º 12
 def content_xhtml(self):
     """
     Return the content field rendered to XHTML.
     """
     # function-scope import -- presumably avoids a circular import; TODO confirm
     from courselib.markup import markup_to_html
     # html_already_safe=False is spelled out so the content is not treated as
     # pre-sanitized; restricted=True requests the restricted rendering mode.
     rendered = markup_to_html(self.content, self.markup, html_already_safe=False, restricted=True)
     return rendered
Ejemplo n.º 13
 def html_content(self):
     "Render self.text as HTML in this object's markup language."
     source, lang = self.text, self.markup
     # NOTE(review): restricted=False opts out of the restricted mode that
     # strips attributes and layout tags -- confirm that is intended for the
     # authors who can write this field.
     return markup_to_html(source, lang, restricted=False)
Ejemplo n.º 14
 def review_html(self) -> SafeText:
     """Render the (text, markup, math) triple stored in self.review as HTML."""
     review_text, markup_lang, math_setting = self.review
     rendered = markup_to_html(review_text, markup_lang, math=math_setting)
     return rendered
Ejemplo n.º 15
 def question_html(self) -> SafeText:
     """Render the (text, markup, math) triple stored in self.version.text as HTML."""
     question_text, markup_lang, math_setting = self.version.text
     rendered = markup_to_html(question_text, markup_lang, math=math_setting)
     return rendered
Ejemplo n.º 16
 def marking_html(self) -> SafeText:
     """Render the (text, markup, math) triple stored in self.marking as HTML."""
     marking_text, markup_lang, math_setting = self.marking
     rendered = markup_to_html(marking_text, markup_lang, math=math_setting)
     return rendered
Ejemplo n.º 17
 def honour_code_html(self) -> SafeText:
     """Render the honour code text as HTML using its own markup language and math setting."""
     text = self.honour_code_text
     lang = self.honour_code_markup
     math_setting = self.honour_code_math
     return markup_to_html(text, markuplang=lang, math=math_setting)
Ejemplo n.º 18
 def html_content(self):
     "Return self.content converted to HTML."
     # NOTE(review): with html_already_safe=True, HTML markup is passed through
     # without <script> stripping (per markup_to_html's html-safety test);
     # verify that self.content is sanitized before it is saved.
     rendered = markup_to_html(
         self.content,
         self.markup(),
         offering=self.topic.offering,
         html_already_safe=True,
         restricted=True,
     )
     return rendered
Ejemplo n.º 19
 def html_content(self):
     "Render self.content as HTML in restricted mode."
     source, lang = self.content, self.markup
     # html_already_safe is left at its default here; restricted=True asks for
     # the mode that strips attributes and layout tags.
     return markup_to_html(source, lang, restricted=True)
Ejemplo n.º 20
 def test_github_markdown(self):
     """
     Markdown rendering should follow the GitHub flavour for fenced code blocks.
     """
     source = '```python\ni=1\n```'
     rendered = markup_to_html(source, 'markdown')
     # the fence's language ends up as the lang attribute on <pre>
     self.assertEqual(
         rendered,
         '<pre lang="python"><code>i=1\n</code></pre>',
     )
Ejemplo n.º 21
 def render(self, name, value, attrs=None, renderer=None):
     # Output is the explanation rendered to HTML inside a fixed wrapper div;
     # name, value, attrs and renderer are not read here.
     body = markup_to_html(self.explanation, self.markup)
     # mark_safe is applied to a constant template plus markup_to_html output
     # only -- never interpolate other values here without escaping.
     return mark_safe('<div class="explanation_block">%s</div>' % body)
Ejemplo n.º 22
 def to_html(self, fieldsubmission=None):
     # Before MarkupContentField the contents were kept in text_explanation;
     # now they are in text_explanation_0, so the old key is the fallback.
     # fieldsubmission is accepted but not used here.
     fallback = self.config.get('text_explanation', '')
     explanation = self.config.get('text_explanation_0', fallback)
     # markup language defaults to creole when text_explanation_1 is absent
     markup = self.config.get('text_explanation_1', 'creole')
     template = '<div class="explanation_block">%s</div>'
     # only markup_to_html output goes into the template before mark_safe
     return mark_safe(template % markup_to_html(explanation, markup))
Ejemplo n.º 23
 def render(self, name, value, attrs=None):
     # Renders the explanation as HTML inside a fixed wrapper div; name,
     # value and attrs are not read here.
     template = '<div class="explanation_block">%s</div>'
     # the only interpolated value is markup_to_html output, which is what
     # makes the mark_safe call acceptable
     return mark_safe(template % markup_to_html(self.explanation, self.markup))
Ejemplo n.º 24
 def intro_html(self) -> SafeText:
     """Render self.intro as HTML with this object's markup language and math setting."""
     text = self.intro
     lang = self.markup
     math_setting = self.math
     return markup_to_html(text, markuplang=lang, math=math_setting)
Ejemplo n.º 25
 def html_content(self):
     "Return self.text converted to HTML, without the restricted mode."
     # NOTE(review): restricted=False is explicit; check that the people who
     # can edit this field are meant to have the unrestricted markup set.
     rendered = markup_to_html(self.text, self.markup, restricted=False)
     return rendered
Ejemplo n.º 26
 def html_content(self):
     "Return self.content converted to HTML in restricted mode."
     # restricted=True: the mode that strips attributes and layout tags;
     # html_already_safe is not passed, so its default applies.
     rendered = markup_to_html(self.content, self.markup, restricted=True)
     return rendered