def test_can_clean_list(self):
    """A list input is escaped element by element and stays a list.

    The expected values show the contract: angle brackets and both quote
    styles are entity-encoded, so markup in the input is inert on output.
    """
    raw_markup = '<img """><script>alert(\'hey\')</script>">'
    escaped_markup = '<img """><script>alert('hey')</script>">'
    payload = [raw_markup, raw_markup]
    self.assertEqual(clean_request_input(payload), [escaped_markup, escaped_markup])
def input(self, name, default=False, clean=True):
    """Get a specific input value.

    Arguments:
        name {string} -- Key of the input data. A dotted name ("a.b")
            addresses a nested value when the top-level entry is a dict;
            otherwise the dotted name is rewritten with the "{1}[{.}]"
            template before the flat lookup.

    Keyword Arguments:
        default {string} -- Default value if input does not exist (default: {False})
        clean {bool} -- Whether or not the return value should be cleaned (default: {True})

    Returns:
        string
    """
    if '.' in name:
        top_level = name.partition('.')[0]
        if isinstance(self.request_variables.get(top_level), dict):
            # NOTE(review): the nested value is returned as-is, without
            # going through clean_request_input, so `clean` has no effect
            # on this path; it relies on values having been cleaned when
            # they were stored (see _set_standardized_request_variables).
            nested = DictDot().dot(name, self.request_variables)
            if nested:
                return nested
            # A falsy nested value (None, 0, '', False) is not returned;
            # the lookup below then runs with the unmodified dotted name
            # and will normally resolve to `default`.
        else:
            # Presumably maps "a.b" onto the "a[b]" key form of flat input.
            name = dot(name, "{1}[{.}]")
    return clean_request_input(self.request_variables.get(name, default), clean=clean)
def test_can_clean_dictionary(self):
    """A dict input keeps its keys while each value is entity-escaped."""
    raw_markup = '<img """><script>alert(\'hey\')</script>">'
    escaped_markup = '<img """><script>alert('hey')</script>">'
    result = clean_request_input({'key': raw_markup})
    self.assertEqual(result, {'key': escaped_markup})
def all(self, internal_variables=True, clean=True):
    """Get all the input data.

    Keyword Arguments:
        internal_variables {bool} -- Get the internal framework variables as well (default: {True})
        clean {bool} -- Whether or not the return value should be cleaned (default: {True})

    Returns:
        dict
    """
    variables = self.request_variables
    if not internal_variables:
        # Framework-internal entries are identified by a '__' key prefix;
        # build a fresh dict so the stored variables are never mutated.
        variables = {
            key: value
            for key, value in variables.items()
            if not key.startswith('__')
        }
    return clean_request_input(variables, clean=clean)
def test_can_clean_multiple_dictionary(self):
    """Nested dicts of non-string values pass through unchanged.

    Booleans carry nothing to escape, so the cleaned structure must be
    equal to the input, including the nested dict.
    """
    nested_flags = {
        "ocultar": False,
        "visao_geral": True,
        "extrato": True,
    }
    payload = {"conta_corrente": nested_flags}
    assert clean_request_input(payload) == {"conta_corrente": dict(nested_flags)}
def _set_standardized_request_variables(self, variables):
    """The input data is not perfect so we have to standardize it into a dictionary.

    Arguments:
        variables {string|dict} -- A query string (parsed with parse_qsl)
            or a mapping of raw input names to values.

    Every value is normalized via _get_standardized_value and then escaped
    with clean_request_input before it is stored on self.request_variables;
    any '[]' in the key is removed. A TypeError raised anywhere in the loop
    resets request_variables to an empty dict.
    """
    if isinstance(variables, str):
        variables = dict(parse_qsl(variables))
    try:
        for raw_name in variables.keys():
            standardized = self._get_standardized_value(variables[raw_name])
            # Escaping happens at ingest, so later readers of
            # request_variables receive already-cleaned values.
            cleaned = clean_request_input(standardized)
            self.request_variables[raw_name.replace('[]', '')] = cleaned
    except TypeError:
        # NOTE(review): this discards every entry stored so far, including
        # keys processed before the failing one. An object without .keys()
        # raises AttributeError rather than TypeError and is not caught here.
        self.request_variables = {}
def test_can_clean_string(self):
    """A bare string is entity-escaped: <, >, " and ' all become entities."""
    raw_markup = '<img """><script>alert(\'hey\')</script>">'
    expected = '<img """><script>alert('hey')</script>">'
    self.assertEqual(clean_request_input(raw_markup), expected)
def test_does_not_clean_field_storage_objects(self):
    """A FieldStorage-like object is returned untouched, not escaped.

    NOTE(review): a second test with this same name appears later in the
    listing; in one class the later definition shadows this one.
    """
    storage = FieldStorageTest()
    cleaned = clean_request_input(storage)
    self.assertEqual(cleaned, storage)
def test_does_not_clean_bytes_objects_with_dicts(self):
    """Bytes values inside a dict are left as-is; only text is escaped."""
    raw_bytes = b'test'
    payload = {'x': raw_bytes}
    self.assertEqual(clean_request_input(payload), {'x': raw_bytes})
def test_does_not_clean_bytes_objects(self):
    """Bytes elements of a list are left as-is; only text is escaped."""
    raw_bytes = b'test'
    payload = [raw_bytes] * 2
    self.assertEqual(clean_request_input(payload), [raw_bytes, raw_bytes])
def test_does_not_clean_field_storage_objects(self):
    """A FieldStorage-like object is returned untouched, not escaped.

    NOTE(review): this duplicates the name of an earlier test in the
    listing; in one class this later definition is the one that runs.
    """
    storage = FieldStorageTest()
    cleaned = clean_request_input(storage)
    assert cleaned == storage