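    def test_it(self):
        """
        Make sure some common XSS vectors are filtered.

        Each case pairs an HTML input with a substring that must be absent
        from the output of ``CKEditorField().clean()`` for that input. The
        check is a plain substring test (``assertNotIn`` on ``str``), so it
        is case-sensitive: the expected-absent marker has to match the
        casing the cleaner actually emits.
        """

        test_cases = [
            ('<script>1', '<script>'),
            ('<a onclick="a">asdf</a>', 'onclick'),
            ("<IMG SRC=JaVaScRiPt:alert('XSS')>", 'XSS'),
            ('<div style="background: url("asdf");"></div>', 'url'),
            ('<a href="javascript:foo"></a>', 'javascript'),
            ('<link rel=stylesheet href=http://asdf>', '<link'),
            ('<meta HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(1);">',
             '<meta'),
            ('<TABLE BACKGROUND="javascript:alert(1)">', 'javascript:'),
            (r"<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\"></div>",
             'background-image'),
            ('<p style="margin-left: expression(alert(1))">foo</p>',
             'margin-left'),
            ('<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(1);+ADw-/SCRIPT+AD4-',
             '<meta'),
            ('<style>foo</style>', '<style'),
            ('<p style="-moz-binding: url("http://example.com")">asdf</p>',
             '-moz-binding'),
            ('<!--<script></script>-->', '<script>'),
            ('<img """><script>alert("xss")</script>">', '<script'),
            ('<img src= onmouseover="alert(1)">', ' onmouseover'),
            ('<html xmlns:xss><?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"><xss:xss>ss</xss:xss></html>',
             '<?import'),
            ('<!--[if gte IE 4]><script>alert(1);</script><![endif]-->',
             '<script>'),
        ]

        for html, must_not_occur in test_cases:
            # subTest keeps the loop running after a failure, so one
            # unfiltered payload does not hide the results for the others
            # and the failure report names the exact case that got through.
            with self.subTest(html=html, must_not_occur=must_not_occur):
                cleaned = CKEditorField().clean(html)
                self.assertNotIn(must_not_occur, cleaned)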
class HtmlForm(forms.ModelForm):
    """ModelForm whose ``content`` field is a ``CKEditorField``.

    The field's label is passed through the translation function ``_``;
    anything else about the form (its ``Meta``) is outside this listing.
    """

    content = CKEditorField(label=_("Content"))
class EmailSuccessHandlerBaseForm(forms.ModelForm):
    """ModelForm whose ``content`` field is a ``CKEditorField`` with default options.

    No label or ``required`` override is given here; the form's ``Meta`` is
    outside this listing.
    """
    content = CKEditorField()
class HtmlForm(forms.ModelForm):
    """ModelForm whose optional ``content`` field is a ``CKEditorField``.

    ``required=False`` makes an empty submission valid for this field; the
    label is passed through the translation function ``_``. The form's
    ``Meta`` is outside this listing.
    """

    content = CKEditorField(label=_("Content"), required=False)