def test_edit_taintedstring(self):
    """manage_edit accepts a TaintedString body and stores its plain text.

    The document starts empty; after editing with a tainted value that
    contains markup, read() must return exactly the text that was given.
    """
    from AccessControl.tainted import TaintedString

    document = self._makeOne()
    self.assertEqual(document.read(), '')

    tainted_body = TaintedString('hello<br/>')
    document.manage_edit(tainted_body, 'title')
    self.assertEqual(document.read(), 'hello<br/>')
def test_newline_to_br_tainted(self):
    """newline_to_br handles a TaintedString input and keeps the <br /> output."""
    from DocumentTemplate import DT_Var
    text = '''\
<li>line one</li>
<li>line two</li>
'''
    from AccessControl.tainted import TaintedString
    tainted = TaintedString(text)
    # NOTE(review): expected literal reproduced as it appears on this page;
    # verify the exact escaping of the <li> tags against newline_to_br.
    self.assertEqual(
        DT_Var.newline_to_br(tainted), '''\
<br />
<li>line one</li><br />
<li>line two</li><br />
''')
def __call__(self, *args, **kw):
    """Call the wrapped method with any TaintedString arguments converted to str.

    Taint is remembered: when at least one argument was tainted and the
    result is a str containing '<', the result is wrapped in a
    TaintedString again so that later output quoting still applies.
    """
    saw_tainted = False

    cleaned_args = []
    for arg in args:
        if isinstance(arg, TaintedString):
            saw_tainted = True
            arg = str(arg)
        cleaned_args.append(arg)

    cleaned_kw = {}
    for key, value in kw.items():
        if isinstance(value, TaintedString):
            saw_tainted = True
            value = str(value)
        cleaned_kw[key] = value

    result = self._method(*cleaned_args, **cleaned_kw)

    # Re-taint only when markup could have survived into a plain str result.
    if saw_tainted and isinstance(result, str) and '<' in result:
        result = TaintedString(result)
    return result
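def test_raise_StandardErrorMessage_TaintedString_errorValue(self):
    """A tainted error_value is HTML-quoted before the error is re-raised.

    standard_error_message is replaced by a callable that itself fails, so
    raise_standardErrorMessage has to fall back to re-raising the original
    error.  The exception that escapes must be the requested error_type and
    its text must no longer contain the raw '<' of the TaintedString.

    The previous form of this test asserted inside a bare ``except:`` block,
    so it passed vacuously when nothing was raised at all; assertRaises
    makes a missing exception a failure.
    """
    from AccessControl.tainted import TaintedString

    class REQUEST(object):
        class RESPONSE(object):
            handle_errors = True

    item = self._makeOne()

    def _raise_during_standard_error_message(*args, **kw):
        raise ZeroDivisionError('testing')
    item.standard_error_message = _raise_during_standard_error_message

    with self.assertRaises(OverflowError) as raised:
        item.raise_standardErrorMessage(
            error_type=OverflowError,
            error_value=TaintedString('<simple>'),
            REQUEST=REQUEST(),
        )
    # str() works on both Python 2 (where .message existed) and Python 3.
    self.assertNotIn('<', str(raised.exception))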
def test_find_text_tainted(self):
    """ZopeFind can search with "tainted" text.

    The publisher wraps request input that looks like HTML (for example a
    tag typed into the Find tab's "containing" field) in TaintedString or
    TaintedBytes.  Searching with either wrapper must still find both
    documents.
    """
    from AccessControl.tainted import TaintedBytes
    from AccessControl.tainted import TaintedString

    findme = 'findme'
    expected_ids = ('doc1', 'doc2')
    for doc_id in expected_ids:
        self.base[doc_id] = DummyItem(doc_id, text=findme)

    search_terms = (TaintedString(findme), TaintedBytes(six.b(findme)))
    for tainted_term in search_terms:
        hits = self.base.ZopeFind(self.base, obj_searchterm=tainted_term)
        self.assertEqual(len(hits), 2)
        self.assertEqual({hit[0] for hit in hits}, set(expected_ids))
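def render(self, md):
    """Render a var tag against the mapping ``md`` and return the result.

    Looks the name up in ``md`` (or evaluates the tag's expression), then
    applies the ``url``, ``null``, ``missing``, ``fmt``, ``size`` and ``etc``
    attributes, the tag's string format ``self.fmt`` and the modifiers in
    ``self.modifiers`` (upper, lower, html_quote, ...).

    Taint handling: a value that is a TaintedString is kept tainted through
    formatting so that the single ``val.quoted()`` call at the end escapes it
    exactly once; the ``html-quote`` format and the ``html_quote`` modifier
    are skipped for tainted values to avoid double quoting.

    Raises KeyError when the name is not in ``md`` and no ``missing``
    attribute was given, and ValueError for a non-integer ``size``.
    """
    args = self.args
    name = self.__name__
    val = self.expr

    if val is None:
        if name in md:
            if 'url' in args:
                val = md.getitem(name, 0)
                val = val.absolute_url()
            else:
                val = md[name]
        else:
            if 'missing' in args:
                return args['missing']
            else:
                raise KeyError(name)
    else:
        val = val.eval(md)
        if 'url' in args:
            val = val.absolute_url()

    # Presumably consumed by the traceback formatter; nothing here reads it.
    __traceback_info__ = name, val, args

    if 'null' in args and not val and val != 0:
        # check for null (false but not zero, including None, [], '')
        return args['null']

    # handle special formats defined using fmt= first
    if 'fmt' in args:
        # An attribute named by the template's fmt= is resolved through the
        # mapping's guarded_getattr when it provides one, else plain getattr.
        _get = getattr(md, 'guarded_getattr', None)
        if _get is None:
            _get = getattr

        fmt = args['fmt']
        if 'null' in args and not val and val != 0:
            # NOTE: this condition is identical to the one that already
            # returned args['null'] above, so this branch is unreachable as
            # written; it is kept for fidelity with the historical code.
            try:
                if hasattr(val, fmt):
                    val = _get(val, fmt)()
                elif fmt in special_formats:
                    if fmt == 'html-quote' and \
                       isinstance(val, TaintedString):
                        # TaintedStrings will be quoted by default, don't
                        # double quote.
                        pass
                    else:
                        val = special_formats[fmt](val, name, md)
                elif fmt == '':
                    val = ''
                else:
                    if isinstance(val, TaintedString):
                        val = TaintedString(fmt % val)
                    else:
                        val = fmt % val
            except Exception:
                # The old handler read sys.exc_type / sys.exc_value, which do
                # not exist on Python 3 and would raise AttributeError inside
                # the handler.  A bare ``raise`` re-raises the original
                # exception with its traceback intact.
                if val is None or not str(val):
                    return args['null']
                raise
        else:
            # We duplicate the code here to avoid exception handler
            # which tends to screw up stack or leak
            if hasattr(val, fmt):
                val = _get(val, fmt)()
            elif fmt in special_formats:
                if (fmt == 'html-quote' and
                        isinstance(val, TaintedString)):
                    # TaintedStrings will be quoted by default, don't
                    # double quote.
                    pass
                else:
                    val = special_formats[fmt](val, name, md)
            elif fmt == '':
                val = ''
            else:
                if isinstance(val, TaintedString):
                    val = TaintedString(fmt % val)
                else:
                    val = fmt % val

    # finally, pump it through the actual string format...
    fmt = self.fmt
    if fmt == 's':
        # Keep tainted strings as tainted strings here.
        if not isinstance(val, TaintedString):
            val = ustr(val)
    else:
        # Keep tainted strings as tainted strings here: %-formatting yields
        # a plain str, so re-wrap it when the result still contains '<'.
        wastainted = 0
        if isinstance(val, TaintedString):
            wastainted = 1
        val = ('%' + self.fmt) % (val, )
        if wastainted and '<' in val:
            val = TaintedString(val)

    # next, look for upper, lower, etc
    for f in self.modifiers:
        if f.__name__ == 'html_quote' and isinstance(val, TaintedString):
            # TaintedStrings will be quoted by default, don't double quote.
            continue
        val = f(val)

    if 'size' in args:
        size = args['size']
        try:
            size = int(size)
        except Exception:
            raise ValueError(
                'a <code>size</code> attribute was used in a '
                '<code>var</code> tag with a non-integer value.')
        if len(val) > size:
            # Truncate, backing up to the last space when it lies in the
            # second half so the cut lands on a word boundary, then append
            # the 'etc' marker (default '...').
            val = val[:size]
            last_space = val.rfind(' ')
            if last_space > size / 2:
                val = val[:last_space + 1]
            if 'etc' in args:
                suffix = args['etc']
            else:
                suffix = '...'
            val = val + suffix

    # Whatever is still tainted gets HTML-escaped exactly once, here.
    if isinstance(val, TaintedString):
        val = val.quoted()

    return val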
def render(self, md):
    """Render a var tag against the mapping ``md`` and return the result.

    Python 2 variant (``has_key``, ``raise T, v``).  Looks the name up in
    ``md`` (or evaluates the tag's expression), then applies the ``url``,
    ``null``, ``missing``, ``fmt``, ``size`` and ``etc`` attributes, the
    tag's string format ``self.fmt`` and the modifiers in ``self.modifiers``.

    Taint handling: a TaintedString value is kept tainted through formatting
    so that the single ``val.quoted()`` call at the end escapes it exactly
    once; the ``html-quote`` format and the ``html_quote`` modifier are
    skipped for tainted values to avoid double quoting.

    Raises KeyError when the name is not in ``md`` and no ``missing``
    attribute was given, and ValueError for a non-integer ``size``.
    """
    args=self.args
    have_arg=args.has_key
    name=self.__name__
    val=self.expr

    if val is None:
        if md.has_key(name):
            if have_arg('url'):
                val=md.getitem(name,0)
                val=val.absolute_url()
            else:
                val = md[name]
        else:
            if have_arg('missing'):
                return args['missing']
            else:
                raise KeyError, name
    else:
        val=val.eval(md)
        if have_arg('url'):
            val=val.absolute_url()

    # Presumably consumed by the traceback formatter; nothing here reads it.
    __traceback_info__=name, val, args

    if have_arg('null') and not val and val != 0:
        # check for null (false but not zero, including None, [], '')
        return args['null']

    # handle special formats defined using fmt= first
    if have_arg('fmt'):
        # An attribute named by the template's fmt= is resolved through the
        # mapping's guarded_getattr when it provides one, else plain getattr.
        _get = getattr(md, 'guarded_getattr', None)
        if _get is None:
            _get = getattr

        fmt=args['fmt']
        if have_arg('null') and not val and val != 0:
            # NOTE: this condition is identical to the one that already
            # returned args['null'] above, so this branch is unreachable as
            # written.
            try:
                if hasattr(val, fmt):
                    val = _get(val, fmt)()
                elif special_formats.has_key(fmt):
                    if fmt == 'html-quote' and \
                       isinstance(val, TaintedString):
                        # TaintedStrings will be quoted by default, don't
                        # double quote.
                        pass
                    else:
                        val = special_formats[fmt](val, name, md)
                elif fmt=='':
                    val=''
                else:
                    if isinstance(val, TaintedString):
                        val = TaintedString(fmt % val)
                    else:
                        val = fmt % val
            except:
                # Python 2 only: sys.exc_type / sys.exc_value are gone in
                # Python 3; exc_info() is preferred when available.
                t, v= sys.exc_type, sys.exc_value
                if hasattr(sys, 'exc_info'):
                    t, v = sys.exc_info()[:2]
                if val is None or not str(val):
                    return args['null']
                raise t, v
        else:
            # We duplicate the code here to avoid exception handler
            # which tends to screw up stack or leak
            if hasattr(val, fmt):
                val = _get(val, fmt)()
            elif special_formats.has_key(fmt):
                if fmt == 'html-quote' and \
                   isinstance(val, TaintedString):
                    # TaintedStrings will be quoted by default, don't
                    # double quote.
                    pass
                else:
                    val = special_formats[fmt](val, name, md)
            elif fmt=='':
                val=''
            else:
                if isinstance(val, TaintedString):
                    val = TaintedString(fmt % val)
                else:
                    val = fmt % val

    # finally, pump it through the actual string format...
    fmt=self.fmt
    if fmt=='s':
        # Keep tainted strings as tainted strings here.
        if not isinstance(val, TaintedString):
            val=ustr(val)
    else:
        # Keep tainted strings as tainted strings here: %-formatting yields
        # a plain str, so re-wrap it when the result still contains '<'.
        wastainted = 0
        if isinstance(val, TaintedString):
            wastainted = 1
        val = ('%'+self.fmt) % (val,)
        if wastainted and '<' in val:
            val = TaintedString(val)

    # next, look for upper, lower, etc
    for f in self.modifiers:
        if f.__name__ == 'html_quote' and isinstance(val, TaintedString):
            # TaintedStrings will be quoted by default, don't double quote.
            continue
        val=f(val)

    if have_arg('size'):
        size=args['size']
        try:
            size=int(size)
        except:
            raise ValueError,(
                '''a <code>size</code> attribute was used in a <code>var</code> tag with a non-integer value.''')
        if len(val) > size:
            # Truncate, backing up to the last space when it lies in the
            # second half so the cut lands on a word boundary, then append
            # the 'etc' marker (default '...').
            val=val[:size]
            l=val.rfind(' ')
            if l > size/2:
                val=val[:l+1]
            if have_arg('etc'):
                l=args['etc']
            else:
                l='...'
            val=val+l

    # Whatever is still tainted gets HTML-escaped exactly once, here.
    if isinstance(val, TaintedString):
        val = val.quoted()

    return val