Exemple #1
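 def test_render_no_xss(self):
     """Raw HTML in the input must not come out of ``render`` as markup.

     The input carries a ``<script>`` and an ``<a>`` element; with
     substitutions switched off, the rendered paragraph may not contain a
     single ``<`` between its ``<p>``/``</p>`` wrapper.
     """
     from adhocracy.lib.text import render
     source = '<script>XSS</script><a></a>'
     result = render(source, substitutions=False)
     # assertEqual instead of the deprecated assertEquals alias.
     self.assertEqual(result[:3], '<p>')
     self.assertEqual(result[-4:], '</p>')
     # Drop the 3-character opener and 4-character closer, then require
     # that nothing inside can open an element.
     # NOTE(review): a missing '<' only rules out new elements in
     # body-text context; it says nothing about attribute contexts.
     core_result = result[3:-4]
     self.assertTrue(u'<' not in core_result)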
Exemple #2
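 def test_render_no_xss(self):
     """Check that tags in the input never reach the output as markup."""
     from adhocracy.lib.text import render
     rendered = render('<script>XSS</script><a></a>', substitutions=False)
     # The output must be wrapped in exactly one paragraph element;
     # assertEqual replaces the deprecated assertEquals alias.
     self.assertEqual(rendered[:3], '<p>')
     self.assertEqual(rendered[-4:], '</p>')
     # Whatever sits between the wrapper tags must be free of '<', i.e.
     # neither the <script> nor the <a> element may survive as a tag.
     inner = rendered[3:-4]
     self.assertTrue(u'<' not in inner)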
Exemple #3
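 def text(self):
     """Render the text of ``self.event`` with ``adhocracy.lib.text.render``.

     An ``AttributeError`` raised while the text is produced or rendered is
     logged together with its traceback and not propagated.
     """
     text = None
     try:
         if self.event:
             from adhocracy.lib.text import render
             text = render(self.event.text(self))
     except AttributeError:
         # log.exception() already attaches the active exception. The
         # original passed it as an extra positional argument with no
         # placeholder in the message, which makes the logging call itself
         # fail while formatting the record.
         log.exception("Creating event text")
     # NOTE(review): no return statement is visible in this excerpt, so the
     # rendered text is discarded as shown - confirm against the full source.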
Exemple #4
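 def test_render_no_xss_substitutions(self):
     """A user mention must not smuggle markup into the rendered output.

     The mention ``@<foo>`` is rendered with substitutions enabled; the
     result between the paragraph tags may not contain any ``<``.
     """
     from adhocracy.lib.text import render
     # presumably creates a test user whose name is '<foo>' - confirm
     # against the tt_make_user helper.
     tt_make_user('<foo>')
     source = '@<foo>'
     result = render(source, substitutions=True)
     # assertEqual instead of the deprecated assertEquals alias.
     self.assertEqual(result[:3], '<p>')
     self.assertEqual(result[-4:], '</p>')
     # NOTE(review): this also rejects a legitimately generated user link,
     # so it only passes if no substitution markup is emitted for '@<foo>'.
     core_result = result[3:-4]
     self.assertTrue(u'<' not in core_result)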
Exemple #5
 def test_html_sanitizing(self):
     """User HTML is sanitized: active content goes, ``<iframe>`` stays."""
     from adhocracy.lib.text import render
     result = render(SANITIZE_TEST_STRING,
                     _testing_allow_user_html=True,
                     safe_mode='adhocracy_config')
     # Case-sensitive substring checks against the rendered output.
     for forbidden in ('<script', '<object', '<embed', 'javascript'):
         self.assertTrue(forbidden not in result)
     # NOTE(review): only the presence of an <iframe> is asserted; which
     # src values are acceptable is not pinned down by this test.
     self.assertTrue('<iframe' in result)
Exemple #6
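 def test_render_no_xss_substitutions(self):
     """Rendering the mention ``@<foo>`` must not emit any markup."""
     from adhocracy.lib.text import render
     tt_make_user('<foo>')
     rendered = render('@<foo>', substitutions=True)
     # The whole output has to be one paragraph; assertEqual replaces the
     # deprecated assertEquals alias.
     self.assertEqual(rendered[:3], '<p>')
     self.assertEqual(rendered[-4:], '</p>')
     # Inside the wrapper the angle bracket from the user name must not
     # appear unescaped.
     inner = rendered[3:-4]
     self.assertTrue(u'<' not in inner)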
Exemple #7
 def test_html_sanitizing(self):
     """Render SANITIZE_TEST_STRING and check what the sanitizer lets through."""
     from adhocracy.lib.text import render
     options = {
         'safe_mode': 'adhocracy_config',
         '_testing_allow_user_html': True,
     }
     result = render(SANITIZE_TEST_STRING, **options)
     # None of these fragments may be left in the output.
     rejected = ('<script', '<object', '<embed', 'javascript')
     for fragment in rejected:
         self.assertTrue(fragment not in result)
     # An iframe is the one embedding element expected to be kept.
     self.assertTrue('<iframe' in result)
Exemple #8
 def test_html_sanitizing(self):
     """Sanitizing user HTML removes script vectors but keeps the iframe.

     The input mixes a harmless heading with ``<script>``, ``<object>``,
     ``<embed>``, a link using ``javascript:`` in ``href`` and ``onclick``,
     and a YouTube-style ``<iframe>``.
     """
     from adhocracy.lib.text import render
     source = (
         '<h1>Hello</h1><script>XSS</script>'
         '<object>include_dangerous</object>'
         '<embed>include_dangerous</embed>'
         '<a href="javascript:bar()" onclick="javascript: alert(\'foo\')">lala</a>'
         '<iframe class="youtube-player" type="text/html" width="640" height="385"'
         ' src="http://www.youtube.com/embed/foo" frameborder="0">'
         '</iframe>'
     )
     result = render(source,
                     _testing_allow_user_html=True,
                     safe_mode='adhocracy_config')
     # NOTE(review): the onclick handler is only covered because its value
     # happens to contain 'javascript'; an explicit check that no on*
     # attribute survives would state the intent directly.
     for fragment in ('<script', '<object', '<embed', 'javascript'):
         self.assertTrue(fragment not in result)
     # NOTE(review): only the presence of the iframe is asserted, not that
     # its src is limited to an expected host.
     self.assertTrue('<iframe' in result)
Exemple #9
 def test_render_user_substitution(self):
     """With substitutions on, ``@pudo`` yields a reference to /user/pudo."""
     from adhocracy.lib.text import render
     tt_make_user('pudo')
     rendered = render('@pudo', substitutions=True)
     # The trailing double quote ties the match to the end of an attribute
     # value rather than to a longer path.
     self.assertTrue(u'/user/pudo"' in rendered)
Exemple #10
 def test_render_no_substitution(self):
     """With substitutions off, ``@pudo`` stays plain text in a paragraph."""
     from adhocracy.lib.text import render
     # The user exists, so an untouched mention proves the flag is honoured.
     tt_make_user('pudo')
     rendered = render('@pudo', substitutions=False)
     self.assertEqual(rendered, u'<p>@pudo</p>')
Exemple #11
 def test_render(self):
     """An underlined title line is rendered as an ``<h1>`` element."""
     from adhocracy.lib.text import render
     markup = 'header\n' + '========'
     self.assertEqual(render(markup), u'<h1>header</h1>')
 def description(self):
     """Return the rendered instance description, or "" when it is empty."""
     raw = self.instance.description
     if not raw:
         return ""
     # NOTE(review): escape=False presumably switches off HTML escaping in
     # render(); confirm the description is sanitized before it is shown.
     return text.render(raw, escape=False)
Exemple #13
 def render(self):
     """Render this object, line-based when its page is a norm.

     Pages whose ``function`` equals ``page.NORM`` go through
     ``text.render_line_based``; everything else renders ``self.text``.
     """
     from adhocracy.lib import text
     is_norm = self.page.function == self.page.NORM
     if not is_norm:
         return text.render(self.text)
     return text.render_line_based(self)
 def text(self):
     """Return the rendered milestone text, or "" when there is none."""
     body = self.milestone.text
     if not body:
         return ""
     # NOTE(review): escape=False presumably disables HTML escaping in
     # render(); verify the milestone text is sanitized some other way.
     return text.render(body, escape=False)
Exemple #15
 def test_render_markdown_vuln(self):
     """A Markdown link with a ``javascript:`` target must be neutralised."""
     from adhocracy.lib.text import render
     link = u'[XSS](javascript://%0Aalert%28\'XSS\'%29;)'
     rendered = render(link)
     # NOTE(review): a case-sensitive substring test for this one scheme;
     # asserting on the emitted href against an allow-list would be a
     # stronger regression guard.
     self.assertTrue(u'javascript' not in rendered)
Exemple #16
 def test_render_user_substitution(self):
     """``@pudo`` is substituted by a reference to the user's absolute URL."""
     from adhocracy.lib.text import render
     tt_make_user('pudo')
     mention = '@pudo'
     rendered = render(mention, substitutions=True)
     # The expected URL is absolute and closes an attribute value.
     expected = u'http://test.lan/user/pudo"'
     self.assertTrue(expected in rendered)
Exemple #17
 def test_render_no_substitution(self):
     """Without substitutions the mention is left as literal text."""
     from adhocracy.lib.text import render
     tt_make_user('pudo')
     rendered = render('@pudo', substitutions=False)
     # The expected output ends with a newline after the paragraph.
     expected = u'<p>@pudo</p>\n'
     self.assertEqual(rendered, expected)
Exemple #18
 def text(self):
     """Return the rendered text of ``self.comment.latest``, or "".

     The empty string is returned when there is no comment or the comment
     has no ``latest`` entry.
     """
     comment = self.comment
     if not comment or not comment.latest:
         return ""
     return text.render(comment.latest.text)
Exemple #19
 def _bio(self):
     """Return the user's bio passed through ``text.render``, or ""."""
     bio = self.user.bio
     if not bio:
         return ""
     # The bio is user-supplied; it goes through render() with defaults.
     return text.render(bio)
Exemple #20
 def text(self):
     """Return the milestone text rendered in 'adhocracy_config' safe mode.

     Returns "" when the milestone has no text.
     """
     if not self.milestone.text:
         return ""
     # presumably safe_mode='adhocracy_config' takes the HTML policy from
     # the application configuration - confirm in adhocracy.lib.text.
     return text.render(self.milestone.text, safe_mode='adhocracy_config')
Exemple #21
 def description(self):
     """Render the instance description; an empty one yields ""."""
     if not self.instance.description:
         return ""
     # NOTE(review): escape=False presumably leaves HTML in the description
     # unescaped; confirm who may edit it and where it is sanitized.
     return text.render(self.instance.description, escape=False)
Exemple #22
 def test_render_markdown_vuln(self):
     """The ``javascript`` scheme of a Markdown link must not be rendered."""
     from adhocracy.lib.text import render
     rendered = render(u'[XSS](javascript://%0Aalert%28\'XSS\'%29;)')
     # Substring check on the whole output: the scheme name may not appear
     # anywhere, neither in an href nor as visible text.
     leaked = u'javascript' in rendered
     self.assertTrue(not leaked)
Exemple #23
 def render(self, line_based=False):
     """Render this object to HTML.

     When ``line_based`` is true the object itself is handed to
     ``text.render_line_based``; otherwise ``self.text`` goes to
     ``text.render``.
     """
     from adhocracy.lib import text
     if not line_based:
         return text.render(self.text)
     return text.render_line_based(self)
Exemple #24
 def test_render(self):
     """A title underlined with ``=`` renders as ``<h1>`` plus a newline."""
     from adhocracy.lib.text import render
     markup = 'header\n' + '========'
     expected = u'<h1>header</h1>\n'
     self.assertEqual(render(markup), expected)
Exemple #25
 def render(self, line_based=False):
     """Return the rendered form of this object.

     ``line_based`` selects ``text.render_line_based(self)`` over the
     default ``text.render(self.text)``.
     """
     from adhocracy.lib import text
     # Pick the renderer and its argument first, then call it once.
     if line_based:
         renderer, subject = text.render_line_based, self
     else:
         renderer, subject = text.render, self.text
     return renderer(subject)
Exemple #26
 def _bio(self):
     """Render ``self.user.bio``; users without a bio get ""."""
     if not self.user.bio:
         return ""
     return text.render(self.user.bio)
 def text(self):
     """Render the text of the comment's ``latest`` entry, or return ""."""
     has_latest = bool(self.comment and self.comment.latest)
     if not has_latest:
         return ""
     return text.render(self.comment.latest.text)
Exemple #28
 def description(self):
     """Return the instance description rendered in 'adhocracy_config' mode.

     Returns "" when the instance has no description.
     """
     raw = self.instance.description
     if not raw:
         return ""
     # presumably 'adhocracy_config' makes render() apply the HTML policy
     # from the application configuration - confirm in adhocracy.lib.text.
     return text.render(raw, safe_mode='adhocracy_config')
Exemple #29
    def test_usercontent(self):
        """A link in user content must not point straight at the target."""
        from adhocracy.lib.text import render

        rendered = render(u'[link](http://example.com/)')
        # presumably external links are rewritten before output - confirm;
        # the test only checks that the raw href does not appear.
        direct_href = u'href="http://example'
        self.assertTrue(direct_href not in rendered)
Exemple #30
 def text(self):
     """Render the milestone text with safe_mode='adhocracy_config'.

     An empty or missing text yields "".
     """
     body = self.milestone.text
     if not body:
         return ""
     return text.render(body, safe_mode='adhocracy_config')
Exemple #31
 def description(self):
     """Render the instance description with safe_mode='adhocracy_config'.

     An instance without a description yields "".
     """
     if not self.instance.description:
         return ""
     return text.render(self.instance.description,
                        safe_mode='adhocracy_config')
Exemple #32
 def render(self):
     """Render this object; norm pages are rendered line by line.

     ``text.render_line_based(self)`` is used when ``self.page.function``
     equals ``self.page.NORM``, ``text.render(self.text)`` otherwise.
     """
     from adhocracy.lib import text
     page = self.page
     if page.function != page.NORM:
         return text.render(self.text)
     return text.render_line_based(self)