Exemple #1
    def test_autolink_filtering_with_nice_data(self):
        """Check that http/https autolinks render as anchors with escaped URLs.

        The second half feeds an angle-bracketed value through
        ``render_escape`` and expects it back as escaped text inside a
        paragraph, i.e. no markup is produced from it.
        """
        for candidate in ('http://a', "https://b?x&y"):
            rendered = render('<%s>' % candidate)
            # The '&' in the query string must appear entity-encoded in both
            # the href attribute and the link text.
            wanted = '<p><a href="{0}">{0}</a></p>\n'.format(
                escape_html(candidate))
            ok(rendered).diff(wanted)

        # NOTE(review): the value below looks masked in this copy of the
        # test (presumably an e-mail autolink in the original) -- confirm.
        supplied = "<*****@*****.**>"
        wanted = '<p>%s</p>\n' % escape_html(supplied)
        ok(render_escape(supplied)).diff(wanted)
Exemple #2
    def test_autolink_rewriting(self):
        """Check that autolink hrefs are rewritten while the link text is only escaped.

        For each URL the href must equal ``rewrite_url(url)`` and the visible
        text must equal ``escape_html(url)``, so a reader still sees the
        original address even though the link target was rewritten.
        """
        template = '<p><a href="%s">%s</a></p>\n'
        for candidate in ('http://a', 'https://b?x&y'):
            rendered = render_rewrite('<%s>' % candidate)
            wanted = template % (rewrite_url(candidate), escape_html(candidate))
            ok(rendered).diff(wanted)

        # NOTE(review): the value below looks masked in this copy of the
        # test (presumably an e-mail autolink in the original) -- confirm.
        supplied = "<*****@*****.**>"
        wanted = '<p>%s</p>\n' % escape_html(supplied)
        ok(render_escape(supplied)).diff(wanted)
Exemple #3
    def test_html_escape(self):
        """Check that ``render_escape`` turns inline HTML into inert, escaped text.

        Three inputs are covered: a plain ``<script>`` element, a nested
        tag-splitting payload that would reassemble into a tag if a filter
        merely deleted the inner element, and an anchor with a
        ``javascript:`` href.
        """
        script_text = 'Example <script>alert(1);</script>'
        wanted = '<p>%s</p>\n' % escape_html(script_text)
        ok(render_escape(script_text)).diff(wanted)

        # Escaping, unlike stripping, leaves no fragment that could
        # recombine into a live tag, so neither half may survive verbatim.
        nested = render_escape('<sc<script>ript>xss</sc</script>ript>')
        for fragment in ('<sc', 'ript>'):
            ok(nested).not_contains(fragment)

        js_link = '<span><a href="javascript:xss">foo</a></span>'
        wanted = '<p>%s</p>\n' % escape_html(js_link)
        ok(render_escape(js_link)).diff(wanted)
Exemple #4
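    def test_link_filtering_with_naughty_data(self):
        """Check that links with refused schemes or attribute-breaking text stay inert.

        Two groups of inputs are rendered with ``render``:

        * Markdown links whose target uses a scheme the renderer is expected
          to refuse; the whole construct must come back as escaped text in a
          paragraph instead of an anchor.
        * Links whose text and target contain quotes and angle brackets; the
          output must contain neither a literal ``<xss>`` element nor an
          unescaped ``" xss`` that would break out of an attribute value.
        """
        # Each scheme is asserted against its own input, so a regression that
        # affects only non-javascript schemes is caught as well.
        for supplied in ('[foo](javascript:xss)', '[foo](unknown:bar)'):
            expected = '<p>%s</p>\n' % escape_html(supplied)
            ok(render(supplied)).diff(expected)

        for supplied in ('[" xss><xss>]("><xss>)',
                         '[" xss><xss>](https:"><xss>)'):
            html = render(supplied)
            ok(html).not_contains('<xss>')
            ok(html).not_contains('" xss')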
Exemple #5
    def blockcode(self, text, lang):
        """Render a fenced code block, highlighted when a lexer exists for *lang*.

        ``lang`` is used only to look up a lexer and is never written into
        the output. When the lookup raises ``ClassNotFound`` the code is
        emitted in a plain ``<pre><code>`` wrapper after HTML-escaping, so
        markup inside the block cannot reach the page as live HTML.
        """
        try:
            lexer = get_lexer_by_name(lang)
        except ClassNotFound:
            lexer = None

        if not lexer:
            # Fallback path: this method is responsible for the escaping.
            escaped = misaka.escape_html(text.strip())
            return "\n<pre><code>{}</code></pre>\n".format(escaped)

        # NOTE(review): html_formatter is defined outside this method; the
        # highlighted path relies on it to escape the code -- confirm.
        return highlight(text, lexer, html_formatter)
Exemple #6
    def blockcode(self, text, lang):
        """Render a fenced code block, highlighted when a lexer exists for *lang*.

        The lexer is requested with ``stripall=True``. ``lang`` is used only
        for the lexer lookup and is never written into the output. When the
        lookup raises ``ClassNotFound`` the stripped code is HTML-escaped and
        wrapped in ``<pre><code>``.
        """
        try:
            lexer = get_lexer_by_name(lang, stripall=True)
        except ClassNotFound:
            lexer = None

        if not lexer:
            # Fallback path: this method is responsible for the escaping.
            escaped = m.escape_html(text.strip())
            return '\n<pre><code>{}</code></pre>\n'.format(escaped)

        # A fresh formatter with default options is built for every block.
        return highlight(text, lexer, HtmlFormatter())
Exemple #7
    def blockcode(text, lang):
        """Render a fenced code block, highlighted when a lexer exists for *lang*.

        Highlighted output comes from an ``HtmlFormatter`` configured with
        ``cssclass='hi'``. When the lexer lookup raises ``ClassNotFound`` the
        stripped code is HTML-escaped and wrapped in ``<pre><code>``.
        ``lang`` is used only for the lookup and is never written into the
        output.
        """
        try:
            lexer = get_lexer_by_name(lang, stripall=True)
        except ClassNotFound:
            lexer = None

        if not lexer:
            # Fallback path: escape here so code text cannot become markup.
            escaped = escape_html(text.strip())
            return f'<pre><code>{escaped}</code></pre>\n'

        return highlight(text, lexer, HtmlFormatter(cssclass='hi'))
Exemple #8
 def raw_html(self, context):
     """Return the inline HTML found in ``context['text']`` as escaped text.

     Escaping rather than passing the markup through means HTML embedded in
     the source document is shown literally instead of being interpreted.
     """
     raw_markup = context['text']
     return misaka.escape_html(raw_markup)
Exemple #9
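 def blockcode(self, context):
     """Return the code block in ``context['text']`` as escaped ``<pre><code>`` HTML.

     The text is HTML-escaped before it is wrapped, so markup inside the
     block cannot reach the page as live HTML. The closing tags are written
     in nesting order (``</code>`` before ``</pre>``) so the output is
     well-formed and does not depend on the browser's error recovery.
     """
     escaped = misaka.escape_html(context['text'])
     return '\n<pre><code>{}</code></pre>'.format(escaped)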
 def save(self, *args, **kwargs):
     """Refresh ``message_html`` from ``message``, then delegate to the parent ``save``.

     ``message_html`` receives the HTML-escaped form of ``message`` on every
     save, so the stored value never contains markup taken from the raw
     message.
     """
     # NOTE(review): only escaping is applied here (no Markdown rendering);
     # anything that outputs message_html unescaped depends on this line.
     escaped_message = misaka.escape_html(self.message)
     self.message_html = escaped_message
     super().save(*args, **kwargs)
Exemple #11
 def test_escape_html(self):
     """Check the default escaping of ``&``, ``<``, ``>``, ``"`` and ``'``.

     With no second argument the forward slash is expected to pass through
     unchanged.
     """
     raw = 'a&<>"\'/'
     escaped = escape_html(raw)
     # Presumably ``ok`` overloads ``==`` so this comparison is the assertion.
     ok(escaped) == 'a&amp;&lt;&gt;&quot;&#39;/'
Exemple #12
 def test_escape_html_slash(self):
     """Check that passing ``True`` as the second argument also escapes ``/``.

     The expected output matches the default escaping plus ``&#47;`` for the
     forward slash.
     """
     raw = 'a&<>"\'/'
     escaped = escape_html(raw, True)
     # Presumably ``ok`` overloads ``==`` so this comparison is the assertion.
     ok(escaped) == 'a&amp;&lt;&gt;&quot;&#39;&#47;'
Exemple #13
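 def link(self, content, url, title=''):
     """Return an ``<a>`` element for *url* that opens in a new tab.

     Args:
         content: Link text, inserted into the element as given.
         url: Link target; HTML-escaped once before it is placed in ``href``.
         title: Optional tooltip; HTML-escaped and emitted as a ``title``
             attribute only when non-empty.

     Returns:
         The anchor element as a string.
     """
     maybe_title = ' title="%s"' % escape_html(title) if title else ''
     # Escape exactly once: a second pass would turn '&amp;' into
     # '&amp;amp;' and corrupt any URL that carries a query string.
     href = escape_html(url)
     # NOTE(review): escaping keeps the value inside the attribute but does
     # not look at the URL scheme; if url can come from untrusted Markdown,
     # an allow-list check (e.g. http/https) belongs before this point.
     # NOTE(review): content is not escaped here -- presumably it is
     # already-rendered inline HTML; verify against the caller.
     # NOTE(review): target="_blank" is emitted without
     # rel="noopener noreferrer"; consider adding it.
     return f'<a href="{href}" target="_blank"{maybe_title}>{content}</a>'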