def test_markdown_inside_p():
raw = '<p>*test*</p>'
html = sanitizeInput(raw).strip()
assert html == '<p>*test*</p>'
raw = '<p>\n\n*test*\n\n</p>'
html = sanitizeInput(raw)
assert 'em' in html
def test_markdown_inside_div():
raw = "<div>Howmst *this* work</div>"
html = sanitizeInput(raw).strip()
# one line block is not converted
assert html == "<div>Howmst *this* work</div>"
# must wrap markdown with 2 newlines for convert
raw = "<div>\n\nHowmst *this* work\n\n</div>"
html = sanitizeInput(raw).strip()
assert 'em' in html
def test_simple_mixed_input():
raw = '''# Chapter One
Lorem *ipsum*.
P<span>2</span>'''
html = sanitizeInput(raw).strip()
assert html == '''<h1>Chapter One</h1>\n<p>Lorem <em>ipsum</em>.</p>\n<p>P<span>2</span></p>'''
def test_markdown_inside_span():
raw = "<span>I *want* this to work</span>"
html = sanitizeInput(raw).strip()
assert html == "<p><span>I <em>want</em> this to work</span></p>"
def test_mixed_within_markdown():
raw = "*Emphasis <b>bold</b>*"
html = sanitizeInput(raw).strip()
assert html == '''<p><em>Emphasis <b>bold</b></em></p>'''
def test_image_xss():
raw = '''<IMG SRC="javascript:alert('XSS');">'''
html = sanitizeInput(raw)
assert 'javascript' not in html
def save(self, *args, **kwargs):
self.slug = slugify(self.chaptertitle)
self.chaptertext_html = sanitizeInput(self.chaptertext)
self.chaptersummary_html = sanitizeInput(self.chaptersummary)
super(Chapter, self).save(*args, **kwargs)
def test_strip_style():
raw = "<span style='color: black;'>test</span>"
html = sanitizeInput(raw)
assert 'color' not in html
def test_input_type_image():
raw = '''<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">'''
html = sanitizeInput(raw)
assert '<input' not in html.lower()
def test_embedded_tab():
raw = '''<IMG SRC="jav ascript:alert('XSS');">'''
html = sanitizeInput(raw)
assert 'src' not in html.lower()
def test_basic_xss():
raw = "<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>"
html = sanitizeInput(raw)
assert '<script' not in html.lower()
def test_malformed_img_tag():
raw = '''<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'''
html = sanitizeInput(raw)
assert '<script' not in html.lower()
def test_a_tag_malformed():
raw = '''<a onmouseover="alert(document.cookie)">xxs link</a>'''
html = sanitizeInput(raw)
assert 'onmouseover' not in html
def test_image_function_literals():
raw = '''<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>'''
html = sanitizeInput(raw)
assert '<IMG' in html
def test_image_no_quotes():
raw = '''<IMG SRC=javascript:alert('xss')>'''
html = sanitizeInput(raw)
assert '<' in html
def test_block_multiline_xss():
raw = '''hello <a name="n"
href="javascript:alert('xss')">*you*</a>'''
html = sanitizeInput(raw)
assert 'javascript' not in html
def test_dont_strip_classes():
raw = "<span class='classy'>test</span>"
html = sanitizeInput(raw).strip()
# Sanitizer turns single quotes for attrs into double
assert html == '<p><span class="classy">test</span></p>'
def save(self, *args, **kwargs):
self.grouppage_html = sanitizeInput(self.grouppage)
super().save(*args, **kwargs)
def test_dont_strip_src_attr():
raw = "<img src='whatever'></img>"
html = sanitizeInput(raw)
assert 'src="whatever"' in html
def preprocess_preview(self, form, context):
context['preview_markup'] = sanitizeInput(
form.cleaned_data['chaptertext'])
def save(self, *args, **kwargs):
self.content_html = sanitizeInput(self.content)
super().save(*args, **kwargs)
def preprocess_preview(self, form, context):
content = form.cleaned_data['firstmessage']
context['preview_markup'] = sanitizeInput(content)
context['preview_title'] = form.cleaned_data['title']
