def second_pass_render(request, content):
"""
Split on the secret delimiter and generate the token list by passing
through text outside of phased blocks as single text tokens and tokenizing
text inside the phased blocks. This ensures that nothing outside of the
phased blocks is tokenized, thus eliminating the possibility of a template
code injection vulnerability.
"""
result = tokens = []
for index, bit in enumerate(content.split(settings.SECRET_DELIMITER)):
if index % 2:
tokens = Lexer(bit, None).tokenize()
else:
tokens.append(Token(TOKEN_TEXT, bit))
# restore the previos context including the CSRF token
context = RequestContext(request,
restore_csrf_token(request, unpickle_context(bit)))
# restore the loaded components (tags and filters)
parser = Parser(tokens)
unpickled_components = unpickle_components(bit) or []
for component in unpickled_components:
lib = import_library(component)
parser.add_library(lib)
# render the piece with the restored context
rendered = parser.parse().render(context)
if settings.SECRET_DELIMITER in rendered:
rendered = second_pass_render(request, rendered)
result.append(rendered)
return "".join(result)
def test_raises_template_syntaxerror(self):
self.assertRaises(TemplateSyntaxError, self.render, "{% host_url %}")
self.assertRaises(TemplateSyntaxError, self.render,
"{% host_url 'simple-direct' host %}")
self.assertRaises(TemplateSyntaxError, self.render,
"{% host_url 'simple-direct' as %}")
self.assertRaises(TemplateSyntaxError, self.render,
"{% host_url simple-direct %}")
self.assertRaises(TemplateSyntaxError, parse_params, 'host_url',
Parser(['']), "username=='johndoe'")
self.assertRaises(TemplateSyntaxError, parse_params, 'host_url',
Parser(['']), "\n='johndoe'")
def _render_html(self, template_string, context={}):
# :(
if DJANGO_VERSION > (1,2):
from django.template import import_library
tag_lib = import_library('beproud.django.commons.tests.test_tags')
else:
from django.template import get_library
tag_lib = get_library('beproud.django.commons.tests.test_tags')
lexer = Lexer(template_string, self._make_origin())
parser = Parser(lexer.tokenize())
parser.add_library(tag_lib)
nodelist = parser.parse()
return nodelist.render(Context(context))
def second_pass_render(request, content):
"""
Split on the secret delimiter and generate the token list by passing
through text outside of phased blocks as single text tokens and tokenizing
text inside the phased blocks. This ensures that nothing outside of the
phased blocks is tokenized, thus eliminating the possibility of a template
code injection vulnerability.
"""
result = tokens = []
for index, bit in enumerate(content.split(
settings.PHASED_SECRET_DELIMITER)):
if index % 2:
tokens = Lexer(bit, None).tokenize()
context = RequestContext(
request, restore_csrf_token(request, unpickle_context(bit)))
else:
tokens = [Token(TOKEN_TEXT, bit)]
context = None
rendered = Parser(tokens).parse().render(context)
if settings.PHASED_SECRET_DELIMITER in rendered:
rendered = second_pass_render(request, rendered)
result.append(rendered)
return "".join(result)
def test_renders_relative_esi(self):
context = create_context()
node = esi(Parser([]), create_token('esi "./blah/"'))
result = node.render(context)
expected_url = './blah/'
self.assertEquals(result, '<esi:include src="%s" />' % expected_url)
def test_get_members_tag_as_name(self):
"""This tests the get_taxonomy_members method which is directly called by
the get_members tag and so tests instantion of the TaxonomyMembers object.
It also tests to make sure the TaxonomyMembers' render() method works"""
parser = Parser(None)
token = Mock(spec=['split_contents'])
token.split_contents.return_value = ('get_members',
self.taxonomy_group.name,
self.taxonomy_item.name, 'as',
'somename')
from templatetags.taxonomy_tags import get_taxonomy_members
node = get_taxonomy_members(parser, token)
self.assertEqual(node.taxonomy_group, self.taxonomy_group.name)
self.assertEqual(node.taxonomy_item, self.taxonomy_item.name)
# It feels like this part below should be its own test
# but the above needs to be done to test it, so might as well
# just consider it all one test
c = Context()
node.render(c)
self.assertTrue(hasattr(c['somename'], '__iter__'))
self.assertEqual(c['somename'][0].pk, self.test_model.pk)
def test_renders_actual_code(self):
context = create_context()
view_name = create_view_name('hello_world')
node = esi(Parser([]), create_token('esi %s' % view_name))
result = node.render(context)
expected_url = reverse('hello_world')
self.assertEquals(result, '<esi:include src="%s" />' % expected_url)
def _render_html(self, template_string, context={}):
# :(
if DJANGO_VERSION > (1, 9):
from django.template.library import import_library
tag_lib = import_library('testapp.tags')
else: # DJANGO_VERSION > (1,7):
from django.template.base import import_library
tag_lib = import_library('testapp.tags')
if DJANGO_VERSION > (1, 9):
lexer = Lexer(template_string)
else:
lexer = Lexer(template_string, self._make_origin())
parser = Parser(lexer.tokenize())
parser.add_library(tag_lib)
nodelist = parser.parse()
return nodelist.render(Context(context))
def test_raises_template_syntaxerror(self):
self.assertRaises(TemplateSyntaxError, self.render,
"{% load hosts %}{% host_url %}")
self.assertRaises(TemplateSyntaxError, self.render,
"{% load hosts %}{% host_url simple-direct on %}")
self.assertRaises(TemplateSyntaxError, self.render,
"{% load hosts %}{% host_url simple-direct as %}")
self.assertRaises(TemplateSyntaxError, HostURLNode.parse_params,
Parser(['']), "username=='johndoe'")
def test_filter_args_count(self):
p = Parser("")
l = Library()
@l.filter
def no_arguments(value):
pass
@l.filter
def one_argument(value, arg):
pass
@l.filter
def one_opt_argument(value, arg=False):
pass
@l.filter
def two_arguments(value, arg, arg2):
pass
@l.filter
def two_one_opt_arg(value, arg, arg2=False):
pass
p.add_library(l)
for expr in (
'1|no_arguments:"1"',
'1|two_arguments',
'1|two_arguments:"1"',
'1|two_one_opt_arg',
):
with self.assertRaises(TemplateSyntaxError):
FilterExpression(expr, p)
for expr in (
# Correct number of arguments
'1|no_arguments',
'1|one_argument:"1"',
# One optional
'1|one_opt_argument',
'1|one_opt_argument:"1"',
# Not supplying all
'1|two_one_opt_arg:"1"',
):
FilterExpression(expr, p)
def test_filter_args_count(self):
p = Parser("")
l = Library()
@l.filter
def no_arguments(value):
pass
@l.filter
def one_argument(value, arg):
pass
@l.filter
def one_opt_argument(value, arg=False):
pass
@l.filter
def two_arguments(value, arg, arg2):
pass
@l.filter
def two_one_opt_arg(value, arg, arg2=False):
pass
p.add_library(l)
for expr in (
'1|no_arguments:"1"',
'1|two_arguments',
'1|two_arguments:"1"',
'1|two_one_opt_arg',
):
with self.assertRaises(TemplateSyntaxError):
FilterExpression(expr, p)
for expr in (
# Correct number of arguments
'1|no_arguments',
'1|one_argument:"1"',
# One optional
'1|one_opt_argument',
'1|one_opt_argument:"1"',
# Not supplying all
'1|two_one_opt_arg:"1"',
):
FilterExpression(expr, p)
def test_extracts_view_out_of_templatetag_call(self):
random_view_name = 'hello_world_%d' % random.randint(100, 200)
token = fudge.Fake()
token.expects('split_contents').returns(('esi', random_view_name))
fudge.clear_calls()
result = esi(Parser([]), token)
self.assertEquals(str(result.view_name), random_view_name)
fudge.verify()
def test_renders_kwargs(self):
context = create_context()
number = random.randint(100, 200)
view_name = create_view_name('hello_number')
token = create_token('esi %s number=%s' % (view_name, number))
node = esi(Parser([]), token)
result = node.render(context)
expected_url = reverse('hello_number', kwargs={'number': number})
self.assertEquals(result, '<esi:include src="%s" />' % expected_url)
def __init__(self, parser=None, context=None, output=None):
"""
The template REPL object has a single parser and context instance
that persist for the length of the shell session.
"""
super(TemplateREPL, self).__init__()
self.context = context or Context()
self.parser = parser or Parser([])
self.output = output or sys.stdout
self.completer = Completer(context=self.context, parser=self.parser)
def input_node_generator(prompt='>>> ', leading_tokens=None, input_source=raw_input, parser=None):
if parser is None:
parser = Parser([])
input = False
while not input:
input = input_source(prompt)
input = input + '\n'
tokens = Lexer(input, None).tokenize()
if leading_tokens:
tokens = leading_tokens + tokens
initial_tokens = deepcopy(tokens)
try:
parser.tokens = tokens
for node in parser.parse():
yield node
except TemplateSyntaxError, e:
if e.args[0].startswith('Unclosed tags'):
for node in input_node_generator('... ', initial_tokens, input_source, parser):
yield node
else:
raise
def __init__(self, nodelist, parent=None):
# prepend {{ block.super }} to meta tag
p = Parser('')
t = 'block.super'
fe = FilterExpression(t, p)
vn = VariableNode(fe)
# i don't even know
vn.source = (StringOrigin(UNKNOWN_SOURCE), ('a', {}))
nodelist.insert(0, vn)
# build block tag with block name "meta"
super(MetaNode, self).__init__("meta-cascade", nodelist, parent)
def test_get_members_tag_missing_arg(self):
parser = Parser(None)
token = Mock(spec=['split_contents'], name='Taxonomy Mock')
token.contents = 'get_members %s' % self.taxonomy_group.name
token.split_contents.return_value = ('get_members',
self.taxonomy_group.name,
self.taxonomy_item.name)
token.split_contents.side_effect = ValueError
from templatetags.taxonomy_tags import get_taxonomy_members
self.assertRaises(TemplateSyntaxError, get_taxonomy_members,
*[parser, token])
def test_filter_parsing(self):
c = {"article": {"section": "News"}}
p = Parser("")
def fe_test(s, val):
self.assertEqual(FilterExpression(s, p).resolve(c), val)
fe_test("article.section", "News")
fe_test("article.section|upper", "NEWS")
fe_test('"News"', "News")
fe_test("'News'", "News")
fe_test(r'"Some \"Good\" News"', 'Some "Good" News')
fe_test(r'"Some \"Good\" News"', 'Some "Good" News')
fe_test(r"'Some \'Bad\' News'", "Some 'Bad' News")
fe = FilterExpression(r'"Some \"Good\" News"', p)
self.assertEqual(fe.filters, [])
self.assertEqual(fe.var, 'Some "Good" News')
# Filtered variables should reject access of attributes beginning with
# underscores.
self.assertRaises(TemplateSyntaxError, FilterExpression, "article._hidden|upper", p)
def create_view_name(view_name):
if django_version < (1, 5, 0):
return view_name
else:
return FilterExpression('"%s"' % view_name, Parser([]))
