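def test_markdown_xss_inline_html():
    """Raw inline HTML with a ``javascript:`` href must not render as a link.

    The anchor tag is split across two blockquote lines, so the ``href``
    attribute sits on a different source line than the tag opening.
    """
    xss_md = '\n'.join([
        '> <a name="n"',
        '> href="javascript:alert(\'XSS: pwned!\')">link</a>',
    ])
    rendered_html = MarkupRenderer.markdown(xss_md)

    # The payload must not come through byte-for-byte.
    assert 'href="javascript:alert(\'XSS: pwned!\')">' not in rendered_html
    # The verbatim check alone still passes when the renderer re-serialises
    # the attribute (e.g. entity-encodes the single quotes) but keeps the
    # scheme, so also reject any href that starts with the javascript: scheme.
    # URL schemes are case-insensitive, hence the lower().
    assert 'href="javascript:' not in rendered_html.lower()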
def test_markdown_inline_html():
    """Raw inline HTML is replaced by a placeholder even when its href is benign.

    Same two-line blockquote anchor as the XSS variant, but pointing at an
    https URL. The renderer is expected to swap the opening and closing tags
    for ``[HTML_REMOVED]`` and keep only the link text.
    """
    source_lines = (
        '> <a name="n"',
        '> href="https://rhodecode.com">link</a>',
    )
    html_md = '\n'.join(source_lines)

    output = MarkupRenderer.markdown(html_md)

    expected_fragment = '[HTML_REMOVED]link[HTML_REMOVED]'
    assert expected_fragment in output
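def test_markdown_xss_link():
    """A Markdown link whose target is a ``javascript:`` URL must not yield a live href."""
    xss_md = "[link](javascript:alert('XSS: pwned!'))"
    rendered_html = MarkupRenderer.markdown(xss_md)

    # The payload must not come through byte-for-byte.
    assert 'href="javascript:alert(\'XSS: pwned!\')"' not in rendered_html
    # An exact-substring negative match only covers one serialisation of the
    # attribute. If the renderer escaped the quotes but kept the scheme, the
    # link would still be dangerous and the check above would still pass.
    # URL schemes are case-insensitive, hence the lower().
    assert 'href="javascript:' not in rendered_html.lower()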