Exemplo n.º 1
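    def test_app_config_select_escaping(self):
        """Check that markup in an app-config label is escaped on render.

        One fake config's string form carries a ``<script>`` element. The
        rendered ``ApplicationConfigSelect`` output must not contain that
        element verbatim and must contain its escaped form instead.
        """
        class FakeAppConfig(object):
            """Stand-in config object with a ``pk`` and a string form."""

            def __init__(self, pk, config):
                self.pk = pk
                self.config = config

            def __str__(self):
                # The string form is the raw, unescaped config name.
                return self.config

        class FakeApp(object):
            """Stand-in application object that hands out fake configs."""

            def __init__(self, name, configs=()):
                self.name = name
                self.configs = configs

            def __str__(self):
                return self.name

            def get_configs(self):
                return self.configs

            def get_config_add_url(self):
                return "/fake/url/"

        # Markup that must never appear verbatim in the rendered widget.
        payload = '<script>alert("bad-stuff");</script>'

        good_app = FakeApp('GoodApp', [
            FakeAppConfig(1, 'good-app-one-config'),
            FakeAppConfig(2, 'good-app-two-config'),
        ])
        bad_app = FakeApp('BadApp', [
            FakeAppConfig(1, 'bad-app-one-config'),
            FakeAppConfig(2, 'bad-app-two-config' + payload),
        ])

        # NOTE(review): the mapping is keyed by the fake app objects
        # themselves; the key type the widget expects is not visible here.
        app_configs = {
            good_app: good_app,
            bad_app: bad_app,
        }

        widget = ApplicationConfigSelect(app_configs=app_configs)
        output = widget.render('application_configurations', 1)

        # assertNotIn/assertIn report both operands when they fail, which
        # assertFalse/assertTrue on an ``in`` expression do not.
        self.assertNotIn(payload, output)

        # Decoding the \uXXXX sequences below gives
        #   &lt;script&gt;alert(&quot;bad-stuff&quot;);&lt;/script&gt;
        # so the expected label is HTML-escaped and then written with
        # \uXXXX escapes for '&', ';' and '-'. Presumably the widget embeds
        # labels in inline JavaScript; confirm against the widget template.
        self.assertIn(
            '\\u0026lt\\u003Bscript\\u0026gt\\u003Balert('
            '\\u0026quot\\u003Bbad\\u002Dstuff\\u0026quot'
            '\\u003B)\\u003B\\u0026lt\\u003B/script\\u0026gt'
            '\\u003B',
            output)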
Exemplo n.º 2
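    def test_app_config_select_escaping(self):
        """Verify that a config label containing markup is rendered escaped.

        A fake config whose string form includes a ``<script>`` element is
        passed to ``ApplicationConfigSelect``. The test fails if the element
        shows up verbatim in the rendered output, or if the escaped form is
        missing from it.
        """
        class FakeAppConfig(object):
            """Minimal config double: a ``pk`` plus a string form."""

            def __init__(self, pk, config):
                self.pk = pk
                self.config = config

            def __str__(self):
                # Returned as-is, with no escaping applied.
                return self.config

        class FakeApp(object):
            """Minimal application double returning a fixed config list."""

            def __init__(self, name, configs=()):
                self.name = name
                self.configs = configs

            def __str__(self):
                return self.name

            def get_configs(self):
                return self.configs

            def get_config_add_url(self):
                return "/fake/url/"

        # The markup under test; it must not survive rendering unescaped.
        payload = '<script>alert("bad-stuff");</script>'

        good_app = FakeApp('GoodApp', [
            FakeAppConfig(1, 'good-app-one-config'),
            FakeAppConfig(2, 'good-app-two-config'),
        ])
        bad_app = FakeApp('BadApp', [
            FakeAppConfig(1, 'bad-app-one-config'),
            FakeAppConfig(2, 'bad-app-two-config' + payload),
        ])

        app_configs = {
            good_app: good_app,
            bad_app: bad_app,
        }

        widget = ApplicationConfigSelect(app_configs=app_configs)
        output = widget.render('application_configurations', 1)

        # Negative check: the raw element is absent. assertNotIn prints the
        # needle and the haystack on failure, unlike assertFalse(x in y).
        self.assertNotIn(payload, output)

        # Positive check: the escaped label is present, which also proves the
        # label was rendered at all. The \uXXXX sequences decode to
        #   &lt;script&gt;alert(&quot;bad-stuff&quot;);&lt;/script&gt;
        # i.e. HTML entities with '&', ';' and '-' written as \uXXXX escapes.
        self.assertIn(
            '\\u0026lt\\u003Bscript\\u0026gt\\u003Balert('
            '\\u0026quot\\u003Bbad\\u002Dstuff\\u0026quot'
            '\\u003B)\\u003B\\u0026lt\\u003B/script\\u0026gt'
            '\\u003B',
            output)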
Exemplo n.º 3
    def __init__(self, *args, **kwargs):
        """Build the form, then adjust widgets, choices and initial values.

        After the parent initialiser runs, the page's title object is loaded
        for ``self._language`` and the optional fields
        (``navigation_extenders``, ``application_urls``, ``redirect``,
        ``overwrite_url``) are configured, each only when present in
        ``self.fields``.
        """
        super(AdvancedSettingsForm, self).__init__(*args, **kwargs)
        self.title_obj = self.instance.get_title_obj(
            language=self._language, fallback=False, force_reload=True)

        blank_choice = [('', "---------")]

        if 'navigation_extenders' in self.fields:
            extender_choices = blank_choice + self.get_navigation_extenders()
            self.fields['navigation_extenders'].widget = forms.Select(
                {}, extender_choices)

        if 'application_urls' in self.fields:
            # Two lookups keyed by apphook class name ('PollApp'): one to the
            # apphook's app_name ('polls') when set, one to the apphook itself
            # when it declares an app_config.
            namespaces_by_hook = {}
            configurable_apps = {}
            for hook in apphook_pool.get_apphooks():
                hook_name = hook[0]
                app = apphook_pool.get_apphook(hook_name)
                if app.app_name:
                    namespaces_by_hook[hook_name] = app.app_name
                if app.app_config:
                    configurable_apps[hook_name] = app

            urls_field = self.fields['application_urls']
            urls_field.widget = AppHookSelect(
                attrs={'id': 'application_urls'},
                app_namespaces=namespaces_by_hook,
            )
            urls_field.choices = blank_choice + apphook_pool.get_apphooks()

            # Submitted data, when there is any, takes precedence over the
            # initial values.
            page_data = self.data or self.initial
            if configurable_apps:
                config_widget = ApplicationConfigSelect(
                    attrs={'id': 'application_configs'},
                    app_configs=configurable_apps,
                )
                self.fields['application_configs'].widget = config_widget
                config_field = self.fields['application_configs']

                # The selected apphook name is only ever used as a key into
                # configurable_apps, and only after the membership test.
                selected_hook = page_data.get('application_urls', False)
                if selected_hook and selected_hook in configurable_apps:
                    configs = configurable_apps[selected_hook].get_configs()
                    # NOTE(review): labels are the plain string form of each
                    # config object; they must be escaped when the widget is
                    # rendered - confirm ApplicationConfigSelect does so.
                    config_field.widget.choices = [
                        (cfg.pk, force_text(cfg)) for cfg in configs
                    ]

                    try:
                        current = configs.get(
                            namespace=self.initial['application_namespace'])
                        config_field.initial = current.pk
                    except ObjectDoesNotExist:
                        # The stored apphook configuration no longer exists;
                        # leave the initial value unset so the user picks
                        # another one.
                        pass

        if 'redirect' in self.fields:
            redirect_field = self.fields['redirect']
            redirect_field.widget.language = self._language
            redirect_field.initial = self.title_obj.redirect

        if 'overwrite_url' in self.fields and self.title_obj.has_url_overwrite:
            self.fields['overwrite_url'].initial = self.title_obj.path
Exemplo n.º 4
    def __init__(self, *args, **kwargs):
        """Build the form, then adjust widgets, choices and initial values.

        After the parent initialiser runs, the ``language`` and ``site``
        fields are hidden, language choices are filled in for the site, and
        the optional ``navigation_extenders``, ``application_urls`` and
        ``redirect`` fields are configured when present in ``self.fields``.
        """
        super(AdvancedSettingsForm, self).__init__(*args, **kwargs)
        # Language and site are carried as hidden inputs.
        self.fields['language'].widget = HiddenInput()
        self.fields['site'].widget = HiddenInput()
        site_id = self.fields['site'].initial

        languages = get_language_tuple(site_id)
        self.fields['language'].choices = languages
        # Fall back to get_language() when no initial language was supplied.
        if not self.fields['language'].initial:
            self.fields['language'].initial = get_language()
        if 'navigation_extenders' in self.fields:
            navigation_extenders = self.get_navigation_extenders()
            # Blank choice first, then the available extenders.
            self.fields['navigation_extenders'].widget = forms.Select(
                {}, [('', "---------")] + navigation_extenders)
        if 'application_urls' in self.fields:
            # Prepare a dict mapping the apps by class name ('PollApp') to
            # their app_name attribute ('polls'), if any.
            app_namespaces = {}
            # Apphooks that declare an app_config, keyed the same way.
            app_configs = {}
            for hook in apphook_pool.get_apphooks():
                app = apphook_pool.get_apphook(hook[0])
                if app.app_name:
                    app_namespaces[hook[0]] = app.app_name
                if app.app_config:
                    app_configs[hook[0]] = app

            self.fields['application_urls'].widget = AppHookSelect(
                attrs={'id': 'application_urls'},
                app_namespaces=app_namespaces)
            self.fields['application_urls'].choices = [
                ('', "---------")
            ] + apphook_pool.get_apphooks()

            # Submitted data, when there is any, takes precedence over the
            # initial values.
            page_data = self.data if self.data else self.initial
            if app_configs:
                self.fields[
                    'application_configs'].widget = ApplicationConfigSelect(
                        attrs={'id': 'application_configs'},
                        app_configs=app_configs)

                # The selected apphook name is used as a key into app_configs
                # only after the membership test below.
                if page_data.get(
                        'application_urls', False
                ) and page_data['application_urls'] in app_configs:
                    # NOTE(review): labels are the plain string form of each
                    # config object; they must be escaped when the widget is
                    # rendered - confirm ApplicationConfigSelect does so.
                    self.fields['application_configs'].choices = [
                        (config.pk, force_text(config))
                        for config in app_configs[
                            page_data['application_urls']].get_configs()
                    ]

                    # The apphook is looked up again through apphook_pool here
                    # rather than taken from app_configs.
                    apphook = page_data.get('application_urls', False)
                    try:
                        config = apphook_pool.get_apphook(apphook).get_configs(
                        ).get(namespace=self.initial['application_namespace'])
                        self.fields['application_configs'].initial = config.pk
                    except ObjectDoesNotExist:
                        # Provided apphook configuration doesn't exist (anymore),
                        # just skip it
                        # The user will choose another value anyway
                        pass
                else:
                    # If app_config apphook is not selected, drop any value
                    # for application_configs to avoid the field data from
                    # being validated by the field itself
                    # NOTE(review): this deletes from the submitted data
                    # mapping in place and handles only KeyError, so it
                    # presumably relies on self.data being mutable here -
                    # confirm for request-bound data.
                    try:
                        del self.data['application_configs']
                    except KeyError:
                        pass

        if 'redirect' in self.fields:
            # The redirect widget gets the same language as the form's
            # language field.
            self.fields['redirect'].widget.language = self.fields[
                'language'].initial