Exemplo n.º 1
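 def pipeHandler(self, outputf, po4, xml_output):
     """
     Copy the output of a child process to ``outputf``, escaping every line.

     Lines are read from ``po4.fromchild`` until ``readline()`` returns an
     empty value. Each line goes through ``escape.escape`` before it is
     written, so the child's raw output is never written unfiltered. When
     ``xml_output`` is true the escaped line is additionally passed to
     ``self.__fileHandlerXMLencoding``.

     NOTE(review): which characters ``escape.escape`` neutralises is not
     visible here -- confirm it matches what the consumer of ``outputf``
     treats as markup or control data.
     """
     while True:
         each_line = po4.fromchild.readline()
         if not each_line:
             # An empty read marks the end of the child's output.
             break
         # Everything below must stay inside the loop: the listing had these
         # statements dedented, which left ``break`` outside of any loop.
         line = escape.escape(each_line)
         if xml_output:
             line = self.__fileHandlerXMLencoding(line)
         outputf.write(line)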
Exemplo n.º 2
      def __fileHandler(self, outputf, inputf, xml_output):
          """
          Write every item yielded by ``inputf`` to ``outputf`` after escaping it.

          Each item is passed through ``escape.escape``; when ``xml_output`` is
          true the escaped text then goes through
          ``self.__fileHandlerXMLencoding`` before it is written.
          """
          for raw in inputf:
              escaped = escape.escape(raw)
              payload = self.__fileHandlerXMLencoding(escaped) if xml_output else escaped
              outputf.write(payload)
Exemplo n.º 3
def title():
    """
    Return the title of the page named by the ``url`` query parameter as JSON.

    The optional ``escape`` query parameter (default ``""``) is forwarded to
    ``escape()`` as the escaping mode for the fetched title. Any exception,
    including a missing ``url`` parameter, is reported as a JSON error object
    instead of being raised.

    NOTE(review): ``url`` comes from the request and is handed to
    ``fetch_url_title`` unchanged; whether that helper restricts schemes or
    destinations is not visible here -- confirm.
    NOTE(review): the escaping mode is chosen by the caller, so consumers of
    ``title`` should not assume a particular encoding was applied.
    NOTE(review): the error object returns ``str(e)`` and the exception class
    name to the client, which can expose internal details.
    """
    mode = request.args.get("escape", "")
    try:
        fetched = fetch_url_title(request.args["url"])
        success = {"error": False, "title": escape(fetched, mode)}
        return jsonify(success)
    except Exception as exc:
        failure = {
            "error": True,
            "error_message": str(exc),
            "error_cause": exc.__class__.__name__,
        }
        return jsonify(failure)
Exemplo n.º 4
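 def __defaultTextHandler(self, outputf, name, value):
     """
     Write ``value`` to ``outputf``, dispatching on its type.

     Dictionaries are emitted entry by entry in sorted key order and lists
     as ``(name, value)`` pairs, both through ``self.__XMLvalue``. File
     objects and ``popen2.Popen4`` pipes are streamed through the file and
     pipe handlers with ``xml_output=False``. Anything else is written as a
     ``name: value`` line with the value passed through ``escape.escape``.

     NOTE(review): only ``value`` is escaped in the fallback branch; ``name``
     is written as given -- confirm callers never pass untrusted names.
     NOTE(review): the handler names used here (``__FileHandler``,
     ``__PipeHandler``) must match the class's method definitions exactly,
     including case; those definitions are not visible here -- confirm.
     """
     if isinstance(value, types.DictType):
         # Sorted keys keep the output order deterministic.
         for key in sorted(value.keys()):
             self.__XMLvalue(outputf, key, value[key])
     elif isinstance(value, types.ListType):
         for (listname, listval) in value:
             self.__XMLvalue(outputf, listname, listval)
     elif isinstance(value, types.FileType):
         self.__FileHandler(outputf, value, xml_output=False)
     elif isinstance(value, popen2.Popen4):
         self.__PipeHandler(outputf, value, xml_output=False)
     else:
         # The listing referenced an undefined ``val`` here; the parameter
         # is ``value``.
         outputf.write("%s: %s\n" % (name, escape.escape(str(value))))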
Exemplo n.º 5
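      def __XMLvalue(self, outputf, name, value):
          """
          Write ``value`` to ``outputf`` as an XML element called ``name``.

          File objects and ``popen2.Popen4`` pipes are streamed between an
          opening and a closing tag with ``xml_output=True``. Lists and
          dictionaries are wrapped in a tag and their members handled one by
          one. Any other value is written on a single indented line, with its
          string form passed through ``escape.escape`` and then
          ``escape.xml_encode``.

          NOTE(review): ``name`` is interpolated into the tag without any
          encoding or validation; only the element content is escaped. If
          dictionary keys or list names can carry untrusted text, the output
          may not be well-formed XML -- confirm where names come from.
          """
          if isinstance(value, types.FileType):
              self.__XMLopenTag(outputf, name)
              self.__FileHandler(outputf, value, xml_output=True)
              self.__XMLclosetag(outputf, name)
          elif isinstance(value, popen2.Popen4):
              self.__XMLopenTag(outputf, name)
              self.__PipeHandler(outputf, value, xml_output=True)
              self.__XMLclosetag(outputf, name)
          elif isinstance(value, types.ListType):
              self.__XMLopenTag(outputf, name)
              for (listname, listval) in value:
                  # NOTE(review): every other call passes two arguments to
                  # __XMLopenTag, and the dictionary branch recurses through
                  # __XMLvalue; this three-argument call may have been meant
                  # as __XMLvalue -- confirm against the class definition.
                  self.__XMLopenTag(outputf, listname, listval)
              self.__XMLclosetag(outputf, name)
          elif isinstance(value, types.DictType):
              self.__XMLopenTag(outputf, name)
              for ids in value:
                  self.__XMLvalue(outputf, ids, value[ids])
              self.__XMLclosetag(outputf, name)
          else:
              prefix = ' ' * self.__indentation
              # Content is escaped first and XML-encoded second, in that order.
              encoded = escape.xml_encode(escape.escape(str(value)))
              outputf.write("%s<%s>%s</%s>\n" % (prefix, name, encoded, name))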
Exemplo n.º 6
def bfs(belt, choice_tree):
    """
    Search the choice tree breadth-first and return the first winning choice.

    Nodes are taken from a queue in insertion order. Each node whose ``data``
    has not been seen yet has its children built and is evaluated with
    ``escape(data, belt)``: a result equal to ``True`` returns that ``data``
    immediately, a result equal to ``False`` prunes the node. The node's
    children are queued afterwards in either non-returning case.

    If an ``AssertionError`` is raised inside the loop, a message is printed
    and ``None`` is returned implicitly. Where that error originates is not
    visible here -- presumably the queue or tree helpers; confirm.
    """
    seen = set()
    pending = Queue()
    pending.eq(choice_tree)
    try:
        while pending:
            node = pending.dq()
            if node.data in seen:
                continue
            seen.add(node.data)
            node.build_children()             # Lazily build children
            outcome = escape(node.data, belt)
            if outcome == True:
                return node.data
            if outcome == False:
                node.prune()
            for child in node.children:
                pending.eq(child)
    except AssertionError:
        print('Choice tree was not able to find a solution.')
Exemplo n.º 7
def flatten_tagattribute(attribute):
    """
    Render one tag attribute as ``name="value"``.

    The attribute value is flattened and then escaped with ``quote=True``
    before being placed between double quotes. The attribute name is
    inserted as given, without escaping.

    NOTE(review): assumes ``escape`` follows the ``cgi.escape`` /
    ``html.escape`` contract, where ``quote=True`` also encodes double
    quotes -- confirm which ``escape`` is imported.
    """
    flat_value = flatten(attribute.value)
    attr_name = attribute.name
    safe_value = escape(flat_value, quote=True)
    return '%s="%s"' % (attr_name, safe_value)
Exemplo n.º 8
 def flatten_child(child):
     """
     Flatten one child node, escaping it only when it is a plain ``str``.

     The check is an exact type comparison, so instances of ``str``
     subclasses (and, on Python 2, ``unicode`` objects) are passed to
     ``flatten`` instead of ``escape``.

     NOTE(review): whether ``flatten`` escapes such values is not visible
     here -- confirm that text cannot reach the output unescaped this way.
     """
     if type(child) != str:
         return flatten(child)
     # escape htmlchars only in strings
     return escape(child, quote=False)
    def test_typed_content(self):
        """Test rendering and normalization of typed content by escapers.

        Each template in ``tests`` places ``{{.}}`` in a different output
        context (style element, style attribute, HTML text, tag body,
        attribute value, textarea, script, event handler, URL query). Every
        template is rendered once per entry of ``data`` and the substituted
        portion of the output is compared with the expected string at the
        same position.
        """
        # One plain string followed by one value of each typed-content
        # wrapper. Order matters: expected outputs are matched by position.
        data = (
            '<b> "foo%" O\'Reilly &bar;',
            content.SafeCSS('a[href =~ "//example.com"]#foo'),
            content.SafeHTML('Hello, <b>World</b> &amp;tc!'),
            content.SafeHTMLAttr(' dir="ltr"'),
            content.SafeJS('c && alert("Hello, World!");'),
            content.SafeJSStr('Hello, World & O\'Reilly\\x21'),
            content.SafeURL('greeting=H%69&addressee=(World)'),
            )

        # For each content sensitive escaper, see how it does on
        # each of the typed strings above.
        # 'zSafehtmlz' is the expected output wherever a value's type is not
        # accepted in that context (presumably the escaper's rejection
        # placeholder -- confirm against the escaper implementation).
        tests = (
            (
                '<style>{{.}} { color: blue }</style>',
                (
                    'zSafehtmlz',
                    # Allowed but not escaped.
                    'a[href =~ "//example.com"]#foo',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    ),
                ),
            (
                '<div style="{{.}}">',
                (
                    'zSafehtmlz',
                    # Allowed and HTML escaped.
                    'a[href =~ &#34;//example.com&#34;]#foo',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    ),
                ),
            (
                '{{.}}',
                (
                    '&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;',
                    'a[href =~ &#34;//example.com&#34;]#foo',
                    # Not escaped.
                    'Hello, <b>World</b> &amp;tc!',
                    ' dir=&#34;ltr&#34;',
                    'c &amp;&amp; alert(&#34;Hello, World!&#34;);',
                    r'Hello, World &amp; O&#39;Reilly\x21',
                    'greeting=H%69&amp;addressee=(World)',
                    ),
                ),
            (
                '<a{{.}}>',
                (
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    # Allowed; the expected output is identical to the input.
                    ' dir="ltr"',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    'zSafehtmlz',
                    ),
                ),
            (
                '<a title={{.}}>',
                (
                    '"&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;"',
                    '"a[href =~ &#34;//example.com&#34;]#foo"',
                    # Tags stripped, value wrapped in double quotes, entity
                    # not re-escaped.
                    '"Hello, World &amp;tc!"',
                    '" dir=&#34;ltr&#34;"',
                    '"c &amp;&amp; alert(&#34;Hello, World!&#34;);"',
                    r'"Hello, World &amp; O&#39;Reilly\x21"',
                    '"greeting=H%69&amp;addressee=(World)"',
                    ),
                ),
            (
                "<a title='{{.}}'>",
                (
                    '&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;',
                    'a[href =~ &#34;//example.com&#34;]#foo',
                    # Tags stripped, entity not re-escaped.
                    'Hello, World &amp;tc!',
                    ' dir=&#34;ltr&#34;',
                    'c &amp;&amp; alert(&#34;Hello, World!&#34;);',
                    r'Hello, World &amp; O&#39;Reilly\x21',
                    'greeting=H%69&amp;addressee=(World)',
                    ),
                ),
            (
                '<textarea>{{.}}</textarea>',
                (
                    '&lt;b&gt; &#34;foo%&#34; O&#39;Reilly &amp;bar;',
                    'a[href =~ &#34;//example.com&#34;]#foo',
                    # Angle brackets escaped to prevent injection of close
                    # tags, entity not re-escaped.
                    'Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!',
                    ' dir=&#34;ltr&#34;',
                    'c &amp;&amp; alert(&#34;Hello, World!&#34;);',
                    r'Hello, World &amp; O&#39;Reilly\x21',
                    'greeting=H%69&amp;addressee=(World)',
                    ),
                ),
            (
                '<script>alert({{.}})</script>',
                (
                    '"\\x3cb\\x3e \\"foo%\\" O\'Reilly &bar;"',
                    r'"a[href =~ \"//example.com\"]#foo"',
                    r'"Hello, \x3cb\x3eWorld\x3c/b\x3e &amp;tc!"',
                    r'" dir=\"ltr\""',
                    # Not escaped.
                    'c && alert("Hello, World!");',
                    # Escape sequence not over-escaped.
                    '"Hello, World \\x26 O\\x27Reilly\\x21"',
                    '"greeting=H%69&addressee=(World)"',
                    ),
                ),
            (
                '<button onclick="alert({{.}})">',
                (
                    (r'&#34;\x3cb\x3e \&#34;foo%\&#34;'
                     r' O&#39;Reilly &amp;bar;&#34;'),
                    r'&#34;a[href =~ \&#34;//example.com\&#34;]#foo&#34;',
                    r'&#34;Hello, \x3cb\x3eWorld\x3c/b\x3e &amp;amp;tc!&#34;',
                    r'&#34; dir=\&#34;ltr\&#34;&#34;',
                    # Not JS escaped but HTML escaped.
                    r'c &amp;&amp; alert(&#34;Hello, World!&#34;);',
                    # Escape sequence not over-escaped.
                    r'&#34;Hello, World \x26 O\x27Reilly\x21&#34;',
                    r'&#34;greeting=H%69&amp;addressee=(World)&#34;',
                    ),
                ),
            (
                '<script>alert("{{.}}")</script>',
                (
                    r'\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;',
                    r'a[href \x3d~ \x22\/\/example.com\x22]#foo',
                    r'Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!',
                    r' dir\x3d\x22ltr\x22',
                    r'c \x26\x26 alert(\x22Hello, World!\x22);',
                    # Escape sequence not over-escaped.
                    r'Hello, World \x26 O\x27Reilly\x21',
                    r'greeting\x3dH%69\x26addressee\x3d(World)',
                    ),
                ),
            (
                '<button onclick=\'alert("{{.}}")\'>',
                (
                    r'\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;',
                    r'a[href \x3d~ \x22\/\/example.com\x22]#foo',
                    r'Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!',
                    r' dir\x3d\x22ltr\x22',
                    r'c \x26\x26 alert(\x22Hello, World!\x22);',
                    # Escape sequence not over-escaped.
                    r'Hello, World \x26 O\x27Reilly\x21',
                    r'greeting\x3dH%69\x26addressee\x3d(World)',
                    ),
                ),
            (
                '<a href="?q={{.}}">',
                (
                    '%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b',
                    'a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo',
                    'Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21',
                    '%20dir%3d%22ltr%22',
                    'c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b',
                    'Hello%2c%20World%20%26%20O%27Reilly%5cx21',
                    # Quotes and parens are escaped but %69 is not over-escaped.
                    # HTML escaping is done.
                    'greeting=H%69&amp;addressee=%28World%29',
                    ),
                ),
            (
                "<style>body { background: url('?img={{.}}') }</style>",
                (
                    '%3cb%3e%20%22foo%25%22%20O%27Reilly%20%26bar%3b',
                    'a%5bhref%20%3d~%20%22%2f%2fexample.com%22%5d%23foo',
                    'Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21',
                    '%20dir%3d%22ltr%22',
                    'c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b',
                    'Hello%2c%20World%20%26%20O%27Reilly%5cx21',
                    # Quotes and parens are escaped but %69 is not over-escaped.
                    # HTML escaping is not done.
                    'greeting=H%69&addressee=%28World%29',
                    ),
                ),
            )

        for tmpl_code, want_arr in tests:
            env = template.parse_templates('test', tmpl_code, 'main')
            # The return value is discarded, so the escaper presumably
            # rewrites env.templates in place -- confirm.
            escape.escape(env.templates, ('main',))
            # pre: offset of the placeholder in the template source.
            # post: number of literal characters after it (5 is
            # len('{{.}}')).
            pre = tmpl_code.find('{{.}}')
            post = len(tmpl_code) - (pre + 5)
            for i in xrange(0, len(data)):
                datum, want = data[i], want_arr[i]
                rendered = env.with_data(datum).sexecute('main')
                # got is just the portion of the template that does
                # not correspond to a literal text node in the input template.
                got = rendered[pre:len(rendered)-post]
                self.assertEquals(
                    want, got,
                    '%s with %r\n\t%r\n!=\n\t%r' % (
                        tmpl_code, datum, want, got))
Exemplo n.º 10
def test_escape_simple_case():
    """Text without special characters must come back unchanged."""
    escaped = escape("Nothing to escape")
    expected = "Nothing to escape"
    assert escaped == expected, "Should be 'Nothing to escape'"
Exemplo n.º 11
def test_escape_backslashes():
    """Every backslash in the input must come back doubled."""
    escaped = escape(r"Several \backslashes\ to escape")
    expected = r"Several \\backslashes\\ to escape"
    assert escaped == expected, r"Should be 'Several \\backslashes\\ to escape'"
Exemplo n.º 12
def test_escape_backslash():
    """A single backslash in the input must come back doubled."""
    escaped = escape(r"Just a \ to escape")
    expected = r"Just a \\ to escape"
    assert escaped == expected, r"Should be 'Just a \\ to escape'"
Exemplo n.º 13
def test_escape_single_quotes():
    """Every single quote in the input must gain a leading backslash."""
    escaped = escape("Several ' to 'escape'")
    expected = r"Several \' to \'escape\'"
    assert escaped == expected, r"Should be 'Several \' to \'escape\'"
Exemplo n.º 14
def flatten_tagattribute(attribute):
    """
    Build the ``name="value"`` text for a single tag attribute.

    Only the flattened value is escaped (with ``quote=True``); the attribute
    name goes into the output unchanged.

    NOTE(review): the surrounding double quotes are only safe if ``escape``
    encodes ``"`` when ``quote=True``, as ``cgi.escape`` / ``html.escape``
    do -- confirm which ``escape`` this module imports.
    """
    flattened = flatten(attribute.value)
    pieces = (attribute.name, escape(flattened, quote=True))
    return '%s="%s"' % pieces
Exemplo n.º 15
 def flatten_child(child):
     """
     Return the flattened form of ``child``.

     A value whose type is exactly ``str`` is escaped with ``quote=False``;
     every other value, including ``str`` subclasses, is delegated to
     ``flatten``.

     NOTE(review): the escaping applied on the ``flatten`` path is not
     visible here -- confirm non-``str`` text is escaped there.
     """
     # escape htmlchars only in strings
     is_plain_str = type(child) == str
     return escape(child, quote=False) if is_plain_str else flatten(child)
Exemplo n.º 16
def test_escape_single_quote():
    """A lone single quote in the input must gain a leading backslash."""
    escaped = escape("Just a ' to escape")
    expected = r"Just a \' to escape"
    assert escaped == expected, r"Should be 'Just a \' to escape'"
 def _tmpls_from_stdin():
     """
     Parse a template read from stdin, escape it, and print the result.

     Standard input is read in full and decoded as UTF-8, parsed under the
     name ``'-'`` with ``'main'`` as the template name, passed through
     ``escape.escape``, and the output of executing ``'main'`` is printed.
     """
     source_text = sys.stdin.read().decode('UTF-8')
     env = template.parse_templates('-', source_text, 'main')
     escape.escape(env.templates, ('main',))
     rendered = env.sexecute('main')
     print(rendered)