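def test_dump_html_escaped_json_escapes_unsafe_html(self):
    """
    Test dump_html_escaped_json properly escapes &, <, and >.

    The key and the value both carry a payload that closes a script element
    and opens a new one; the value additionally contains an ampersand. The
    serialized result must equal the escaped form exactly.
    """
    # Payload sits in both the key and the value so neither position goes unchecked.
    malicious_dict = {
        "</script><script>alert('hello, ');</script>":
            "</script><script>alert('&world!');</script>",
    }
    # NOTE(review): as printed, this literal is not valid Python and shows raw
    # markup. The entity escapes it should assert (for &, <, > and presumably
    # the quote characters) appear to have been decoded when the page was
    # rendered -- restore the literal from the repository before running.
    expected_escaped_json = (
        "{"</script><script>alert('hello, ');</script>": "
        ""</script><script>alert('&world!');</script>"}"
    )
    escaped_json = dump_html_escaped_json(malicious_dict)
    # assertEqual replaces the deprecated assertEquals alias (removed in Python 3.12).
    self.assertEqual(expected_escaped_json, escaped_json)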
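def test_dump_html_escaped_json_escapes_unsafe_html(self):
    """
    Test dump_html_escaped_json properly escapes &, <, and >.

    A one-entry dict is serialized whose key and value each try to terminate
    a script element and start another. The value also holds an ampersand,
    so all three characters named above are exercised.
    """
    hostile_key = "</script><script>alert('hello, ');</script>"
    hostile_value = "</script><script>alert('&world!');</script>"
    malicious_dict = {hostile_key: hostile_value}
    # NOTE(review): the literal below is reproduced as the page shows it. It is
    # not valid Python and contains unescaped markup, so the entity escapes it
    # is meant to assert were presumably decoded by the page rendering; take
    # the real expected value from the repository -- TODO confirm.
    expected_escaped_json = (
        "{"</script><script>alert('hello, ');</script>": "
        ""</script><script>alert('&world!');</script>"}"
    )
    escaped_json = dump_html_escaped_json(malicious_dict)
    # The assertEquals alias is deprecated and gone in Python 3.12; use assertEqual.
    self.assertEqual(expected_escaped_json, escaped_json)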
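def test_dump_html_escaped_json_with_custom_encoder_escapes_unsafe_html(self):
    """
    Test dump_html_escaped_json first encodes with custom JSONEncoder before escaping &, <, and >

    The test encoder class should first perform the replacement of "<script>" with
    "sample-encoder-was-here", and then should escape the remaining &, <, and >.

    The order matters for safety: escaping has to run on the encoder's output,
    otherwise a custom encoder could hand back markup that is never escaped.
    """
    # Only the value is wrapped in NoDefaultEncoding, so only the value is
    # expected to show the encoder's replacement; the key keeps its "<script>".
    # NoDefaultEncoding and SampleJSONEncoder are attributes of the test class
    # and are not visible here.
    malicious_dict = {
        "</script><script>alert('hello, ');</script>":
            self.NoDefaultEncoding("</script><script>alert('&world!');</script>"),
    }
    # NOTE(review): as printed, this literal is not valid Python and shows raw
    # markup. The entity escapes it should assert (for &, <, > and presumably
    # the quote characters) appear to have been decoded when the page was
    # rendered -- restore the literal from the repository before running.
    expected_custom_escaped_json = (
        "{"</script><script>alert('hello, ');</script>": "
        ""</script>sample-encoder-was-herealert('&world!');</script>"}"
    )
    escaped_json = dump_html_escaped_json(malicious_dict, cls=self.SampleJSONEncoder)
    # assertEqual replaces the deprecated assertEquals alias (removed in Python 3.12).
    self.assertEqual(expected_custom_escaped_json, escaped_json)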
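def test_dump_html_escaped_json_with_custom_encoder_escapes_unsafe_html(self):
    """
    Test dump_html_escaped_json first encodes with custom JSONEncoder before escaping &, <, and >

    The test encoder class should first perform the replacement of "<script>" with
    "sample-encoder-was-here", and then should escape the remaining &, <, and >.

    Escaping must be applied after the encoder has run, so that whatever a
    custom encoder emits still passes through the escaping step.
    """
    hostile_key = "</script><script>alert('hello, ');</script>"
    # The value goes through the custom encoder; the plain-string key does not,
    # which is why the expected key still contains "<script>".
    # NOTE(review): NoDefaultEncoding / SampleJSONEncoder live on the test class,
    # outside this view -- their behavior is taken from the docstring above.
    wrapped_value = self.NoDefaultEncoding("</script><script>alert('&world!');</script>")
    malicious_dict = {hostile_key: wrapped_value}
    # NOTE(review): the literal below is reproduced as the page shows it. It is
    # not valid Python and contains unescaped markup, so the entity escapes it
    # is meant to assert were presumably decoded by the page rendering; take
    # the real expected value from the repository -- TODO confirm.
    expected_custom_escaped_json = (
        "{"</script><script>alert('hello, ');</script>": "
        ""</script>sample-encoder-was-herealert('&world!');</script>"}"
    )
    escaped_json = dump_html_escaped_json(malicious_dict, cls=self.SampleJSONEncoder)
    # The assertEquals alias is deprecated and gone in Python 3.12; use assertEqual.
    self.assertEqual(expected_custom_escaped_json, escaped_json)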