    def test_django_tags_escaped(self):
        """Template syntax found in page HTML is neutralised, not executed.

        Braces are turned into numeric character references so that Django
        never sees a ``{% %}`` or ``{{ }}`` construct coming from page
        content, while pre-existing entities pass through untouched.
        """
        prefix = ''.join(tag_imports)
        cases = [
            # a template tag smuggled into page content
            ("<div>{% if 1 %}evil{% endif %}</div>",
             "<div>&#123;% if 1 %&#125;evil&#123;% endif %&#125;</div>"),
            # doubled braces must not collapse into a valid tag either
            ("<div>{{% if 1 %}}evil{{% endif %}}</div>",
             "<div>&#123;&#123;% if 1 %&#125;&#125;evil"
             "&#123;&#123;% endif %&#125;&#125;</div>"),
            # malicious use of intermediate sanitization
            ("<div>{amp}</div>",
             "<div>&#123;amp&#125;</div>"),
            # preserves entities
            ('<div>&amp;&lt; then &#123;</div>',
             "<div>&amp;&lt; then &#123;</div>"),
        ]
        for html, expected in cases:
            self.assertEqual(html_to_template_text(html), prefix + expected)
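 def test_embed_whitelist_reject(self):
     """An embed pointing at a host that is not approved is refused.

     The rendered output must carry the refusal message instead of the
     iframe that was embedded in the plugin span.
     """
     html = ('<span class="plugin embed">&lt;iframe src="http://evil.com"'
             '&gt;&lt;/iframe&gt;</span>')
     template = Template(html_to_template_text(html))
     rendered = template.render(Context())
     # assertIn replaces the deprecated failUnless alias and reports the
     # rendered text on failure instead of a bare "False is not true".
     self.assertIn('The embedded URL is not on the list of approved '
                   'providers', rendered)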
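 def get_content(self, context):
     """Return the template text for the included page.

     Two error cases are rendered as an inline ``<p class="plugin
     includepage">`` message instead: the target page does not exist
     (``self.page`` is falsy), or including it would recurse into a page
     that is already being expanded.

     ``context['_include_stack']`` is a list of page names currently being
     expanded; the current page's name is pushed on entry and popped on
     every exit so nested includes see the whole chain and outer includes
     never see a stale entry.
     """
     if not self.page:
         # NOTE(review): page_url/page_name are interpolated into HTML
         # without escaping here; confirm they are sanitised upstream.
         return (('<p class="plugin includepage">' + _(
             'Unable to include '
             '<a href="%(page_url)s" class="missing_link">%(page_name)s</a>'
         ) + '</p>') % {
             'page_url': self.get_page_url(),
             'page_name': self.name
         })
     # prevent endless loops
     context_page = context['page']
     include_stack = context.get('_include_stack', [])
     # The list may be shared with an outer include, so the name pushed
     # here must be popped again on every path out of this method.
     include_stack.append(context_page.name)
     if self.page.name in include_stack:
         include_stack.pop()
         return (('<p class="plugin includepage">' + _(
             'Unable to'
             ' include <a href="%(page_url)s">%(page_name)s</a>: endless include'
             ' loop.') + '</p>') % {
                 'page_url': self.get_page_url(),
                 'page_name': self.page.name
             })
     context['_include_stack'] = include_stack
     context['page'] = self.page
     try:
         template_text = html_to_template_text(self.page.content, context)
     finally:
         # restore context, also when the conversion raises
         context['_include_stack'].pop()
         context['page'] = context_page
     return template_text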
 def test_include_tag(self):
     """An includepage plugin anchor is rewritten into an include_page tag."""
     expected = ('<div>{% include_page "Front_Page" %}'
                 '</div>')
     source = '<a class="plugin includepage" href="Front_Page">Front Page</a>'
     result = html_to_template_text(source)
     self.assertEqual(result, ''.join(tag_imports) + expected)
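 def test_amp_in_link_with_class(self):
     """The entity-encoded ampersand in a link's query string survives rendering."""
     page = Page(name='Explore')
     html = ('<p><a class="external something" '
             'href="http://example.org/?t=1&amp;i=2">hi</a></p>')
     template = Template(html_to_template_text(html))
     rendered = template.render(Context({'page': page}))
     # assertIn instead of the deprecated failUnless alias: same check, but
     # the failure message shows the rendered output.
     self.assertIn('http://example.org/?t=1&amp;i=2', rendered)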
 def test_embed_tag(self):
     """An embed plugin span becomes an embed_code block wrapping the same body."""
     source = ('<span class="plugin embed">&lt;strong&gt;Hello&lt;/strong&gt;'
               '</span>')
     expected = ''.join(tag_imports) + (
         '{% embed_code %} &lt;strong&gt;Hello&lt;'
         '/strong&gt; {% endembed_code %}')
     self.assertEqual(html_to_template_text(source), expected)
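 def test_embed_whitelist_accept(self):
     """An embed from an approved provider is rendered as a real iframe."""
     html = ('<span class="plugin embed">&lt;iframe '
             'src="http://www.youtube.com/embed/JVRsWAjvQSg"'
             '&gt;&lt;/iframe&gt;</span>')
     template = Template(html_to_template_text(html))
     rendered = template.render(Context())
     # assertIn instead of the deprecated failUnless alias; the failure
     # message then shows the rendered output.
     self.assertIn(
         '<iframe src="http://www.youtube.com/embed/JVRsWAjvQSg"></iframe>',
         rendered)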
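 def render(self, context):
     """Render the HTML held in ``html_var`` through the wiki template pipeline.

     Any failure while resolving, converting or rendering is swallowed and
     an empty string is returned, unless ``settings.TEMPLATE_DEBUG`` is on,
     in which case the error propagates so it is visible in development.
     """
     try:
         html = unicode(self.html_var.resolve(context))
         t = Template(html_to_template_text(html))
         return self.render_template(t, context)
     except Exception:
         # ``except Exception`` rather than a bare ``except``: the bare form
         # would also swallow KeyboardInterrupt and SystemExit.
         if settings.TEMPLATE_DEBUG:
             raise
         return ''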
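 def render(self, context):
     """Render the HTML held in ``html_var`` through the wiki template pipeline.

     Errors are swallowed and an empty string is returned, except when
     ``settings.TEMPLATE_DEBUG`` is on; then the error propagates so it is
     visible during development.
     """
     try:
         html = unicode(self.html_var.resolve(context))
         t = Template(html_to_template_text(html))
         return self.render_template(t, context)
     except Exception:
         # Not a bare ``except``: KeyboardInterrupt and SystemExit must
         # still propagate.
         if settings.TEMPLATE_DEBUG:
             raise
         return ''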
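    def test_link_tag(self):
        """Anchors are rewritten into link/endlink tags, keeping their text.

        The href goes into the opening tag; whatever the anchor contained
        (nothing, or inline text) is kept between the two tags.
        """
        imports = ''.join(tag_imports)
        # The case with anchor text was previously asserted twice verbatim;
        # the duplicate added no coverage and is dropped.
        cases = [
            ('<div><a href="http://example.org"></a></div>',
             '<div>{% link "http://example.org" %}{% endlink %}</div>'),
            ('<div><a href="http://example.org">hi!</a></div>',
             '<div>{% link "http://example.org" %}hi!{% endlink %}</div>'),
        ]
        for html, expected in cases:
            self.assertEqual(html_to_template_text(html), imports + expected)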
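 def test_endless_include(self):
     """A page that includes itself yields the endless-loop message.

     The render context carries the page itself, so the very first nested
     include already closes the loop.
     """
     a = Page(name='Front Page')
     a.content = '<a class="plugin includepage" href="Front_Page">dummy</a>'
     a.save()
     context = Context({'page': a})
     template = Template(html_to_template_text(a.content, context))
     html = template.render(context)
     # assertIn rather than the deprecated failUnless alias, so a failure
     # shows the rendered HTML.
     self.assertIn(('Unable to include <a href="/Front_Page">Front Page'
                    '</a>: endless include loop'), html)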
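 def test_include_nonexistant(self):
     """Including a page that does not exist yields a missing-link message."""
     a = Page(name='Front Page')
     a.content = '<a class="plugin includepage" href="New page">dummy</a>'
     a.save()
     context = Context({'page': a})
     template = Template(html_to_template_text(a.content, context))
     html = template.render(context)
     # assertIn rather than the deprecated failUnless alias, so a failure
     # shows the rendered HTML.
     self.assertIn(('Unable to include <a href="/New_page"'
                    ' class="missing_link">New page</a>'), html)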
    def test_include_plugin(self):
        """A page that includes another page renders the other page's content."""
        outer = Page(name='Front Page')
        outer.content = '<a class="plugin includepage" href="Explore">dummy</a>'
        outer.save()

        inner = Page(name='Explore')
        inner.content = '<p>Some text</p>'
        inner.save()

        context = Context({'page': outer})
        rendered = Template(
            html_to_template_text(outer.content, context)).render(context)
        self.assertEqual(rendered, '<div><p>Some text</p></div>')
    def test_include_plugin(self):
        """Including another page renders that page's content in a div."""
        pages = {}
        for name, content in (
                ('Front Page',
                 '<a class="plugin includepage" href="Explore">dummy</a>'),
                ('Explore', '<p>Some text</p>')):
            page = Page(name=name)
            page.content = content
            page.save()
            pages[name] = page

        front = pages['Front Page']
        context = Context({'page': front})
        template = Template(html_to_template_text(front.content, context))
        self.assertEqual(template.render(context),
                         '<div><p>Some text</p></div>')
    def test_django_tags_escaped(self):
        """Template syntax inside page HTML is escaped, entities are kept.

        Braces become numeric character references so Django never sees a
        ``{% %}`` or ``{{ }}`` construct originating from page content.
        """
        imports = ''.join(tag_imports)

        def check(html, expected):
            self.assertEqual(html_to_template_text(html), imports + expected)

        check("<div>{% if 1 %}evil{% endif %}</div>",
              "<div>&#123;% if 1 %&#125;evil&#123;% endif %&#125;</div>")

        check("<div>{{% if 1 %}}evil{{% endif %}}</div>",
              "<div>&#123;&#123;% if 1 %&#125;&#125;evil"
              "&#123;&#123;% endif %&#125;&#125;</div>")

        # malicious use of intermediate sanitization
        check("<div>{amp}</div>",
              "<div>&#123;amp&#125;</div>")

        # preserves entities
        check('<div>&amp;&lt; then &#123;</div>',
              "<div>&amp;&lt; then &#123;</div>")
    def test_include_plugin_utf8(self):
        """Including a page whose name is non-ASCII works end to end."""
        inner_name = u'青平台基金會'

        outer = Page(name='Front Page')
        outer.content = (u'<a class="plugin includepage" '
                         u'href="青平台基金會">dummy</a>')
        outer.save()

        inner = Page(name=inner_name)
        inner.content = u'<p>青平台基金會</p>'
        inner.save()

        context = Context({'page': outer})
        rendered = Template(
            html_to_template_text(outer.content, context)).render(context)
        expected = (u'<div class="included_page_wrapper">'
                    u'<p>青平台基金會</p></div>')
        self.assertEqual(rendered, expected)
    def test_include_showtitle(self):
        """The includepage_showtitle class prepends a linked h2 title."""
        outer = Page(name='Front Page')
        outer.content = ('<a class="plugin includepage includepage_showtitle"'
                         ' href="Explore">dummy</a>')
        outer.save()

        inner = Page(name='Explore')
        inner.content = '<p>Some text</p>'
        inner.save()

        expected = ('<div><h2><a href="/Explore">Explore</a></h2>'
                    '<p>Some text</p></div>')
        context = Context({'page': outer})
        template = Template(html_to_template_text(outer.content, context))
        self.assertEqual(template.render(context), expected)
    def test_include_width(self):
        """A width style on the plugin anchor is carried onto the wrapper div."""
        outer = Page(name='Front Page')
        outer.content = ('<a class="plugin includepage" style="width: 100px"'
                         ' href="Explore">dummy</a>')
        outer.save()

        inner = Page(name='Explore')
        inner.content = '<p>Some text</p>'
        inner.save()

        context = Context({'page': outer})
        rendered = Template(
            html_to_template_text(outer.content, context)).render(context)
        expected = ('<div class="included_page_wrapper" style="width: 100px;">'
                    '<p>Some text</p></div>')
        self.assertEqual(rendered, expected)
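 def render(self, context):
     """Render the HTML in ``html_var`` through the wiki template pipeline.

     When ``self.nofollow`` is set, a ``_render_nofollow`` marker is placed
     in the context for the duration of the render (presumably read by
     nested tags -- confirm against the link tag) and removed afterwards.
     Errors are swallowed and an empty string returned, unless
     ``settings.TEMPLATE_DEBUG`` is on, in which case they propagate.
     """
     try:
         html = unicode(self.html_var.resolve(context))
         if self.nofollow:
             context['_render_nofollow'] = True
         try:
             t = Template(
                 html_to_template_text(html, context, self.render_plugins))
             return self.render_template(t, context)
         finally:
             # Clear the marker on success and on error alike, so a failed
             # render cannot leave nofollow switched on for later nodes.
             if self.nofollow and '_render_nofollow' in context:
                 del context['_render_nofollow']
     except Exception:
         # Not a bare ``except``: KeyboardInterrupt/SystemExit must propagate.
         if settings.TEMPLATE_DEBUG:
             raise
         # Return a string rather than falling through to None, so the
         # caller never has to stringify None.
         return ''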
    def test_include_showtitle(self):
        """The includepage_showtitle class prepends a linked h2 title."""
        pages = {}
        for name, content in (
                ('Front Page',
                 '<a class="plugin includepage includepage_showtitle"'
                 ' href="Explore">dummy</a>'),
                ('Explore', '<p>Some text</p>')):
            page = Page(name=name)
            page.content = content
            page.save()
            pages[name] = page

        front = pages['Front Page']
        context = Context({'page': front})
        rendered = Template(
            html_to_template_text(front.content, context)).render(context)
        self.assertEqual(
            rendered,
            '<div><h2><a href="/Explore">Explore</a></h2>'
            '<p>Some text</p></div>')
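 def render(self, context):
     """Render the HTML in ``html_var`` through the wiki template pipeline.

     When ``self.nofollow`` is set, a ``_render_nofollow`` marker is placed
     in the context while rendering and removed again afterwards. Errors
     are swallowed and an empty string returned, unless
     ``settings.TEMPLATE_DEBUG`` is on, in which case they propagate.
     """
     try:
         html = unicode(self.html_var.resolve(context))
         if self.nofollow:
             context['_render_nofollow'] = True
         try:
             t = Template(
                 html_to_template_text(html, context, self.render_plugins))
             return self.render_template(t, context)
         finally:
             # Always remove the marker, also when rendering raised, so a
             # failed render cannot leave nofollow switched on.
             if self.nofollow and '_render_nofollow' in context:
                 del context['_render_nofollow']
     except Exception:
         # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
         # are not swallowed.
         if settings.TEMPLATE_DEBUG:
             raise
         # Return a string instead of implicitly returning None.
         return ''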
    def test_double_include(self):
        """Multiple includes of the same page are fine; each gets a wrapper."""
        include_anchor = '<a class="plugin includepage" href="Explore">dummy</a>'

        outer = Page(name='Front Page')
        outer.content = include_anchor + include_anchor
        outer.save()

        inner = Page(name='Explore')
        inner.content = '<p>Some text</p>'
        inner.save()

        wrapped = '<div class="included_page_wrapper"><p>Some text</p></div>'
        context = Context({'page': outer})
        template = Template(html_to_template_text(outer.content, context))
        self.assertEqual(template.render(context), wrapped + wrapped)
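 def get_content(self, context):
     """Return the template text for the included page.

     A missing target page (``self.page`` falsy) or an include that would
     recurse into a page already being expanded yields an inline
     ``<p class="plugin includepage">`` error message instead.

     ``context['_include_stack']`` lists the page names currently being
     expanded. The current page's name is pushed on entry and popped on
     every exit, so an outer include never sees a stale entry.
     """
     if not self.page:
         # NOTE(review): page_url/page_name are interpolated into HTML
         # without escaping here; confirm they are sanitised upstream.
         return (('<p class="plugin includepage">' + _('Unable to include '
                 '<a href="%(page_url)s" class="missing_link">%(page_name)s</a>') + '</p>')
                 % {'page_url': self.get_page_url(), 'page_name': self.name})
     # prevent endless loops
     context_page = context['page']
     include_stack = context.get('_include_stack', [])
     # The list may be shared with an outer include, so the name pushed
     # here must be popped on every path out of this method.
     include_stack.append(context_page.name)
     if self.page.name in include_stack:
         include_stack.pop()
         return (('<p class="plugin includepage">' + _('Unable to'
                 ' include <a href="%(page_url)s">%(page_name)s</a>: endless include'
                 ' loop.') + '</p>') % {'page_url': self.get_page_url(), 'page_name': self.page.name})
     context['_include_stack'] = include_stack
     context['page'] = self.page
     try:
         template_text = html_to_template_text(self.page.content, context)
     finally:
         # restore context, also when the conversion raises
         context['_include_stack'].pop()
         context['page'] = context_page
     return template_text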
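 def get_content(self, context):
     """Return the template text for the included page.

     A missing target page (``self.page`` falsy) or an include that would
     recurse into a page already being expanded yields an inline
     ``<p class="plugin includepage">`` error message instead.

     ``context['_include_stack']`` lists the page names currently being
     expanded; the current page's name is pushed on entry and popped on
     every exit so outer includes never see a stale entry.
     """
     if not self.page:
         page_url = reverse('pages:show', args=[name_to_url(self.name)])
         # NOTE(review): self.name is interpolated into HTML without
         # escaping; confirm it is sanitised upstream.
         return ('<p class="plugin includepage">Unable to include '
                 '<a href="%s" class="missing_link">%s</a></p>'
                 % (page_url, self.name))
     # prevent endless loops
     context_page = context['page']
     include_stack = context.get('_include_stack', [])
     # The list may be shared with an outer include, so the name pushed
     # here must be popped on every path out of this method.
     include_stack.append(context_page.name)
     if self.page.name in include_stack:
         include_stack.pop()
         return ('<p class="plugin includepage">Unable to'
                 ' include <a href="%s">%s</a>: endless include'
                 ' loop.</p>' % (name_to_url(self.name), self.name))
     context['_include_stack'] = include_stack
     context['page'] = self.page
     try:
         template_text = html_to_template_text(self.page.content, context)
     finally:
         # restore context, also when the conversion raises
         context['_include_stack'].pop()
         context['page'] = context_page
     return template_text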
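 def render(self, context):
     """Render the HTML in ``html_var``, expanding wiki templates first.

     Wiki ``{{...}}`` templates found by mwparserfromhell are replaced via
     ``render_wiki_template`` before the HTML goes through the wiki template
     pipeline. A ``%% twitter %%`` placeholder in the result is swapped for
     a timeline link plus the widgets script. When ``self.nofollow`` is set
     a ``_render_nofollow`` marker is kept in the context while rendering.
     Errors are swallowed and an empty string returned, unless
     ``settings.TEMPLATE_DEBUG`` is on, in which case they propagate.
     """
     self.process_context(context)
     try:
         html = unicode(self.html_var.resolve(context))
         wiki = mwparserfromhell.parse(html)
         for ft in wiki.filter_templates():
             wiki.replace(ft, self.render_wiki_template(ft.name, ft.params))
         html = unicode(wiki)
         if self.nofollow:
             context['_render_nofollow'] = True
         try:
             t = Template(html_to_template_text(html, context, self.render_plugins))
             html = self.render_template(t, context)
         finally:
             # Always remove the marker, also when rendering raised, so a
             # failed render cannot leave nofollow switched on.
             if self.nofollow and '_render_nofollow' in context:
                 del context['_render_nofollow']
         if '%% twitter %%' in html:
             html = html.replace('%% twitter %%', u'<a class="twitter-timeline" href="https://twitter.com/lowiki_tw">即時訊息</a>')
             html = html + ' <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>'
         return html
     except Exception:
         # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
         # are not swallowed.
         if settings.TEMPLATE_DEBUG:
             raise
         # Return a string instead of implicitly returning None.
         return ''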
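    def render(self, context):
        """Render the page named by ``self.page_name`` inline.

        The page is looked up by slug; with ``showtitle`` among the args a
        linked h2 header is prepended. A page that is already on the
        context's ``_include_stack`` is replaced by an endless-loop message,
        and a page that does not exist by a missing-link message. Any other
        error yields an empty string unless ``settings.TEMPLATE_DEBUG`` is
        on, in which case it propagates.
        """
        try:
            try:
                page = Page.objects.get(slug__exact=slugify(self.page_name))
                header = ''
                if 'showtitle' in self.args:
                    header = ('<h2><a href="%s">%s</a></h2>'
                                % (page.pretty_slug, page.name))
                content = header + page.content

                # prevent endless loops
                context_page = context['page']
                include_stack = context.get('_include_stack', [])
                include_stack.append(context_page.name)
                if page.name in include_stack:
                    # NOTE(review): page_name is interpolated into HTML
                    # without escaping; confirm it is sanitised upstream.
                    content = ('<p class="plugin includepage">Unable to'
                               ' include <a href="%s">%s</a>: endless include'
                               ' loop.</p>' % (self.page_name, self.page_name))
                context['_include_stack'] = include_stack
                context['page'] = page
                try:
                    template_text = html_to_template_text(content, context)
                finally:
                    # restore context, also when the conversion raises, so
                    # the outer include never sees a stale stack entry
                    context['_include_stack'].pop()
                    context['page'] = context_page
            except Page.DoesNotExist:
                page_url = reverse('pages:show',
                                   args=[name_to_url(self.page_name)])
                template_text = ('<p class="plugin includepage">Unable to'
                        ' include <a href="%s" class="missing_link">%s</a></p>'
                        % (page_url, self.page_name))
            template = Template(template_text)
            return self.render_template(template, context)
        except Exception:
            # Narrowed from a bare ``except`` so KeyboardInterrupt and
            # SystemExit are not swallowed.
            if settings.TEMPLATE_DEBUG:
                raise
            return ''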
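 def get_content(self, context):
     """Return the template text for the included page.

     A missing target page (``self.page`` falsy) or an include that would
     recurse into a page already being expanded yields an inline
     ``<p class="plugin includepage">`` error message instead.

     ``context["_include_stack"]`` lists the page names currently being
     expanded; the current page's name is pushed on entry and popped on
     every exit so outer includes never see a stale entry.
     """
     if not self.page:
         # NOTE(review): page_url/page_name are interpolated into HTML
         # without escaping here; confirm they are sanitised upstream.
         return (
             '<p class="plugin includepage">'
             + _("Unable to include " '<a href="%(page_url)s" class="missing_link">%(page_name)s</a>')
             + "</p>"
         ) % {"page_url": self.get_page_url(), "page_name": self.name}
     # prevent endless loops
     context_page = context["page"]
     include_stack = context.get("_include_stack", [])
     # The list may be shared with an outer include, so the name pushed
     # here must be popped on every path out of this method.
     include_stack.append(context_page.name)
     if self.page.name in include_stack:
         include_stack.pop()
         return (
             '<p class="plugin includepage">'
             + _("Unable to" ' include <a href="%(page_url)s">%(page_name)s</a>: endless include' " loop.")
             + "</p>"
         ) % {"page_url": self.get_page_url(), "page_name": self.page.name}
     context["_include_stack"] = include_stack
     context["page"] = self.page
     try:
         template_text = html_to_template_text(self.page.content, context)
     finally:
         # restore context, also when the conversion raises
         context["_include_stack"].pop()
         context["page"] = context_page
     return template_text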
 def is_exploitable(self, exploit):
     """Return whether ``exploit`` still yields a script after cleaning and rendering.

     The payload is stored as page content, passed through the model's field
     cleaning, converted to template text and rendered; the result is then
     checked with ``contains_script``.
     """
     candidate = Page(name='XSS Test', content=exploit)
     candidate.clean_fields()
     template = Template(html_to_template_text(candidate.content))
     rendered = template.render(Context())
     return self.contains_script(rendered)
 def test_nbsp_outside_of_element(self):
     """A non-breaking space outside any element is passed through unchanged."""
     source = u'a\xa0<strong>\xa0</strong>\n'
     expected = ''.join(tag_imports) + u'a\xa0<strong>\xa0</strong>\n'
     self.assertEqual(html_to_template_text(source), expected)
 def test_empty_a_element(self):
     """An empty named anchor (no href) is left as plain HTML."""
     source = '<p><a name="blah"></a></p>'
     expected = ''.join(tag_imports) + '<p><a name="blah"></a></p>'
     self.assertEqual(html_to_template_text(source), expected)
 def test_empty_a_element(self):
     """An empty named anchor (no href) is left as plain HTML."""
     prefix = ''.join(tag_imports)
     result = html_to_template_text('<p><a name="blah"></a></p>')
     self.assertEqual(result, prefix + '<p><a name="blah"></a></p>')
 def test_nbsp_outside_of_element(self):
     """A non-breaking space outside any element comes back UTF-8 encoded.

     NOTE(review): the input is a unicode literal but the expected value is a
     byte string holding the UTF-8 encoding of U+00A0 -- confirm this is the
     intended return type of html_to_template_text.
     """
     prefix = ''.join(tag_imports)
     result = html_to_template_text(u'a\xa0<strong>\xa0</strong>\n')
     self.assertEqual(result, prefix + 'a\xc2\xa0<strong>\xc2\xa0</strong>\n')
 def test_plaintext(self):
     """Plain text with no markup is returned as-is after the tag imports."""
     expected = ''.join(tag_imports) + "No XHTML"
     self.assertEqual(html_to_template_text("No XHTML"), expected)