Exemplo n.º 1
 def testStripHtmlTags_whitelist(self):
     """Whitelisted tags survive stripping, but never with their attributes."""
     # <br> is not on the whitelist and is dropped; <b> is kept.
     stripped = utils.StripHtmlTags('a<b>c</b><br>d', tag_whitelist=['b'])
     self.assertEqual('a<b>c</b>d', stripped)

     # Attributes can carry script on their own, so the expected output has
     # them removed even though the tag itself is allowed.
     stripped = utils.StripHtmlTags('a<b attr="window.alert(\'ha\')">c</b>',
                                    tag_whitelist=['b'])
     self.assertEqual('a<b>c</b>', stripped)
Exemplo n.º 2
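def GetFeaturesFromXml(xml_content, layer=None):
    """Extracts a list of Feature objects from KML, GeoRSS, or Atom content.

    Args:
      xml_content: The XML document, in whatever form kmlify.ParseXml accepts.
      layer: Optional object with a .get() method (presumably a dict -- verify
          against callers); its 'id', 'type' and 'attribution' entries are
          copied onto every Feature.

    Returns:
      A list of Feature objects, one for each Placemark, entry or item
      element for which GetLocationFromXmlItem returns a location.
    """
    # NOTE(review): feed content is untrusted input. kmlify.ParseXml is not
    # shown here -- confirm it rejects DTDs and external entities.
    root = kmlify.ParseXml(xml_content)
    # iter() replaces getiterator(), which was deprecated and then removed
    # from xml.etree in Python 3.9.
    for element in root.iter():
        element.tag = element.tag.split('}')[-1]  # remove XML namespaces
    features = []
    for item in (root.findall('.//Placemark') + root.findall('.//entry') +
                 root.findall('.//item')):
        location = GetLocationFromXmlItem(item)
        if not location:
            continue
        # Iterating the element directly replaces the removed getchildren().
        texts = {child.tag: GetText(child) for child in item}
        # For now strip description of all the html tags to prevent XSS
        # vulnerabilities except some basic text formatting tags
        # TODO(user): sanitization should move closer to render time
        # (revisit this once iframed version goes away) - b/17374443
        description_html = (texts.get('description') or texts.get('content')
                            or texts.get('summary') or '')
        # The result is tag-stripped, not entity-escaped: whitelisted tags
        # remain as markup.
        description_stripped = utils.StripHtmlTags(
            description_html, tag_whitelist=['b', 'u', 'i', 'br', 'div'])
        # NOTE(review): unlike the description, the title/name text is passed
        # on as-is; confirm it is escaped wherever it is rendered.
        title = texts.get('title') or texts.get('name')
        layer_attr = layer and layer.get('attribution')
        features.append(
            Feature(title,
                    description_stripped,
                    location,
                    layer and layer.get('id'),
                    layer and layer.get('type'),
                    html_attrs=([layer_attr] if layer_attr else [])))
    return features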
Exemplo n.º 3
def ToPlainText(desc):
  """Converts a map description to plain text for use in a <meta> tag.

  Args:
    desc: Description HTML, or None (treated as an empty string).

  Returns:
    The description with opening block tags turned into ' / ' separators
    and every remaining tag removed by utils.StripHtmlTags.
  """
  html = desc or ''
  # There is no word boundary after the tag name, so longer names that start
  # with one of these (e.g. <pre>, <link>) are turned into separators too.
  block_tag_re = re.compile(r'<(p|div|br|li|td)[^>]*>', re.I)
  separator_run_re = re.compile(r'(\s|&nbsp;)+(/(\s|&nbsp;)+)+')
  # Opening block tags become ' / '; runs of separators collapse into one.
  with_separators = block_tag_re.sub(' / ', html)
  collapsed = separator_run_re.sub(' / ', with_separators)
  # NOTE(review): the result is meant for a <meta> attribute value. Removing
  # tags does not by itself escape quote characters -- confirm the template
  # escapes the value for an attribute context.
  return utils.StripHtmlTags(collapsed)
Exemplo n.º 4
 def testStripHtmlTags(self):
     """With no whitelist, tags are removed and the surrounding text stays."""
     # (input, expected) pairs, checked in order.
     cases = [
         ('a<b>c</b>', 'ac'),
         ('<a href="URL">link</a>', 'link'),
         # Only the <script> tags are removed; the text between them is kept
         # as plain text.
         ('just<script>some</script>js', 'justsomejs'),
         # Entity and character references pass through unchanged.
         ('foo &amp; bar', 'foo &amp; bar'),
         ('foo &#123; bar', 'foo &#123; bar'),
         ('foo &#xf8; bar', 'foo &#xf8; bar'),
     ]
     for raw, expected in cases:
         self.assertEqual(expected, utils.StripHtmlTags(raw))
Exemplo n.º 5
 def testStripHtmlTags_subChar(self):
     """tag_sub is substituted for removed tags instead of deleting them."""
     # The adjacent </b><br> pair yields a single space in the expected
     # output, not two.
     stripped = utils.StripHtmlTags('a<b>c</b><br>d', tag_sub=' ')
     self.assertEqual('a c d', stripped)