    def test_edit_taintedstring(self):
        """Editing with a TaintedString yields an HTML-quoted body on read.

        Input the publisher flagged as tainted (it contained ``<``) must not
        come back verbatim from ``read()``: the escaped form is what reaches
        a browser, so the raw tag never does.
        """
        from AccessControl.tainted import TaintedString
        document = self._makeOne()
        # A fresh document starts out empty.
        self.assertEqual(document.read(), '')

        payload = TaintedString('hello<br/>')
        document.manage_edit(payload, 'title')
        # Angle brackets are returned escaped, never as a live tag.
        self.assertEqual(document.read(), 'hello&lt;br/&gt;')
    def test_newline_to_br_tainted(self):
        """``newline_to_br`` quotes tainted input before adding ``<br />``.

        A TaintedString carrying ``<li>`` tags must come out with those tags
        HTML-escaped and a ``<br />`` appended to every line, so the only
        live markup in the result is what the filter itself emitted.
        """
        from AccessControl.tainted import TaintedString
        from DocumentTemplate import DT_Var

        source = '\n<li>line one</li>\n<li>line two</li>\n'
        expected = (
            '<br />\n'
            '&lt;li&gt;line one&lt;/li&gt;<br />\n'
            '&lt;li&gt;line two&lt;/li&gt;<br />\n'
        )
        rendered = DT_Var.newline_to_br(TaintedString(source))
        self.assertEqual(rendered, expected)
    def __call__(self, *args, **kw):
        tainted = 0
        args = list(args)
        for i in range(len(args)):
            if isinstance(args[i], TaintedString):
                tainted = 1
                args[i] = str(args[i])
        for k, v in kw.items():
            if isinstance(v, TaintedString):
                tainted = 1
                kw[k] = str(v)
        args = tuple(args)

        retval = self._method(*args, **kw)
        if tainted and isinstance(retval, str) and '<' in retval:
            retval = TaintedString(retval)
        return retval
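 def test_raise_StandardErrorMessage_TaintedString_errorValue(self):
     """A tainted error_value is quoted before it is re-raised.

     ``raise_standardErrorMessage`` is handed a ``TaintedString`` as the
     error value while the ``standard_error_message`` hook itself blows up.
     The original error type must still propagate, and the re-raised value
     must no longer contain the raw ``<`` -- otherwise unescaped request
     input would land in an error page.

     The previous form of this test caught the exception with a bare
     ``except:``: if nothing was raised at all, the assertions were skipped
     and the test passed vacuously.  ``assertRaises`` makes a missing
     exception a failure.
     """
     from AccessControl.tainted import TaintedString

     class REQUEST(object):
         class RESPONSE(object):
             handle_errors = True

     item = self._makeOne()

     def _raise_during_standard_error_message(*args, **kw):
         raise ZeroDivisionError('testing')

     item.standard_error_message = _raise_during_standard_error_message

     with self.assertRaises(OverflowError) as caught:
         item.raise_standardErrorMessage(
             error_type=OverflowError,
             error_value=TaintedString('<simple>'),
             REQUEST=REQUEST(),
         )
     # ``.message`` only exists on Python 2 exceptions; ``str()`` gives the
     # same text for a single-argument exception and works on both versions.
     self.assertNotIn('<', str(caught.exception))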
    def test_find_text_tainted(self):
        """ZopeFind accepts tainted search terms.

        The publisher wraps request input that looks like HTML in
        ``TaintedString``/``TaintedBytes`` (e.g. a tag typed into the Find
        tab's "containing" field).  Searching with such a wrapper has to
        behave like searching with the plain value: both documents match.
        """
        from AccessControl.tainted import TaintedBytes
        from AccessControl.tainted import TaintedString

        needle = 'findme'
        for doc_id in ('doc1', 'doc2'):
            self.base[doc_id] = DummyItem(doc_id, text=needle)
        expected_ids = set(['doc1', 'doc2'])

        # Both the text and the bytes flavour must be searchable.
        for term in (TaintedString(needle), TaintedBytes(six.b(needle))):
            hits = self.base.ZopeFind(self.base, obj_searchterm=term)
            self.assertEqual(len(hits), 2)
            self.assertEqual(set([hit[0] for hit in hits]), expected_ids)
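    def render(self, md):
        """Render this ``<dtml-var>`` tag against the mapping ``md``.

        Resolution order:

        1. Look the value up: ``self.expr`` is evaluated when present,
           otherwise ``self.__name__`` is fetched from ``md`` (``url`` asks
           the object for ``absolute_url()``; ``missing`` supplies a fallback
           when the name is absent, else ``KeyError`` is raised).
        2. ``null`` short-circuits false-but-not-zero values (``None``, ``''``,
           ``[]``).
        3. ``fmt`` applies a named formatter: a method of the value, looked up
           through ``md.guarded_getattr`` when the mapping offers one
           (presumably so the usual access checks apply -- confirm against
           the mapping implementation), an entry of ``special_formats``, or
           a ``%``-style format string.
        4. ``self.fmt`` is applied as the final ``%`` conversion, then the
           ``upper``/``lower``/... modifiers, then ``size``/``etc`` truncation.

        Taint handling is the security-relevant part: a ``TaintedString``
        (request input that contained ``<``) is kept tainted through every
        step, the ``html-quote`` format and ``html_quote`` modifier are
        skipped for it so it is not double-escaped, and it is HTML-quoted
        exactly once via ``quoted()`` right before being returned.

        Returns the rendered value (normally a str; ``args['missing']`` or
        ``args['null']`` are returned untouched when those shortcuts fire).
        Raises ``KeyError`` for an unknown name without ``missing`` and
        ``ValueError`` for a non-integer ``size``.
        """
        args = self.args
        name = self.__name__

        val = self.expr

        if val is None:
            if name in md:
                if 'url' in args:
                    val = md.getitem(name, 0)
                    val = val.absolute_url()
                else:
                    val = md[name]
            else:
                if 'missing' in args:
                    return args['missing']
                raise KeyError(name)
        else:
            val = val.eval(md)
            if 'url' in args:
                val = val.absolute_url()

        # Picked up by Zope's traceback formatter to annotate error output.
        __traceback_info__ = name, val, args

        if 'null' in args and not val and val != 0:
            # check for null (false but not zero, including None, [], '')
            return args['null']

        # handle special formats defined using fmt= first
        if 'fmt' in args:
            # Prefer the mapping's guarded getattr for method lookups on the
            # value; fall back to plain getattr when it has none.
            _get = getattr(md, 'guarded_getattr', None)
            if _get is None:
                _get = getattr

            fmt = args['fmt']
            # The ``null`` case already returned above, so there is a single
            # path here.  The original duplicated this code under a
            # try/except guarded by the same ``null`` test, which could
            # never run (and used the removed ``sys.exc_type``).
            if hasattr(val, fmt):
                val = _get(val, fmt)()
            elif fmt in special_formats:
                if fmt == 'html-quote' and isinstance(val, TaintedString):
                    # TaintedStrings are quoted once at the end; don't
                    # double quote.
                    pass
                else:
                    val = special_formats[fmt](val, name, md)
            elif fmt == '':
                val = ''
            else:
                # A ``%`` format string wrapped around the value: the
                # result stays tainted if the input was.
                if isinstance(val, TaintedString):
                    val = TaintedString(fmt % val)
                else:
                    val = fmt % val

        # finally, pump it through the actual string format...
        fmt = self.fmt
        if fmt == 's':
            # Keep tainted strings as tainted strings here.
            if not isinstance(val, TaintedString):
                val = ustr(val)
        else:
            # Formatting yields a plain str; re-wrap it only if the input was
            # tainted and the marker survived the conversion.
            wastainted = isinstance(val, TaintedString)
            val = ('%' + self.fmt) % (val, )
            if wastainted and '<' in val:
                val = TaintedString(val)

        # next, look for upper, lower, etc
        for f in self.modifiers:
            if f.__name__ == 'html_quote' and isinstance(val, TaintedString):
                # TaintedStrings will be quoted by default, don't double quote.
                continue
            val = f(val)

        if 'size' in args:
            size = args['size']
            try:
                size = int(size)
            except Exception:
                raise ValueError(
                    'a <code>size</code> attribute was used in a '
                    '<code>var</code> tag with a non-integer value.')
            if len(val) > size:
                val = val[:size]
                # Cut at the last space when it lies in the second half, so a
                # word is not split in the middle.
                cut = val.rfind(' ')
                if cut > size / 2:
                    val = val[:cut + 1]
                val = val + (args['etc'] if 'etc' in args else '...')

        if isinstance(val, TaintedString):
            # The single point where tainted input gets HTML-escaped.
            val = val.quoted()

        return val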
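    def render(self, md):
        """Render this ``<dtml-var>`` tag against the mapping ``md``.

        The value is ``self.expr`` evaluated against ``md`` when present,
        otherwise ``md[self.__name__]`` (``url`` substitutes
        ``absolute_url()``; ``missing`` is returned for an absent name, else
        ``KeyError``).  ``null`` short-circuits false-but-not-zero values.
        ``fmt`` then applies a named formatter (a method of the value looked
        up via ``md.guarded_getattr`` when the mapping offers one, an entry
        of ``special_formats``, or a ``%`` format string), ``self.fmt`` is
        applied as the final ``%`` conversion, the ``upper``/``lower``/...
        modifiers run, and ``size``/``etc`` truncate the result.

        Taint handling is the security-relevant part: a ``TaintedString``
        (request input that contained ``<``) stays tainted through every
        step, the ``html-quote`` format and ``html_quote`` modifier are
        skipped for it to avoid double escaping, and it is HTML-quoted
        exactly once via ``quoted()`` just before being returned.

        Raises ``KeyError`` for an unknown name without ``missing`` and
        ``ValueError`` for a non-integer ``size``.  This is the Python 2 era
        variant; the ``raise X, y`` statements were rewritten as calls,
        ``has_key`` on plain dicts as ``in``, and the duplicated ``fmt``
        branch that ran under a ``null`` test already handled above (and so
        could never execute) was dropped.
        """
        args = self.args
        name = self.__name__

        val = self.expr

        if val is None:
            # ``md`` is a TemplateDict; keep its has_key() API as-is.
            if md.has_key(name):
                if 'url' in args:
                    val = md.getitem(name, 0)
                    val = val.absolute_url()
                else:
                    val = md[name]
            else:
                if 'missing' in args:
                    return args['missing']
                raise KeyError(name)
        else:
            val = val.eval(md)
            if 'url' in args:
                val = val.absolute_url()

        # Picked up by Zope's traceback formatter to annotate error output.
        __traceback_info__ = name, val, args

        if 'null' in args and not val and val != 0:
            # check for null (false but not zero, including None, [], '')
            return args['null']

        # handle special formats defined using fmt= first
        if 'fmt' in args:
            # Prefer the mapping's guarded getattr for method lookups on the
            # value; fall back to plain getattr when it has none.
            _get = getattr(md, 'guarded_getattr', None)
            if _get is None:
                _get = getattr

            fmt = args['fmt']
            if hasattr(val, fmt):
                val = _get(val, fmt)()
            elif fmt in special_formats:
                if fmt == 'html-quote' and isinstance(val, TaintedString):
                    # TaintedStrings are quoted once at the end; don't
                    # double quote.
                    pass
                else:
                    val = special_formats[fmt](val, name, md)
            elif fmt == '':
                val = ''
            else:
                # A ``%`` format string wrapped around the value: the
                # result stays tainted if the input was.
                if isinstance(val, TaintedString):
                    val = TaintedString(fmt % val)
                else:
                    val = fmt % val

        # finally, pump it through the actual string format...
        fmt = self.fmt
        if fmt == 's':
            # Keep tainted strings as tainted strings here.
            if not isinstance(val, TaintedString):
                val = ustr(val)
        else:
            # Formatting yields a plain str; re-wrap it only if the input was
            # tainted and the marker survived the conversion.
            wastainted = isinstance(val, TaintedString)
            val = ('%' + self.fmt) % (val,)
            if wastainted and '<' in val:
                val = TaintedString(val)

        # next, look for upper, lower, etc
        for f in self.modifiers:
            if f.__name__ == 'html_quote' and isinstance(val, TaintedString):
                # TaintedStrings will be quoted by default, don't double quote.
                continue
            val = f(val)

        if 'size' in args:
            size = args['size']
            try:
                size = int(size)
            except Exception:
                raise ValueError(
                    '''a <code>size</code> attribute was used in a <code>var</code>
                tag with a non-integer value.''')
            if len(val) > size:
                val = val[:size]
                # Cut at the last space when it lies in the second half, so a
                # word is not split in the middle.  ``//`` keeps the integer
                # division the Python 2 ``/`` performed.
                cut = val.rfind(' ')
                if cut > size // 2:
                    val = val[:cut + 1]
                val = val + (args['etc'] if 'etc' in args else '...')

        if isinstance(val, TaintedString):
            # The single point where tainted input gets HTML-escaped.
            val = val.quoted()

        return val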