def create_token(self, token_string, in_tag):
"""
Convert the given token string into a new Token object and return it.
If in_tag is True, we are processing something that matched a tag,
otherwise it should be treated as a literal string.
"""
if in_tag and token_string.startswith(BLOCK_TAG_START):
# The [2:-2] ranges below strip off *_TAG_START and *_TAG_END.
# We could do len(BLOCK_TAG_START) to be more "correct", but we've
# hard-coded the 2s here for performance. And it's not like
# the TAG_START values are going to change anytime, anyway.
block_content = token_string[2:-2].strip()
if self.verbatim and block_content == self.verbatim:
self.verbatim = False
if in_tag and not self.verbatim:
if token_string.startswith(VARIABLE_TAG_START):
token = Token(TOKEN_VAR, token_string[2:-2].strip())
elif token_string.startswith(BLOCK_TAG_START):
if block_content[:9] in ('verbatim', 'verbatim '):
self.verbatim = 'end%s' % block_content
token = Token(TOKEN_BLOCK, block_content)
elif token_string.startswith(COMMENT_TAG_START):
content = ''
if token_string.find(TRANSLATOR_COMMENT_MARK):
content = token_string[2:-2].strip()
token = Token(TOKEN_COMMENT, content)
else:
token = Token(TOKEN_TEXT, token_string)
token.lineno = self.lineno
self.lineno += token_string.count('\n')
return token
def dehydrate(self, bundle):
var_array = []
if bundle.obj.urlaspattern:
token = Token("Text", bundle.obj.url)
var_array = token.split_contents()
bundle.data['var_array'] = var_array[1:]
return bundle
def locale_url(parser, token):
"""
Renders the url for the view with another locale prefix. The syntax is
like the 'url' tag, only with a locale before the view.
Examples:
{% locale_url "de" cal.views.day day %}
{% locale_url "nl" cal.views.home %}
{% locale_url "en-gb" cal.views.month month as month_url %}
"""
bits = token.split_contents()
if len(bits) < 3:
raise TemplateSyntaxError("'%s' takes at least two arguments:"
" the locale and a view" % bits[0])
urltoken = Token(token.token_type, bits[0] + ' ' + ' '.join(bits[2:]))
urlnode = defaulttags.url(parser, urltoken)
return LocaleURLNode(bits[1], urlnode)
def test_gravatar_xss(self):
"""Testing {% gravatar %} doesn't allow XSS injection"""
user = User(username='******',
first_name='"><script>alert(1);</script><"',
email='*****@*****.**')
node = gravatar(self.parser, Token(TOKEN_TEXT, 'gravatar user 32'))
context = {
'request': DummyRequest(),
'user': user,
}
self.assertEqual(
node.render(context),
'<img src="http://www.gravatar.com/avatar/'
'55502f40dc8b7c769880b10874abc9d0?s=32" width="32" height="32" '
'alt=""><script>alert(1);</script><"" '
'class="gravatar"/>')
def second_pass_render(request, content):
"""
Split on the secret delimiter and generate the token list by passing
through text outside of phased blocks as single text tokens and tokenizing
text inside the phased blocks. This ensures that nothing outside of the
phased blocks is tokenized, thus eliminating the possibility of a template
code injection vulnerability.
"""
result = tokens = []
for index, bit in enumerate(content.split(settings.PHASED_SECRET_DELIMITER)):
if index % 2:
tokens = Lexer(bit, None).tokenize()
else:
tokens.append(Token(TOKEN_TEXT, bit))
context = RequestContext(request,
restore_csrf_token(request, unpickle_context(bit)))
rendered = Parser(tokens).parse().render(context)
if settings.PHASED_SECRET_DELIMITER in rendered:
rendered = second_pass_render(request, rendered)
result.append(rendered)
return "".join(result)
def create_token(content):
return Token(TOKEN_BLOCK, content)
def forme():
return FormeParser([], Token(TOKEN_BLOCK, 'tag'))
def testError(self):
"""Testing errorbox tag (invalid usage)"""
self.assertRaises(
TemplateSyntaxError, lambda: djblets_deco.errorbox(
self.parser, Token(TOKEN_TEXT, 'errorbox "id" "foo"')))
def test_with_max_indents(self):
"""Testing condense tag with custom max_indents"""
node = djblets_email.condense(self.parser,
Token(TOKEN_TEXT, 'condense 1'))
self.assertEqual(node.render({}), "foo\nbar\nfoobar!")
def test_plain(self):
"""Testing condense tag"""
node = djblets_email.condense(self.parser,
Token(TOKEN_TEXT, 'condense'))
self.assertEqual(node.render({}), "foo\nbar\n\n\nfoobar!")
def testInvalid(self):
"""Testing quoted_email tag (invalid usage)"""
self.assertRaises(
TemplateSyntaxError, lambda: djblets_email.quoted_email(
self.parser, Token(TOKEN_TEXT, 'quoted_email')))