def test_markdown_inside_p():
    """Markdown inside a <p> is only converted when the block is separated by blank lines.

    A one-line ``<p>*test*</p>`` must come back unchanged; the same content
    with blank lines around it must be rendered (an ``em`` element appears).
    """
    single_line = '<p>*test*</p>'
    rendered = sanitizeInput(single_line).strip()
    assert rendered == '<p>*test*</p>'

    blank_line_wrapped = '<p>\n\n*test*\n\n</p>'
    rendered = sanitizeInput(blank_line_wrapped)
    assert 'em' in rendered
def test_markdown_inside_div():
    """Markdown inside a <div> follows the same blank-line rule as <p>.

    The one-line form is passed through untouched; wrapping the markdown in
    two newlines makes the converter emit an ``em`` element.
    """
    one_liner = "<div>Howmst *this* work</div>"
    # A single-line block is not converted.
    assert sanitizeInput(one_liner).strip() == "<div>Howmst *this* work</div>"

    # Markdown must be wrapped in two newlines to be converted.
    wrapped = "<div>\n\nHowmst *this* work\n\n</div>"
    assert 'em' in sanitizeInput(wrapped).strip()
def test_simple_mixed_input():
    """A heading, an emphasised paragraph and an inline <span> render as three blocks."""
    # NOTE(review): this listing was recovered with its line breaks collapsed;
    # the blank lines between the three blocks are reconstructed from the
    # expected output (three separate elements) — confirm against the original.
    source = '# Chapter One\n\nLorem *ipsum*.\n\nP<span>2</span>'
    expected = (
        '<h1>Chapter One</h1>\n'
        '<p>Lorem <em>ipsum</em>.</p>\n'
        '<p>P<span>2</span></p>'
    )
    assert sanitizeInput(source).strip() == expected
def test_markdown_inside_span():
    """Inline markdown inside a <span> is converted and the span is wrapped in a <p>."""
    source = "<span>I *want* this to work</span>"
    expected = "<p><span>I <em>want</em> this to work</span></p>"
    assert sanitizeInput(source).strip() == expected
def test_mixed_within_markdown():
    """An allowed HTML tag nested inside markdown emphasis survives conversion."""
    source = "*Emphasis <b>bold</b>*"
    expected = '''<p><em>Emphasis <b>bold</b></em></p>'''
    assert sanitizeInput(source).strip() == expected
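def test_image_xss():
    """A ``javascript:`` URI in an <img src> must not survive sanitisation.

    The check is case-insensitive: a sanitizer that only re-cased the scheme
    (``JavaScript:``) would otherwise pass a case-sensitive substring test.
    """
    raw = '''<IMG SRC="javascript:alert('XSS');">'''
    html = sanitizeInput(raw)
    assert 'javascript' not in html.lower()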
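def save(self, *args, **kwargs):
    """Derive the slug and the sanitised HTML renderings, then persist.

    ``chaptertext_html`` and ``chaptersummary_html`` are regenerated from the
    raw fields on every save, so the stored HTML never lags behind the source
    text. Presumably these ``_html`` fields are the only ones rendered
    unescaped in templates — confirm against the templates.
    Note that ``slug`` is also recomputed on every save, so a title change
    changes the slug.
    """
    self.slug = slugify(self.chaptertitle)
    self.chaptertext_html = sanitizeInput(self.chaptertext)
    self.chaptersummary_html = sanitizeInput(self.chaptersummary)
    # Zero-argument super() is what the sibling save() overrides in this
    # file use; behaviour is identical on Python 3.
    super().save(*args, **kwargs)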
def test_strip_style():
    """An inline ``style`` attribute's value must not reach the output."""
    source = "<span style='color: black;'>test</span>"
    output = sanitizeInput(source)
    # NOTE(review): this only proves the *value* is gone; whether the
    # ``style`` attribute itself is dropped or left empty is not asserted here.
    assert 'color' not in output
def test_input_type_image():
    """An <input type="image"> carrying a javascript: src must be removed entirely."""
    payload = '''<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">'''
    output = sanitizeInput(payload).lower()
    assert '<input' not in output
def test_embedded_tab():
    """A scheme broken up by embedded whitespace still counts as javascript: and the src is dropped."""
    payload = '''<IMG SRC="jav ascript:alert('XSS');">'''
    output = sanitizeInput(payload).lower()
    assert 'src' not in output
def test_basic_xss():
    """A remote <script src> must not survive sanitisation (case-insensitive check)."""
    payload = "<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>"
    output = sanitizeInput(payload).lower()
    assert '<script' not in output
def test_malformed_img_tag():
    """A <script> hidden behind a malformed <img> tag must still be removed."""
    payload = '''<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'''
    output = sanitizeInput(payload).lower()
    assert '<script' not in output
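def test_a_tag_malformed():
    """An inline event handler on an <a> tag must be stripped.

    The check is case-insensitive so that a sanitizer preserving
    ``onMouseOver`` in its original casing cannot slip past the test.
    """
    raw = '''<a onmouseover="alert(document.cookie)">xxs link</a>'''
    html = sanitizeInput(raw)
    assert 'onmouseover' not in html.lower()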
def test_image_function_literals():
    """A backtick-quoted src on an <img> tag: the tag text is expected to survive."""
    payload = '''<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>'''
    output = sanitizeInput(payload)
    # NOTE(review): this only asserts the (upper-case) tag text is present;
    # it says nothing about whether the javascript: payload is gone.
    # Consider also asserting on 'javascript' once the sanitizer's actual
    # output for this input has been checked.
    assert '<IMG' in output
def test_image_no_quotes():
    """An unquoted javascript: src on an <img> tag still produces some markup."""
    payload = '''<IMG SRC=javascript:alert('xss')>'''
    output = sanitizeInput(payload)
    # NOTE(review): '<' in the output is a very weak property — it holds for
    # any tag, safe or not. A stronger assertion on the absence of the
    # javascript: scheme should be added once the expected output is known.
    assert '<' in output
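def test_block_multiline_xss():
    """A javascript: href inside markdown-wrapped text must not survive.

    The check is case-insensitive so a re-cased scheme (``JavaScript:``)
    cannot pass a plain substring test.
    """
    raw = '''hello <a name="n" href="javascript:alert('xss')">*you*</a>'''
    html = sanitizeInput(raw)
    assert 'javascript' not in html.lower()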
def test_dont_strip_classes():
    """A ``class`` attribute is preserved; single-quoted values are re-emitted double-quoted."""
    source = "<span class='classy'>test</span>"
    expected = '<p><span class="classy">test</span></p>'
    assert sanitizeInput(source).strip() == expected
def save(self, *args, **kwargs):
    """Refresh the sanitised HTML rendering of ``grouppage`` before saving."""
    rendered = sanitizeInput(self.grouppage)
    self.grouppage_html = rendered
    super().save(*args, **kwargs)
def test_dont_strip_src_attr():
    """A plain (non-javascript) ``src`` on an <img> is kept, re-quoted with double quotes."""
    source = "<img src='whatever'></img>"
    output = sanitizeInput(source)
    assert 'src="whatever"' in output
def preprocess_preview(self, form, context):
    """Put the sanitised rendering of the submitted chapter text into ``context``."""
    source_text = form.cleaned_data['chaptertext']
    context['preview_markup'] = sanitizeInput(source_text)
def save(self, *args, **kwargs):
    """Refresh the sanitised HTML rendering of ``content`` before saving."""
    rendered = sanitizeInput(self.content)
    self.content_html = rendered
    super().save(*args, **kwargs)
def preprocess_preview(self, form, context):
    """Put the sanitised message markup and the raw title into ``context``.

    Only ``firstmessage`` goes through ``sanitizeInput``; the title is passed
    through as-is. Presumably the template autoescapes ``preview_title`` —
    verify it is never rendered with ``|safe``.
    """
    cleaned = form.cleaned_data
    context['preview_markup'] = sanitizeInput(cleaned['firstmessage'])
    context['preview_title'] = cleaned['title']