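def attach_defs():
    """Apply a table definition block to the enclosing table/row/cell nodes.

    This is a closure: ``stream``, ``self``, ``cell_type``, ``table``,
    ``row`` and ``cell`` are free names taken from the enclosing scope.
    Nothing is changed unless the current token is ``table_def_begin``;
    in that case the definition's arguments are parsed and copied onto
    the nodes, with every ``*style`` value passed through ``filter_style``
    and ``align``/``valign`` reduced to a closed set of keywords.
    """
    # Compare with ``==``: the substring test ``type in 'table_def_begin'``
    # also matches partial (or empty) token types.
    if stream.current.type == 'table_def_begin':
        stream.next()
        args, kwargs = self.parse_arguments(stream, 'table_def_end')
        if stream.current.type == 'table_def_end':
            stream.next()
        attrs, args = _parse_align_args(args, kwargs)
        if cell_type == 'tablefirst':
            table.class_ = attrs.get('tableclass') or None
            table.style = filter_style(attrs.get('tablestyle')) or None
        if cell_type in ('tablefirst', 'rowfirst'):
            row.class_ = attrs.get('rowclass') or None
            if not row.class_:
                # positional arguments double as the row's class list
                row.class_ = u' '.join(args) or None
            row.style = filter_style(attrs.get('rowstyle')) or None
        cell.class_ = attrs.get('cellclass') or None
        cell.style = filter_style(attrs.get('cellstyle')) or None
        cell.colspan = attrs.get('colspan', 0)
        cell.rowspan = attrs.get('rowspan', 0)
        # only whitelisted alignment keywords survive; anything else is dropped
        cell.align = attrs.get('align')
        if cell.align not in ('left', 'right', 'center'):
            cell.align = None
        cell.valign = attrs.get('valign')
        if cell.valign not in ('top', 'middle', 'bottom'):
            cell.valign = None
        if cell_type == 'normal':
            if not cell.class_:
                cell.class_ = u' '.join(args) or None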
def test_unwanted_css_properties(self):
    """Declarations usable for script injection are filtered to ``u''``."""
    rejected = (
        # JavaScript URL inside a CSS url()
        u'background-image: url(javascript: alert("foo"));',
        # XBL binding URL
        u'-moz-binding: url("http://foobar.xy");',
        # CSS expression(): corrupts and confuses Internet Explorer
        u'width: expression((documentElement.clientWidth < 725) ? "725px" : "auto" )',
        # HTC behavior, also a known security risk in Internet Explorer
        u'behavior: url("pngbehavior.htc");',
    )
    for style in rejected:
        self.assertEqual(filter_style(style), u'')
def test_wanted_css_properties(self):
    """Harmless declarations pass through; only the trailing ``;`` is dropped."""
    cases = (
        (u'cursor: pointer; color: black;', u'cursor: pointer; color: black'),
        (u'background-color: black;', u'background-color: black'),
        (u'margin-bottom: 2px;', u'margin-bottom: 2px'),
        (u'padding-top: 5px;', u'padding-top: 5px'),
    )
    for raw, expected in cases:
        self.assertEqual(filter_style(raw), expected)
def test_unwanted_css_properties(self):
    """Declarations usable for script injection are filtered to ``u''``."""
    rejected = (
        # JavaScript URL inside a CSS url()
        u'background-image: url(javascript: alert("foo"));',
        # XBL binding URL
        u'-moz-binding: url("http://foobar.xy");',
        # CSS expression(): corrupts and confuses Internet Explorer
        u'width: expression((documentElement.clientWidth < 725) ? "725px" : "auto" )',
        # HTC behavior, also a known security risk in Internet Explorer
        u'behavior: url("pngbehavior.htc");',
    )
    for style in rejected:
        self.assertEqual(filter_style(style), u'')
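def parse_box(self, stream):
    """Parse a box.

    Pretty much like a table with one cell that renders to a div or a
    div with a title and body.  An optional definition block between
    ``box_def_begin``/``box_def_end`` sets align, valign, class, style
    and title; ``style`` goes through ``filter_style`` and the alignment
    values are reduced to a closed set of keywords.

    Returns a `Box` node.
    """
    box = nodes.Box()
    stream.expect('box_begin')
    if stream.current.type == 'box_def_begin':
        stream.next()
        args, kwargs = self.parse_arguments(stream, 'box_def_end')
        if stream.current.type == 'box_def_end':
            stream.next()
        attrs, args = _parse_align_args(args, kwargs)
        # only whitelisted alignment keywords survive; anything else is dropped
        box.align = attrs.get('align')
        if box.align not in ('left', 'right', 'center'):
            box.align = None
        # valign is its own attribute and must not overwrite align
        box.valign = attrs.get('valign')
        if box.valign not in ('top', 'middle', 'bottom'):
            box.valign = None
        # explicit class wins; otherwise the positional arguments are the
        # class list (same convention as table/row/cell definitions)
        box.class_ = attrs.get('class')
        if not box.class_:
            box.class_ = u' '.join(args) or None
        box.style = filter_style(attrs.get('style')) or None
        box.title = attrs.get('title')
    while stream.current.type != 'box_end':
        box.children.append(self.parse_node(stream))
    stream.expect('box_end')
    return box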
def test_css_none(self):
    """A missing style (``None``) is passed through unchanged."""
    result = filter_style(None)
    self.assertEqual(result, None)
def test_invalid_css_keyword(self):
    """A declaration with an unknown unit is dropped entirely."""
    result = filter_style(u'padding-top: 5kg;')
    self.assertEqual(result, u'')