def test_django_tags_escaped(self):
    """Template syntax inside page HTML must come out verbatim, not be executed.

    Every case below expects the conversion to emit the tag imports followed
    by the input markup unchanged.
    """
    imports = ''.join(tag_imports)
    cases = [
        # block tags embedded in markup
        "<div>{% if 1 %}evil{% endif %}</div>",
        # doubled braces around block tags
        "<div>{{% if 1 %}}evil{{% endif %}}</div>",
        # malicious use of intermediate sanitization
        "<div>{amp}</div>",
        # preserves entities
        '<div>&< then {</div>',
    ]
    for html in cases:
        converted = html_to_template_text(html)
        self.assertEqual(converted, imports + html)
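def test_embed_whitelist_reject(self):
    """An embed whose iframe src is not an approved provider is replaced by the rejection message."""
    html = ('<span class="plugin embed"><iframe src="http://evil.com"'
            '></iframe></span>')
    template = Template(html_to_template_text(html))
    rendered = template.render(Context())
    # assertIn (unittest 2.7+) replaces the deprecated failUnless alias and
    # reports the rendered output on failure
    self.assertIn('The embedded URL is not on the list of approved providers',
                  rendered)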
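def get_content(self, context):
    """Return the template text for the included page, or an error paragraph.

    Args:
        context: the template context; ``context['page']`` is the page being
            rendered and ``context['_include_stack']`` (created here on first
            use) holds the names of the pages along the current include chain.

    Returns:
        ``self.page.content`` converted by ``html_to_template_text``, or a
        ``<p class="plugin includepage">`` error when the page does not exist
        or including it would recurse.
    """
    if not self.page:
        return (('<p class="plugin includepage">' + _(
            'Unable to include '
            '<a href="%(page_url)s" class="missing_link">%(page_name)s</a>'
        ) + '</p>') % {
            'page_url': self.get_page_url(), 'page_name': self.name})
    # prevent endless loops: push the including page, then refuse to include
    # any page already on the chain
    context_page = context['page']
    include_stack = context.get('_include_stack', [])
    include_stack.append(context_page.name)
    context['_include_stack'] = include_stack
    try:
        if self.page.name in include_stack:
            return (('<p class="plugin includepage">' + _(
                'Unable to'
                ' include <a href="%(page_url)s">%(page_name)s</a>: endless include'
                ' loop.') + '</p>') % {
                'page_url': self.get_page_url(), 'page_name': self.page.name})
        context['page'] = self.page
        return html_to_template_text(self.page.content, context)
    finally:
        # restore context on every path; the original left the pushed name on
        # the stack when it returned the endless-loop error, and did not
        # restore at all when conversion raised
        include_stack.pop()
        context['page'] = context_page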
def test_include_tag(self):
    """An includepage anchor is converted to an include_page tag wrapped in a div."""
    source = '<a class="plugin includepage" href="Front_Page">Front Page</a>'
    expected = ''.join(tag_imports) + '<div>{% include_page "Front_Page" %}</div>'
    self.assertEqual(html_to_template_text(source), expected)
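def test_amp_in_link_with_class(self):
    """A query-string ampersand in an external link survives rendering intact."""
    page = Page(name='Explore')
    html = ('<p><a class="external something" '
            'href="http://example.org/?t=1&i=2">hi</a></p>')
    template = Template(html_to_template_text(html))
    rendered = template.render(Context({'page': page}))
    # assertIn (unittest 2.7+) replaces the deprecated failUnless alias
    self.assertIn('http://example.org/?t=1&i=2', rendered)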
def test_embed_tag(self):
    """An embed span becomes an embed_code block around its inner markup."""
    source = '<span class="plugin embed"><strong>Hello</strong></span>'
    expected_body = '{% embed_code %} <strong>Hello</strong> {% endembed_code %}'
    converted = html_to_template_text(source)
    self.assertEqual(converted, ''.join(tag_imports) + expected_body)
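def test_embed_whitelist_accept(self):
    """An iframe from an approved provider is rendered unchanged."""
    html = ('<span class="plugin embed"><iframe '
            'src="http://www.youtube.com/embed/JVRsWAjvQSg"'
            '></iframe></span>')
    template = Template(html_to_template_text(html))
    rendered = template.render(Context())
    # assertIn (unittest 2.7+) replaces the deprecated failUnless alias
    self.assertIn(
        '<iframe src="http://www.youtube.com/embed/JVRsWAjvQSg"></iframe>',
        rendered)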
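def render(self, context):
    """Render the HTML held in ``html_var`` through the plugin template pipeline.

    Returns:
        The rendered string, or '' when rendering fails and
        settings.TEMPLATE_DEBUG is off; with TEMPLATE_DEBUG on the error is
        re-raised.
    """
    try:
        html = unicode(self.html_var.resolve(context))
        t = Template(html_to_template_text(html))
        return self.render_template(t, context)
    except Exception:
        # narrowed from a bare ``except:`` so SystemExit and
        # KeyboardInterrupt are not swallowed into an empty string
        if settings.TEMPLATE_DEBUG:
            raise
        return ''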
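def test_link_tag(self):
    """An <a href> element becomes a {% link %}...{% endlink %} block keeping its text."""
    imports = ''.join(tag_imports)
    # (input html, expected body after the tag imports)
    cases = [
        ('<div><a href="http://example.org"></a></div>',
         '<div>{% link "http://example.org" %}{% endlink %}</div>'),
        ('<div><a href="http://example.org">hi!</a></div>',
         '<div>{% link "http://example.org" %}hi!{% endlink %}</div>'),
    ]
    # the original asserted the second case a third time verbatim; dropped
    for html, expected in cases:
        self.assertEqual(html_to_template_text(html), imports + expected)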
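def test_endless_include(self):
    """
    Should detect endless loops and give an error message
    """
    a = Page(name='Front Page')
    # the page includes itself
    a.content = '<a class="plugin includepage" href="Front_Page">dummy</a>'
    a.save()
    context = Context({'page': a})
    template = Template(html_to_template_text(a.content, context))
    html = template.render(context)
    # assertIn (unittest 2.7+) replaces the deprecated failUnless alias
    self.assertIn('Unable to include <a href="/Front_Page">Front Page'
                  '</a>: endless include loop', html)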
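def test_include_nonexistant(self):
    """
    Should give an error message when including nonexistant page
    """
    a = Page(name='Front Page')
    a.content = '<a class="plugin includepage" href="New page">dummy</a>'
    a.save()
    context = Context({'page': a})
    template = Template(html_to_template_text(a.content, context))
    html = template.render(context)
    # assertIn (unittest 2.7+) replaces the deprecated failUnless alias
    self.assertIn('Unable to include <a href="/New_page"'
                  ' class="missing_link">New page</a>', html)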
def test_include_plugin(self):
    """Including an existing page inlines its content inside a div."""
    outer = Page(name='Front Page')
    outer.content = '<a class="plugin includepage" href="Explore">dummy</a>'
    outer.save()
    inner = Page(name='Explore')
    inner.content = '<p>Some text</p>'
    inner.save()
    context = Context({'page': outer})
    rendered = Template(html_to_template_text(outer.content, context)).render(context)
    self.assertEqual(rendered, '<div><p>Some text</p></div>')
def test_django_tags_escaped(self):
    """Template syntax inside page HTML must come out verbatim, not be executed."""
    imports = ''.join(tag_imports)

    def check_unchanged(html):
        # the conversion must emit the markup verbatim after the tag imports
        self.assertEqual(html_to_template_text(html), imports + html)

    check_unchanged("<div>{% if 1 %}evil{% endif %}</div>")
    check_unchanged("<div>{{% if 1 %}}evil{{% endif %}}</div>")
    # malicious use of intermediate sanitization
    check_unchanged("<div>{amp}</div>")
    # preserves entities
    check_unchanged('<div>&< then {</div>')
def test_include_plugin_utf8(self):
    """A non-ASCII page name resolves through the include plugin and renders its content."""
    name = u'青平台基金會'
    outer = Page(name='Front Page')
    outer.content = u'<a class="plugin includepage" href="%s">dummy</a>' % name
    outer.save()
    inner = Page(name=name)
    inner.content = u'<p>%s</p>' % name
    inner.save()
    context = Context({'page': outer})
    rendered = Template(html_to_template_text(outer.content, context)).render(context)
    self.assertEqual(
        rendered,
        u'<div class="included_page_wrapper"><p>%s</p></div>' % name)
def test_include_showtitle(self):
    """The includepage_showtitle class prepends a linked h2 title to the included content."""
    outer = Page(name='Front Page')
    outer.content = ('<a class="plugin includepage includepage_showtitle"'
                     ' href="Explore">dummy</a>')
    outer.save()
    inner = Page(name='Explore')
    inner.content = '<p>Some text</p>'
    inner.save()
    context = Context({'page': outer})
    rendered = Template(html_to_template_text(outer.content, context)).render(context)
    expected = '<div><h2><a href="/Explore">Explore</a></h2><p>Some text</p></div>'
    self.assertEqual(rendered, expected)
def test_include_width(self):
    """A width style on the include anchor is carried onto the wrapper div."""
    outer = Page(name='Front Page')
    outer.content = ('<a class="plugin includepage" style="width: 100px"'
                     ' href="Explore">dummy</a>')
    outer.save()
    inner = Page(name='Explore')
    inner.content = '<p>Some text</p>'
    inner.save()
    context = Context({'page': outer})
    rendered = Template(html_to_template_text(outer.content, context)).render(context)
    expected = ('<div class="included_page_wrapper" style="width: 100px;">'
                '<p>Some text</p></div>')
    self.assertEqual(rendered, expected)
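def render(self, context):
    """Render the HTML held in ``html_var`` through the plugin template pipeline.

    When ``self.nofollow`` is set, ``context['_render_nofollow']`` is True for
    the duration of the conversion and rendering and removed afterwards.

    Returns:
        The rendered string, or '' when rendering fails and
        settings.TEMPLATE_DEBUG is off; with TEMPLATE_DEBUG on the error is
        re-raised.
    """
    try:
        html = unicode(self.html_var.resolve(context))
        if self.nofollow:
            context['_render_nofollow'] = True
        try:
            t = Template(html_to_template_text(html, context, self.render_plugins))
            return self.render_template(t, context)
        finally:
            # clear the flag on both the success and the error path
            if self.nofollow and '_render_nofollow' in context:
                del context['_render_nofollow']
    except Exception:
        # narrowed from a bare ``except:`` so SystemExit and
        # KeyboardInterrupt are not swallowed
        if settings.TEMPLATE_DEBUG:
            raise
        # a Node must return a string; the original fell off the end here and
        # returned None, which Django renders as the text "None"
        return ''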
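def render(self, context):
    """Render ``html_var``'s HTML via html_to_template_text and render_template.

    ``context['_render_nofollow']`` is set to True while rendering when
    ``self.nofollow`` is set, and removed again afterwards.

    Returns:
        The rendered string; '' on failure unless settings.TEMPLATE_DEBUG is
        set, in which case the exception propagates.
    """
    try:
        html = unicode(self.html_var.resolve(context))
        if self.nofollow:
            context['_render_nofollow'] = True
        try:
            template_text = html_to_template_text(
                html, context, self.render_plugins)
            return self.render_template(Template(template_text), context)
        finally:
            # the flag must not outlive this render, even when it raises
            if self.nofollow and '_render_nofollow' in context:
                del context['_render_nofollow']
    except Exception:
        # was a bare ``except:``, which also swallowed SystemExit
        if settings.TEMPLATE_DEBUG:
            raise
        # the original returned None on this path, which Django renders as
        # the literal text "None"
        return ''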
def test_double_include(self):
    """
    Multiple includes are ok
    """
    include_anchor = '<a class="plugin includepage" href="Explore">dummy</a>'
    outer = Page(name='Front Page')
    outer.content = include_anchor * 2
    outer.save()
    inner = Page(name='Explore')
    inner.content = '<p>Some text</p>'
    inner.save()
    context = Context({'page': outer})
    rendered = Template(html_to_template_text(outer.content, context)).render(context)
    wrapped = '<div class="included_page_wrapper"><p>Some text</p></div>'
    self.assertEqual(rendered, wrapped * 2)
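def get_content(self, context):
    """Return the template text for the included page, or an error paragraph.

    Args:
        context: the template context; ``context['page']`` is the page being
            rendered and ``context['_include_stack']`` (created on first use)
            holds the names of the pages along the current include chain.

    Returns:
        ``self.page.content`` converted by ``html_to_template_text``, or a
        ``<p class="plugin includepage">`` error when the page does not exist
        or including it would recurse.
    """
    if not self.page:
        return (('<p class="plugin includepage">' + _('Unable to include '
                 '<a href="%(page_url)s" class="missing_link">%(page_name)s</a>')
                 + '</p>') % {'page_url': self.get_page_url(),
                              'page_name': self.name})
    # prevent endless loops: push the including page, then refuse to include
    # any page already on the chain
    context_page = context['page']
    include_stack = context.get('_include_stack', [])
    include_stack.append(context_page.name)
    context['_include_stack'] = include_stack
    try:
        if self.page.name in include_stack:
            return (('<p class="plugin includepage">' + _('Unable to'
                     ' include <a href="%(page_url)s">%(page_name)s</a>: endless include'
                     ' loop.') + '</p>') % {'page_url': self.get_page_url(),
                                            'page_name': self.page.name})
        context['page'] = self.page
        return html_to_template_text(self.page.content, context)
    finally:
        # restore context on every path; the original left the pushed name on
        # the stack when returning the endless-loop error and did not restore
        # when conversion raised
        include_stack.pop()
        context['page'] = context_page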
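def get_content(self, context):
    """Return the template text for the included page, or an error paragraph.

    Args:
        context: the template context; ``context['page']`` is the page being
            rendered and ``context['_include_stack']`` (created on first use)
            holds the names of the pages along the current include chain.

    Returns:
        ``self.page.content`` converted by ``html_to_template_text``, or a
        ``<p class="plugin includepage">`` error when the page does not exist
        or including it would recurse.
    """
    if not self.page:
        page_url = reverse('pages:show', args=[name_to_url(self.name)])
        return ('<p class="plugin includepage">Unable to include '
                '<a href="%s" class="missing_link">%s</a></p>'
                % (page_url, self.name))
    # prevent endless loops: push the including page, then refuse to include
    # any page already on the chain
    context_page = context['page']
    include_stack = context.get('_include_stack', [])
    include_stack.append(context_page.name)
    context['_include_stack'] = include_stack
    try:
        if self.page.name in include_stack:
            return ('<p class="plugin includepage">Unable to'
                    ' include <a href="%s">%s</a>: endless include'
                    ' loop.</p>' % (name_to_url(self.name), self.name))
        context['page'] = self.page
        return html_to_template_text(self.page.content, context)
    finally:
        # restore context on every path; the original left the pushed name on
        # the stack when returning the endless-loop error and did not restore
        # when conversion raised
        include_stack.pop()
        context['page'] = context_page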
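def render(self, context):
    """Render ``html_var``'s HTML: expand mwparserfromhell templates, run the
    plugin pipeline, then substitute the fixed twitter widget for its marker.

    ``context['_render_nofollow']`` is True during rendering when
    ``self.nofollow`` is set and is removed afterwards.

    Returns:
        The rendered string; '' on failure unless settings.TEMPLATE_DEBUG is
        set, in which case the exception propagates.
    """
    self.process_context(context)
    try:
        html = unicode(self.html_var.resolve(context))
        wiki = mwparserfromhell.parse(html)
        for ft in wiki.filter_templates():
            wiki.replace(ft, self.render_wiki_template(ft.name, ft.params))
        html = unicode(wiki)
        if self.nofollow:
            context['_render_nofollow'] = True
        try:
            t = Template(html_to_template_text(html, context, self.render_plugins))
            html = self.render_template(t, context)
        finally:
            # clear the flag on both the success and the error path
            if self.nofollow and '_render_nofollow' in context:
                del context['_render_nofollow']
        # the marker is matched in the already-rendered output and replaced
        # with a fixed widget; the substituted markup is constant
        if '%% twitter %%' in html:
            html = html.replace('%% twitter %%', u'<a class="twitter-timeline" href="https://twitter.com/lowiki_tw">即時訊息</a>')
            html = html + ' <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>'
        return html
    except Exception:
        # was a bare ``except:``, which also swallowed SystemExit
        if settings.TEMPLATE_DEBUG:
            raise
        # the original returned None here, which Django renders as "None"
        return ''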
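def render(self, context):
    """Render the include node: embed ``self.page_name``'s content, with a
    linked title when 'showtitle' is among ``self.args``.

    Returns:
        The rendered string; an error paragraph when the page is missing or
        when including it would recurse; '' on any other failure unless
        settings.TEMPLATE_DEBUG is set, in which case the exception propagates.
    """
    try:
        try:
            page = Page.objects.get(slug__exact=slugify(self.page_name))
        except Page.DoesNotExist:
            page_url = reverse('pages:show',
                               args=[name_to_url(self.page_name)])
            template_text = ('<p class="plugin includepage">Unable to'
                             ' include <a href="%s" class="missing_link">%s</a></p>'
                             % (page_url, self.page_name))
        else:
            header = ''
            if 'showtitle' in self.args:
                header = ('<h2><a href="%s">%s</a></h2>'
                          % (page.pretty_slug, page.name))
            content = header + page.content
            # prevent endless loops: push the including page, then refuse to
            # include any page already on the chain
            context_page = context['page']
            include_stack = context.get('_include_stack', [])
            include_stack.append(context_page.name)
            if page.name in include_stack:
                content = ('<p class="plugin includepage">Unable to'
                           ' include <a href="%s">%s</a>: endless include'
                           ' loop.</p>' % (self.page_name, self.page_name))
            context['_include_stack'] = include_stack
            context['page'] = page
            try:
                template_text = html_to_template_text(content, context)
            finally:
                # restore context even when conversion raises
                include_stack.pop()
                context['page'] = context_page
        template = Template(template_text)
        return self.render_template(template, context)
    except Exception:
        # narrowed from a bare ``except:`` so SystemExit and
        # KeyboardInterrupt are not swallowed into an empty string
        if settings.TEMPLATE_DEBUG:
            raise
        return ''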
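def get_content(self, context):
    """Return the template text for the included page, or an error paragraph.

    Args:
        context: the template context; ``context["page"]`` is the page being
            rendered and ``context["_include_stack"]`` (created on first use)
            holds the names of the pages along the current include chain.

    Returns:
        ``self.page.content`` converted by ``html_to_template_text``, or a
        ``<p class="plugin includepage">`` error when the page does not exist
        or including it would recurse.
    """
    if not self.page:
        return (
            '<p class="plugin includepage">'
            + _("Unable to include "
                '<a href="%(page_url)s" class="missing_link">%(page_name)s</a>')
            + "</p>"
        ) % {"page_url": self.get_page_url(), "page_name": self.name}
    # prevent endless loops: push the including page, then refuse to include
    # any page already on the chain
    context_page = context["page"]
    include_stack = context.get("_include_stack", [])
    include_stack.append(context_page.name)
    context["_include_stack"] = include_stack
    try:
        if self.page.name in include_stack:
            return (
                '<p class="plugin includepage">'
                + _("Unable to"
                    ' include <a href="%(page_url)s">%(page_name)s</a>: endless include'
                    " loop.")
                + "</p>"
            ) % {"page_url": self.get_page_url(), "page_name": self.page.name}
        context["page"] = self.page
        return html_to_template_text(self.page.content, context)
    finally:
        # restore context on every path; the original left the pushed name on
        # the stack when returning the endless-loop error and did not restore
        # when conversion raised
        include_stack.pop()
        context["page"] = context_page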
def is_exploitable(self, exploit):
    """Return whether ``exploit`` still yields a script after page cleaning and rendering.

    The payload is stored as page content, passed through the model's field
    cleaning, converted to template text and rendered; the rendered output is
    then checked with ``self.contains_script``.
    """
    candidate = Page(name='XSS Test', content=exploit)
    candidate.clean_fields()
    rendered = Template(html_to_template_text(candidate.content)).render(Context())
    return self.contains_script(rendered)
def test_nbsp_outside_of_element(self):
    """Non-breaking spaces outside and inside an element are kept as-is."""
    source = u'a\xa0<strong>\xa0</strong>\n'
    expected = ''.join(tag_imports) + u'a\xa0<strong>\xa0</strong>\n'
    self.assertEqual(html_to_template_text(source), expected)
def test_empty_a_element(self):
    """An anchor with a name but no href is left untouched."""
    source = '<p><a name="blah"></a></p>'
    expected = ''.join(tag_imports) + '<p><a name="blah"></a></p>'
    self.assertEqual(html_to_template_text(source), expected)
def test_nbsp_outside_of_element(self):
    """Non-breaking spaces survive conversion, compared against their UTF-8 byte form."""
    source = u'a\xa0<strong>\xa0</strong>\n'
    # expected output is spelled as UTF-8 bytes (\xc2\xa0 is U+00A0)
    expected = ''.join(tag_imports) + 'a\xc2\xa0<strong>\xc2\xa0</strong>\n'
    self.assertEqual(html_to_template_text(source), expected)
def test_plaintext(self):
    """Plain text with no markup is emitted unchanged after the tag imports."""
    source = "No XHTML"
    self.assertEqual(html_to_template_text(source), ''.join(tag_imports) + source)