2013-04-01 22:42:31 +08:00
|
|
|
import os
|
2015-01-28 20:35:27 +08:00
|
|
|
from datetime import datetime
|
2010-09-27 23:15:04 +08:00
|
|
|
|
2015-08-18 22:09:17 +08:00
|
|
|
from django.test import SimpleTestCase
|
2016-12-01 18:38:01 +08:00
|
|
|
from django.utils import html, safestring
|
2013-05-22 23:29:16 +08:00
|
|
|
from django.utils.encoding import force_text
|
2015-11-07 21:30:20 +08:00
|
|
|
from django.utils.functional import lazystr
|
2013-04-01 22:42:31 +08:00
|
|
|
|
2010-09-27 23:15:04 +08:00
|
|
|
|
2015-03-19 04:42:59 +08:00
|
|
|
class TestUtilsHtml(SimpleTestCase):
|
2010-09-27 23:15:04 +08:00
|
|
|
|
|
|
|
|
def check_output(self, function, value, output=None):
|
|
|
|
|
"""
|
2016-10-27 15:53:39 +08:00
|
|
|
function(value) equals output. If output is None, function(value)
|
|
|
|
|
equals value.
|
2010-09-27 23:15:04 +08:00
|
|
|
"""
|
|
|
|
|
if output is None:
|
|
|
|
|
output = value
|
|
|
|
|
self.assertEqual(function(value), output)
|
|
|
|
|
|
|
|
|
|
def test_escape(self):
|
|
|
|
|
f = html.escape
|
|
|
|
|
items = (
|
2013-10-27 03:15:03 +08:00
|
|
|
('&', '&'),
|
2010-09-27 23:15:04 +08:00
|
|
|
('<', '<'),
|
|
|
|
|
('>', '>'),
|
|
|
|
|
('"', '"'),
|
|
|
|
|
("'", '''),
|
|
|
|
|
)
|
|
|
|
|
# Substitution patterns for testing the above items.
|
|
|
|
|
patterns = ("%s", "asdf%sfdsa", "%s1", "1%sb")
|
|
|
|
|
for value, output in items:
|
|
|
|
|
for pattern in patterns:
|
|
|
|
|
self.check_output(f, pattern % value, pattern % output)
|
2015-11-07 21:30:20 +08:00
|
|
|
self.check_output(f, lazystr(pattern % value), pattern % output)
|
2010-09-27 23:15:04 +08:00
|
|
|
# Check repeated values.
|
|
|
|
|
self.check_output(f, value * 2, output * 2)
|
|
|
|
|
# Verify it doesn't double replace &.
|
|
|
|
|
self.check_output(f, '<&', '<&')
|
|
|
|
|
|
2012-07-01 01:54:38 +08:00
|
|
|
def test_format_html(self):
|
|
|
|
|
self.assertEqual(
|
2014-11-27 08:41:27 +08:00
|
|
|
html.format_html("{} {} {third} {fourth}",
|
2012-07-20 18:29:22 +08:00
|
|
|
"< Dangerous >",
|
|
|
|
|
html.mark_safe("<b>safe</b>"),
|
2012-07-01 01:54:38 +08:00
|
|
|
third="< dangerous again",
|
2012-07-20 18:29:22 +08:00
|
|
|
fourth=html.mark_safe("<i>safe again</i>")
|
2012-07-01 01:54:38 +08:00
|
|
|
),
|
2012-07-20 18:29:22 +08:00
|
|
|
"< Dangerous > <b>safe</b> < dangerous again <i>safe again</i>"
|
2013-10-18 17:02:43 +08:00
|
|
|
)
|
2012-07-01 01:54:38 +08:00
|
|
|
|
2010-09-27 23:15:04 +08:00
|
|
|
def test_linebreaks(self):
|
|
|
|
|
f = html.linebreaks
|
|
|
|
|
items = (
|
|
|
|
|
("para1\n\npara2\r\rpara3", "<p>para1</p>\n\n<p>para2</p>\n\n<p>para3</p>"),
|
|
|
|
|
("para1\nsub1\rsub2\n\npara2", "<p>para1<br />sub1<br />sub2</p>\n\n<p>para2</p>"),
|
|
|
|
|
("para1\r\n\r\npara2\rsub1\r\rpara4", "<p>para1</p>\n\n<p>para2<br />sub1</p>\n\n<p>para4</p>"),
|
|
|
|
|
("para1\tmore\n\npara2", "<p>para1\tmore</p>\n\n<p>para2</p>"),
|
|
|
|
|
)
|
|
|
|
|
for value, output in items:
|
|
|
|
|
self.check_output(f, value, output)
|
2015-11-07 21:30:20 +08:00
|
|
|
self.check_output(f, lazystr(value), output)
|
2010-09-27 23:15:04 +08:00
|
|
|
|
|
|
|
|
def test_strip_tags(self):
|
|
|
|
|
f = html.strip_tags
|
|
|
|
|
items = (
|
2013-05-22 23:29:16 +08:00
|
|
|
('<p>See: 'é is an apostrophe followed by e acute</p>',
|
|
|
|
|
'See: 'é is an apostrophe followed by e acute'),
|
2010-09-27 23:15:04 +08:00
|
|
|
('<adf>a', 'a'),
|
|
|
|
|
('</adf>a', 'a'),
|
|
|
|
|
('<asdf><asdf>e', 'e'),
|
2013-05-22 23:29:16 +08:00
|
|
|
('hi, <f x', 'hi, <f x'),
|
2013-05-23 20:00:17 +08:00
|
|
|
('234<235, right?', '234<235, right?'),
|
|
|
|
|
('a4<a5 right?', 'a4<a5 right?'),
|
|
|
|
|
('b7>b2!', 'b7>b2!'),
|
2010-09-27 23:15:04 +08:00
|
|
|
('</fe', '</fe'),
|
|
|
|
|
('<x>b<y>', 'b'),
|
2012-11-24 19:10:25 +08:00
|
|
|
('a<p onclick="alert(\'<test>\')">b</p>c', 'abc'),
|
|
|
|
|
('a<p a >b</p>c', 'abc'),
|
|
|
|
|
('d<a:b c:d>e</p>f', 'def'),
|
2013-02-07 04:20:43 +08:00
|
|
|
('<strong>foo</strong><a href="http://example.com">bar</a>', 'foobar'),
|
2015-03-04 21:11:25 +08:00
|
|
|
# caused infinite loop on Pythons not patched with
|
|
|
|
|
# http://bugs.python.org/issue20288
|
|
|
|
|
('&gotcha&#;<>', '&gotcha&#;<>'),
|
2010-09-27 23:15:04 +08:00
|
|
|
)
|
|
|
|
|
for value, output in items:
|
|
|
|
|
self.check_output(f, value, output)
|
2015-11-07 21:30:20 +08:00
|
|
|
self.check_output(f, lazystr(value), output)
|
2010-09-27 23:15:04 +08:00
|
|
|
|
2014-03-22 21:41:45 +08:00
|
|
|
# Some convoluted syntax for which parsing may differ between python versions
|
|
|
|
|
output = html.strip_tags('<sc<!-- -->ript>test<<!-- -->/script>')
|
|
|
|
|
self.assertNotIn('<script>', output)
|
|
|
|
|
self.assertIn('test', output)
|
|
|
|
|
output = html.strip_tags('<script>alert()</script>&h')
|
|
|
|
|
self.assertNotIn('<script>', output)
|
|
|
|
|
self.assertIn('alert()', output)
|
|
|
|
|
|
2013-04-01 22:42:31 +08:00
|
|
|
# Test with more lengthy content (also catching performance regressions)
|
|
|
|
|
for filename in ('strip_tags1.html', 'strip_tags2.txt'):
|
2017-01-20 21:01:02 +08:00
|
|
|
path = os.path.join(os.path.dirname(__file__), 'files', filename)
|
2013-04-01 22:42:31 +08:00
|
|
|
with open(path, 'r') as fp:
|
2013-05-22 23:29:16 +08:00
|
|
|
content = force_text(fp.read())
|
2013-04-01 22:42:31 +08:00
|
|
|
start = datetime.now()
|
2013-05-22 23:29:16 +08:00
|
|
|
stripped = html.strip_tags(content)
|
2013-04-01 22:42:31 +08:00
|
|
|
elapsed = datetime.now() - start
|
|
|
|
|
self.assertEqual(elapsed.seconds, 0)
|
|
|
|
|
self.assertIn("Please try again.", stripped)
|
|
|
|
|
self.assertNotIn('<', stripped)
|
|
|
|
|
|
2010-09-27 23:15:04 +08:00
|
|
|
def test_strip_spaces_between_tags(self):
|
|
|
|
|
f = html.strip_spaces_between_tags
|
|
|
|
|
# Strings that should come out untouched.
|
|
|
|
|
items = (' <adf>', '<adf> ', ' </adf> ', ' <f> x</f>')
|
|
|
|
|
for value in items:
|
|
|
|
|
self.check_output(f, value)
|
2015-11-07 21:30:20 +08:00
|
|
|
self.check_output(f, lazystr(value))
|
2010-09-27 23:15:04 +08:00
|
|
|
# Strings that have spaces to strip.
|
|
|
|
|
items = (
|
|
|
|
|
('<d> </d>', '<d></d>'),
|
|
|
|
|
('<p>hello </p>\n<p> world</p>', '<p>hello </p><p> world</p>'),
|
|
|
|
|
('\n<p>\t</p>\n<p> </p>\n', '\n<p></p><p></p>\n'),
|
|
|
|
|
)
|
|
|
|
|
for value, output in items:
|
|
|
|
|
self.check_output(f, value, output)
|
2015-11-07 21:30:20 +08:00
|
|
|
self.check_output(f, lazystr(value), output)
|
2010-09-27 23:15:04 +08:00
|
|
|
|
2011-01-03 01:34:52 +08:00
|
|
|
def test_escapejs(self):
|
|
|
|
|
f = html.escapejs
|
|
|
|
|
items = (
|
2012-06-08 00:08:47 +08:00
|
|
|
('"double quotes" and \'single quotes\'', '\\u0022double quotes\\u0022 and \\u0027single quotes\\u0027'),
|
|
|
|
|
(r'\ : backslashes, too', '\\u005C : backslashes, too'),
|
2015-09-12 07:33:12 +08:00
|
|
|
(
|
|
|
|
|
'and lots of whitespace: \r\n\t\v\f\b',
|
|
|
|
|
'and lots of whitespace: \\u000D\\u000A\\u0009\\u000B\\u000C\\u0008'
|
|
|
|
|
),
|
2012-06-08 00:08:47 +08:00
|
|
|
(r'<script>and this</script>', '\\u003Cscript\\u003Eand this\\u003C/script\\u003E'),
|
2015-09-12 07:33:12 +08:00
|
|
|
(
|
|
|
|
|
'paragraph separator:\u2029and line separator:\u2028',
|
|
|
|
|
'paragraph separator:\\u2029and line separator:\\u2028'
|
|
|
|
|
),
|
2011-01-03 01:34:52 +08:00
|
|
|
)
|
|
|
|
|
for value, output in items:
|
|
|
|
|
self.check_output(f, value, output)
|
2015-11-07 21:30:20 +08:00
|
|
|
self.check_output(f, lazystr(value), output)
|
2011-04-28 22:08:53 +08:00
|
|
|
|
2013-07-28 16:05:39 +08:00
|
|
|
def test_smart_urlquote(self):
|
|
|
|
|
quote = html.smart_urlquote
|
2016-10-27 15:53:39 +08:00
|
|
|
# IDNs are properly quoted
|
2013-07-28 16:05:39 +08:00
|
|
|
self.assertEqual(quote('http://öäü.com/'), 'http://xn--4ca9at.com/')
|
|
|
|
|
self.assertEqual(quote('http://öäü.com/öäü/'), 'http://xn--4ca9at.com/%C3%B6%C3%A4%C3%BC/')
|
2016-10-27 15:53:39 +08:00
|
|
|
# Everything unsafe is quoted, !*'();:@&=+$,/?#[]~ is considered safe as per RFC
|
2013-07-28 16:05:39 +08:00
|
|
|
self.assertEqual(quote('http://example.com/path/öäü/'), 'http://example.com/path/%C3%B6%C3%A4%C3%BC/')
|
|
|
|
|
self.assertEqual(quote('http://example.com/%C3%B6/ä/'), 'http://example.com/%C3%B6/%C3%A4/')
|
2014-06-27 03:14:30 +08:00
|
|
|
self.assertEqual(quote('http://example.com/?x=1&y=2+3&z='), 'http://example.com/?x=1&y=2+3&z=')
|
2014-08-09 18:44:48 +08:00
|
|
|
self.assertEqual(quote('http://example.com/?x=<>"\''), 'http://example.com/?x=%3C%3E%22%27')
|
2014-06-27 03:14:30 +08:00
|
|
|
self.assertEqual(quote('http://example.com/?q=http://example.com/?x=1%26q=django'),
|
|
|
|
|
'http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3Ddjango')
|
|
|
|
|
self.assertEqual(quote('http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3Ddjango'),
|
|
|
|
|
'http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3Ddjango')
|
2013-10-15 06:40:52 +08:00
|
|
|
|
|
|
|
|
def test_conditional_escape(self):
|
|
|
|
|
s = '<h1>interop</h1>'
|
|
|
|
|
self.assertEqual(html.conditional_escape(s),
|
|
|
|
|
'<h1>interop</h1>')
|
|
|
|
|
self.assertEqual(html.conditional_escape(safestring.mark_safe(s)), s)
|
2015-03-19 04:42:59 +08:00
|
|
|
|
|
|
|
|
def test_html_safe(self):
|
|
|
|
|
@html.html_safe
|
2017-01-19 15:39:46 +08:00
|
|
|
class HtmlClass:
|
2016-12-01 18:38:01 +08:00
|
|
|
def __str__(self):
|
|
|
|
|
return "<h1>I'm a html class!</h1>"
|
2015-03-19 04:42:59 +08:00
|
|
|
|
|
|
|
|
html_obj = HtmlClass()
|
|
|
|
|
self.assertTrue(hasattr(HtmlClass, '__html__'))
|
|
|
|
|
self.assertTrue(hasattr(html_obj, '__html__'))
|
|
|
|
|
self.assertEqual(force_text(html_obj), html_obj.__html__())
|
|
|
|
|
|
|
|
|
|
def test_html_safe_subclass(self):
|
2017-01-19 15:39:46 +08:00
|
|
|
class BaseClass:
|
2016-12-01 18:38:01 +08:00
|
|
|
def __html__(self):
|
|
|
|
|
# defines __html__ on its own
|
|
|
|
|
return 'some html content'
|
2015-03-19 04:42:59 +08:00
|
|
|
|
2016-12-01 18:38:01 +08:00
|
|
|
def __str__(self):
|
|
|
|
|
return 'some non html content'
|
2015-03-19 04:42:59 +08:00
|
|
|
|
2016-12-01 18:38:01 +08:00
|
|
|
@html.html_safe
|
|
|
|
|
class Subclass(BaseClass):
|
|
|
|
|
def __str__(self):
|
|
|
|
|
# overrides __str__ and is marked as html_safe
|
|
|
|
|
return 'some html safe content'
|
2015-03-19 04:42:59 +08:00
|
|
|
|
|
|
|
|
subclass_obj = Subclass()
|
|
|
|
|
self.assertEqual(force_text(subclass_obj), subclass_obj.__html__())
|
|
|
|
|
|
|
|
|
|
def test_html_safe_defines_html_error(self):
|
|
|
|
|
msg = "can't apply @html_safe to HtmlClass because it defines __html__()."
|
|
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
|
|
|
@html.html_safe
|
2017-01-19 15:39:46 +08:00
|
|
|
class HtmlClass:
|
2015-03-19 04:42:59 +08:00
|
|
|
def __html__(self):
|
|
|
|
|
return "<h1>I'm a html class!</h1>"
|
|
|
|
|
|
|
|
|
|
def test_html_safe_doesnt_define_str(self):
|
2016-12-01 18:38:01 +08:00
|
|
|
msg = "can't apply @html_safe to HtmlClass because it doesn't define __str__()."
|
2015-03-19 04:42:59 +08:00
|
|
|
with self.assertRaisesMessage(ValueError, msg):
|
|
|
|
|
@html.html_safe
|
2017-01-19 15:39:46 +08:00
|
|
|
class HtmlClass:
|
2015-03-19 04:42:59 +08:00
|
|
|
pass
|
