from django.template import TemplateSyntaxError
from django.test import SimpleTestCase
from django.utils.safestring import mark_safe
from ..utils import SafeClass, UnsafeClass, setup
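class AutoescapeTagTests(SimpleTestCase):
    """
    Rendering tests for the {% autoescape %} tag and for automatic HTML
    escaping of template variables.

    Each test registers one template through the ``setup`` decorator and
    renders it with ``self.engine``. ``self.engine`` is not defined in this
    file; presumably ``setup`` (from ..utils) attaches it -- confirm there.

    Expected values for escaped output are written with explicit HTML
    entities (``&lt;``, ``&gt;``, ``&amp;``). An expectation that shows raw
    ``<``, ``>`` or ``&`` for an unsafe value rendered with escaping enabled
    would assert that markup passes through unescaped, i.e. the opposite of
    what these tests are meant to guarantee.
    """

    @setup({"autoescape-tag01": "{% autoescape off %}hello{% endautoescape %}"})
    def test_autoescape_tag01(self):
        """Plain text inside an "autoescape off" block is rendered unchanged."""
        output = self.engine.render_to_string("autoescape-tag01")
        self.assertEqual(output, "hello")

    @setup({"autoescape-tag02": "{% autoescape off %}{{ first }}{% endautoescape %}"})
    def test_autoescape_tag02(self):
        """With escaping switched off, markup in a variable is emitted raw."""
        # This is the behavior that makes "autoescape off" suitable only for
        # content that is already trusted or already escaped.
        output = self.engine.render_to_string(
            "autoescape-tag02", {"first": "<b>hello</b>"}
        )
        self.assertEqual(output, "<b>hello</b>")

    @setup({"autoescape-tag03": "{% autoescape on %}{{ first }}{% endautoescape %}"})
    def test_autoescape_tag03(self):
        """With escaping switched on, markup in a variable is HTML-escaped."""
        output = self.engine.render_to_string(
            "autoescape-tag03", {"first": "<b>hello</b>"}
        )
        self.assertEqual(output, "&lt;b&gt;hello&lt;/b&gt;")

    # Autoescape disabling and enabling nest in a predictable way.
    @setup(
        {
            "autoescape-tag04": (
                "{% autoescape off %}{{ first }} {% autoescape on %}{{ first }}"
                "{% endautoescape %}{% endautoescape %}"
            )
        }
    )
    def test_autoescape_tag04(self):
        """The innermost autoescape block decides how a variable is rendered."""
        output = self.engine.render_to_string("autoescape-tag04", {"first": "<a>"})
        # First occurrence is inside "off" (raw), second inside "on" (escaped).
        self.assertEqual(output, "<a> &lt;a&gt;")

    @setup({"autoescape-tag05": "{% autoescape on %}{{ first }}{% endautoescape %}"})
    def test_autoescape_tag05(self):
        """An unsafe string inside "autoescape on" is HTML-escaped."""
        output = self.engine.render_to_string(
            "autoescape-tag05", {"first": "<b>first</b>"}
        )
        self.assertEqual(output, "&lt;b&gt;first&lt;/b&gt;")

    # Strings (ASCII or Unicode) already marked as "safe" are not
    # auto-escaped
    @setup({"autoescape-tag06": "{{ first }}"})
    def test_autoescape_tag06(self):
        """A mark_safe() value is rendered raw with no autoescape tag present."""
        # mark_safe() bypasses escaping entirely, so the markup reaches the
        # output verbatim; the caller vouches for the content.
        output = self.engine.render_to_string(
            "autoescape-tag06", {"first": mark_safe("<b>first</b>")}
        )
        self.assertEqual(output, "<b>first</b>")

    @setup({"autoescape-tag07": "{% autoescape on %}{{ first }}{% endautoescape %}"})
    def test_autoescape_tag07(self):
        """A mark_safe() value is rendered raw even inside "autoescape on"."""
        output = self.engine.render_to_string(
            "autoescape-tag07", {"first": mark_safe("<b>Apple</b>")}
        )
        self.assertEqual(output, "<b>Apple</b>")

    @setup(
        {
            "autoescape-tag08": (
                r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}'
                r"{% endautoescape %}"
            )
        }
    )
    def test_autoescape_tag08(self):
        """
        Literal string arguments to filters, if used in the result, are safe.
        """
        output = self.engine.render_to_string("autoescape-tag08", {"var": None})
        # The double quote comes from a template literal, so it is not
        # turned into an entity.
        self.assertEqual(output, ' endquote" hah')

    # Objects which return safe strings as their __str__ method
    # won't get double-escaped.
    # NOTE(review): UnsafeClass and SafeClass come from ..utils, which is not
    # shown here. The expected values below assume UnsafeClass renders as the
    # plain string "you & me" and SafeClass as the already-escaped,
    # safe-marked string "you &gt; me" -- confirm against ..utils.
    @setup({"autoescape-tag09": r"{{ unsafe }}"})
    def test_autoescape_tag09(self):
        """An object whose string form is not marked safe is escaped once."""
        output = self.engine.render_to_string(
            "autoescape-tag09", {"unsafe": UnsafeClass()}
        )
        self.assertEqual(output, "you &amp; me")

    @setup({"autoescape-tag10": r"{{ safe }}"})
    def test_autoescape_tag10(self):
        """An object whose string form is marked safe is not escaped again."""
        output = self.engine.render_to_string("autoescape-tag10", {"safe": SafeClass()})
        self.assertEqual(output, "you &gt; me")

    @setup(
        {
            "autoescape-filtertag01": (
                "{{ first }}{% filter safe %}{{ first }} x<y{% endfilter %}"
            )
        }
    )
    def test_autoescape_filtertag01(self):
        """
        The "safe" and "escape" filters cannot work due to internal
        implementation details (fortunately, the (no)autoescape block
        tags can be used in those cases)
        """
        with self.assertRaises(TemplateSyntaxError):
            self.engine.render_to_string("autoescape-filtertag01", {"first": "<a>"})

    # Arguments to filters are 'safe' and manipulate their input unescaped.
    @setup({"autoescape-filters01": '{{ var|cut:"&" }}'})
    def test_autoescape_filters01(self):
        """cut removes the literal "&" from the value before rendering."""
        output = self.engine.render_to_string(
            "autoescape-filters01", {"var": "this & that"}
        )
        # Removing "&" from "this & that" leaves the two surrounding spaces.
        self.assertEqual(output, "this  that")

    @setup({"autoescape-filters02": '{{ var|join:" & " }}'})
    def test_autoescape_filters02(self):
        """The literal separator passed to join is rendered unescaped."""
        output = self.engine.render_to_string(
            "autoescape-filters02", {"var": ("Tom", "Dick", "Harry")}
        )
        self.assertEqual(output, "Tom & Dick & Harry")

    @setup({"autoescape-literals01": '{{ "this & that" }}'})
    def test_autoescape_literals01(self):
        """
        Literal strings are safe.
        """
        output = self.engine.render_to_string("autoescape-literals01")
        self.assertEqual(output, "this & that")

    @setup({"autoescape-stringiterations01": "{% for l in var %}{{ l }},{% endfor %}"})
    def test_autoescape_stringiterations01(self):
        """
        Iterating over strings outputs safe characters.
        """
        output = self.engine.render_to_string(
            "autoescape-stringiterations01", {"var": "K&R"}
        )
        # Each character is escaped on its own, so "&" becomes "&amp;".
        self.assertEqual(output, "K,&amp;,R,")

    @setup({"autoescape-lookup01": "{{ var.key }}"})
    def test_autoescape_lookup01(self):
        """
        Escape requirement survives lookup.
        """
        output = self.engine.render_to_string(
            "autoescape-lookup01", {"var": {"key": "this & that"}}
        )
        self.assertEqual(output, "this &amp; that")

    @setup(
        {
            "autoescape-incorrect-arg": (
                "{% autoescape true %}{{ var.key }}{% endautoescape %}"
            )
        }
    )
    def test_invalid_arg(self):
        """An argument other than "on" or "off" raises TemplateSyntaxError."""
        msg = "'autoescape' argument should be 'on' or 'off'"
        with self.assertRaisesMessage(TemplateSyntaxError, msg):
            self.engine.render_to_string(
                "autoescape-incorrect-arg", {"var": {"key": "this & that"}}
            )

    @setup(
        {"autoescape-incorrect-arg": "{% autoescape %}{{ var.key }}{% endautoescape %}"}
    )
    def test_no_arg(self):
        """An autoescape tag without an argument raises TemplateSyntaxError."""
        msg = "'autoescape' tag requires exactly one argument."
        with self.assertRaisesMessage(TemplateSyntaxError, msg):
            self.engine.render_to_string(
                "autoescape-incorrect-arg", {"var": {"key": "this & that"}}
            )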