django/tests/utils_tests/test_safestring.py

from __future__ import unicode_literals

from django.template import Context, Template
from django.test import SimpleTestCase, ignore_warnings
from django.utils import html, six, text
from django.utils.deprecation import RemovedInDjango20Warning
from django.utils.encoding import force_bytes
from django.utils.functional import lazy, lazystr
from django.utils.safestring import (
    EscapeData, SafeData, mark_for_escaping, mark_safe,
)

lazybytes = lazy(force_bytes, bytes)


class customescape(six.text_type):
    def __html__(self):
        # implement specific and obviously wrong escaping
        # in order to be able to tell for sure when it runs
        return self.replace('<', '<<').replace('>', '>>')


class SafeStringTest(SimpleTestCase):
    def assertRenderEqual(self, tpl, expected, **context):
        context = Context(context)
        tpl = Template(tpl)
        self.assertEqual(tpl.render(context), expected)

    def test_mark_safe(self):
        s = mark_safe('a&b')

        self.assertRenderEqual('{{ s }}', 'a&b', s=s)
        self.assertRenderEqual('{{ s|force_escape }}', 'a&amp;b', s=s)

    def test_mark_safe_object_implementing_dunder_html(self):
        e = customescape('<a&b>')
        s = mark_safe(e)
        self.assertIs(s, e)

        self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
        self.assertRenderEqual('{{ s|force_escape }}', '&lt;a&amp;b&gt;', s=s)

    def test_mark_safe_lazy(self):
        s = lazystr('a&b')
        b = lazybytes(b'a&b')

        self.assertIsInstance(mark_safe(s), SafeData)
        self.assertIsInstance(mark_safe(b), SafeData)
        self.assertRenderEqual('{{ s }}', 'a&b', s=mark_safe(s))

    def test_mark_safe_object_implementing_dunder_str(self):
        class Obj(object):
            def __str__(self):
                return '<obj>'

        s = mark_safe(Obj())

        self.assertRenderEqual('{{ s }}', '<obj>', s=s)

    def test_mark_safe_result_implements_dunder_html(self):
        self.assertEqual(mark_safe('a&b').__html__(), 'a&b')

    def test_mark_safe_lazy_result_implements_dunder_html(self):
        self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b')

    @ignore_warnings(category=RemovedInDjango20Warning)
    def test_mark_for_escaping(self):
        s = mark_for_escaping('a&b')
        self.assertRenderEqual('{{ s }}', 'a&amp;b', s=s)
        self.assertRenderEqual('{{ s }}', 'a&amp;b', s=mark_for_escaping(s))

    @ignore_warnings(category=RemovedInDjango20Warning)
    def test_mark_for_escaping_object_implementing_dunder_html(self):
        e = customescape('<a&b>')
        s = mark_for_escaping(e)
        self.assertIs(s, e)

        self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
        self.assertRenderEqual('{{ s|force_escape }}', '&lt;a&amp;b&gt;', s=s)

    @ignore_warnings(category=RemovedInDjango20Warning)
    def test_mark_for_escaping_lazy(self):
        s = lazystr('a&b')
        b = lazybytes(b'a&b')

        self.assertIsInstance(mark_for_escaping(s), EscapeData)
        self.assertIsInstance(mark_for_escaping(b), EscapeData)
        self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&amp;b', s=mark_for_escaping(s))

    @ignore_warnings(category=RemovedInDjango20Warning)
    def test_mark_for_escaping_object_implementing_dunder_str(self):
        class Obj(object):
            def __str__(self):
                return '<obj>'

        s = mark_for_escaping(Obj())

        self.assertRenderEqual('{{ s }}', '&lt;obj&gt;', s=s)

    def test_add_lazy_safe_text_and_safe_text(self):
        s = html.escape(lazystr('a'))
        s += mark_safe('&b')
        self.assertRenderEqual('{{ s }}', 'a&b', s=s)

        s = html.escapejs(lazystr('a'))
        s += mark_safe('&b')
        self.assertRenderEqual('{{ s }}', 'a&b', s=s)

        s = text.slugify(lazystr('a'))
        s += mark_safe('&b')
        self.assertRenderEqual('{{ s }}', 'a&b', s=s)

    def test_mark_safe_as_decorator(self):
        """
        mark_safe used as a decorator leaves the result of a function
        unchanged.
        """
        def clean_string_provider():
            return '<html><body>dummy</body></html>'

        self.assertEqual(mark_safe(clean_string_provider)(), clean_string_provider())

    def test_mark_safe_decorator_does_not_affect_dunder_html(self):
        """
        mark_safe doesn't affect a callable that has an __html__() method.
        """
        class SafeStringContainer:
            def __html__(self):
                return '<html></html>'

        self.assertIs(mark_safe(SafeStringContainer), SafeStringContainer)

    def test_mark_safe_decorator_does_not_affect_promises(self):
        """
        mark_safe doesn't affect lazy strings (Promise objects).
        """
        def html_str():
            return '<html></html>'

        lazy_str = lazy(html_str, str)()
        self.assertEqual(mark_safe(lazy_str), html_str())
Removed most of absolute_import imports Should be unneeded with Python 2.7 and up. Added some unicode_literals along the way. 2013-07-30 01:19:04 +08:00			`from __future__ import unicode_literals`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00
Sorted imports with isort; refs #23860. 2015-01-28 20:35:27 +08:00			`from django.template import Context, Template`
Fixed #24046 -- Deprecated the "escape" half of utils.safestring. 2016-05-11 00:46:47 +08:00			`from django.test import SimpleTestCase, ignore_warnings`
Sorted imports with isort; refs #23860. 2015-01-28 20:35:27 +08:00			`from django.utils import html, six, text`
Fixed #24046 -- Deprecated the "escape" half of utils.safestring. 2016-05-11 00:46:47 +08:00			`from django.utils.deprecation import RemovedInDjango20Warning`
Fixed #20223 -- Added keep_lazy() as a replacement for allow_lazy(). Thanks to bmispelon and uruz for the initial patch. 2015-11-07 21:30:20 +08:00			`from django.utils.encoding import force_bytes`
			`from django.utils.functional import lazy, lazystr`
Sorted imports with isort; refs #23860. 2015-01-28 20:35:27 +08:00			`from django.utils.safestring import (`
			`EscapeData, SafeData, mark_for_escaping, mark_safe,`
			`)`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00
			`lazybytes = lazy(force_bytes, bytes)`


Fixed #23831 -- Supported strings escaped by third-party libs in Django. Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter \|escape accounts for __html__() when it's available. \|force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. 2014-12-24 05:29:01 +08:00			`class customescape(six.text_type):`
			`def __html__(self):`
			`# implement specific and obviously wrong escaping`
			`# in order to be able to tell for sure when it runs`
			`return self.replace('<', '<<').replace('>', '>>')`


Refs #24652 -- Used SimpleTestCase where appropriate. 2015-04-18 05:38:20 +08:00			`class SafeStringTest(SimpleTestCase):`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00			`def assertRenderEqual(self, tpl, expected, **context):`
			`context = Context(context)`
			`tpl = Template(tpl)`
			`self.assertEqual(tpl.render(context), expected)`

			`def test_mark_safe(self):`
			`s = mark_safe('a&b')`

			`self.assertRenderEqual('{{ s }}', 'a&b', s=s)`
			`self.assertRenderEqual('{{ s\|force_escape }}', 'a&b', s=s)`

Fixed #23831 -- Supported strings escaped by third-party libs in Django. Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter \|escape accounts for __html__() when it's available. \|force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. 2014-12-24 05:29:01 +08:00			`def test_mark_safe_object_implementing_dunder_html(self):`
			`e = customescape('<a&b>')`
			`s = mark_safe(e)`
			`self.assertIs(s, e)`

			`self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)`
			`self.assertRenderEqual('{{ s\|force_escape }}', '<a&b>', s=s)`

Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00			`def test_mark_safe_lazy(self):`
			`s = lazystr('a&b')`
			`b = lazybytes(b'a&b')`

Revert "Fixed #20296 -- Allowed SafeData and EscapeData to be lazy" This reverts commit 2ee447fb5f8974b432d3dd421af9a242215aea44. That commit introduced a regression (#21882) and didn't really do what it was supposed to: while it did delay the evaluation of lazy objects passed to mark_safe(), they weren't actually marked as such so they could end up being escaped twice. Refs #21882. 2014-02-05 12:16:39 +08:00			`self.assertIsInstance(mark_safe(s), SafeData)`
			`self.assertIsInstance(mark_safe(b), SafeData)`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00			`self.assertRenderEqual('{{ s }}', 'a&b', s=mark_safe(s))`

Fixed an inconsistency introduced in 547b1810. mark_safe and mark_for_escaping should have been kept similar. On Python 2 this change has no effect. On Python 3 it fixes the use case shown in the regression test for mark_for_escaping, which used to raise a TypeError. The regression test for mark_safe is just for completeness. 2014-12-24 04:49:05 +08:00			`def test_mark_safe_object_implementing_dunder_str(self):`
			`class Obj(object):`
			`def __str__(self):`
			`return '<obj>'`

			`s = mark_safe(Obj())`

			`self.assertRenderEqual('{{ s }}', '<obj>', s=s)`

Fixed #23831 -- Supported strings escaped by third-party libs in Django. Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter \|escape accounts for __html__() when it's available. \|force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. 2014-12-24 05:29:01 +08:00			`def test_mark_safe_result_implements_dunder_html(self):`
			`self.assertEqual(mark_safe('a&b').__html__(), 'a&b')`

			`def test_mark_safe_lazy_result_implements_dunder_html(self):`
			`self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b')`

Fixed #24046 -- Deprecated the "escape" half of utils.safestring. 2016-05-11 00:46:47 +08:00			`@ignore_warnings(category=RemovedInDjango20Warning)`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00			`def test_mark_for_escaping(self):`
			`s = mark_for_escaping('a&b')`
			`self.assertRenderEqual('{{ s }}', 'a&b', s=s)`
			`self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s))`

Fixed #24046 -- Deprecated the "escape" half of utils.safestring. 2016-05-11 00:46:47 +08:00			`@ignore_warnings(category=RemovedInDjango20Warning)`
Fixed #23831 -- Supported strings escaped by third-party libs in Django. Refs #7261 -- Made strings escaped by Django usable in third-party libs. The changes in mark_safe and mark_for_escaping are straightforward. The more tricky part is to handle correctly objects that implement __html__. Historically escape() has escaped SafeData. Even if that doesn't seem a good behavior, changing it would create security concerns. Therefore support for __html__() was only added to conditional_escape() where this concern doesn't exist. Then using conditional_escape() instead of escape() in the Django template engine makes it understand data escaped by other libraries. Template filter \|escape accounts for __html__() when it's available. \|force_escape forces the use of Django's HTML escaping implementation. Here's why the change in render_value_in_context() is safe. Before Django 1.7 conditional_escape() was implemented as follows: if isinstance(text, SafeData): return text else: return escape(text) render_value_in_context() never called escape() on SafeData. Therefore replacing escape() with conditional_escape() doesn't change the autoescaping logic as it was originally intended. This change should be backported to Django 1.7 because it corrects a feature added in Django 1.7. Thanks mitsuhiko for the report. 2014-12-24 05:29:01 +08:00			`def test_mark_for_escaping_object_implementing_dunder_html(self):`
			`e = customescape('<a&b>')`
			`s = mark_for_escaping(e)`
			`self.assertIs(s, e)`

			`self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)`
			`self.assertRenderEqual('{{ s\|force_escape }}', '<a&b>', s=s)`

Fixed #24046 -- Deprecated the "escape" half of utils.safestring. 2016-05-11 00:46:47 +08:00			`@ignore_warnings(category=RemovedInDjango20Warning)`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00			`def test_mark_for_escaping_lazy(self):`
			`s = lazystr('a&b')`
			`b = lazybytes(b'a&b')`

Revert "Fixed #20296 -- Allowed SafeData and EscapeData to be lazy" This reverts commit 2ee447fb5f8974b432d3dd421af9a242215aea44. That commit introduced a regression (#21882) and didn't really do what it was supposed to: while it did delay the evaluation of lazy objects passed to mark_safe(), they weren't actually marked as such so they could end up being escaped twice. Refs #21882. 2014-02-05 12:16:39 +08:00			`self.assertIsInstance(mark_for_escaping(s), EscapeData)`
			`self.assertIsInstance(mark_for_escaping(b), EscapeData)`
Fixed #20296 -- Allowed SafeData and EscapeData to be lazy 2013-04-20 19:38:14 +08:00			`self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s))`

Fixed #24046 -- Deprecated the "escape" half of utils.safestring. 2016-05-11 00:46:47 +08:00			`@ignore_warnings(category=RemovedInDjango20Warning)`
Fixed an inconsistency introduced in 547b1810. mark_safe and mark_for_escaping should have been kept similar. On Python 2 this change has no effect. On Python 3 it fixes the use case shown in the regression test for mark_for_escaping, which used to raise a TypeError. The regression test for mark_safe is just for completeness. 2014-12-24 04:49:05 +08:00			`def test_mark_for_escaping_object_implementing_dunder_str(self):`
			`class Obj(object):`
			`def __str__(self):`
			`return '<obj>'`

			`s = mark_for_escaping(Obj())`

			`self.assertRenderEqual('{{ s }}', '<obj>', s=s)`

Fixed #20221 -- Allowed some functions that use mark_safe() to result in SafeText. Thanks Baptiste Mispelon for the report. 2014-10-16 09:03:40 +08:00			`def test_add_lazy_safe_text_and_safe_text(self):`
			`s = html.escape(lazystr('a'))`
			`s += mark_safe('&b')`
			`self.assertRenderEqual('{{ s }}', 'a&b', s=s)`

			`s = html.escapejs(lazystr('a'))`
			`s += mark_safe('&b')`
			`self.assertRenderEqual('{{ s }}', 'a&b', s=s)`

			`s = text.slugify(lazystr('a'))`
			`s += mark_safe('&b')`
			`self.assertRenderEqual('{{ s }}', 'a&b', s=s)`
Fixed #10107 -- Allowed using mark_safe() as a decorator. Thanks ArcTanSusan for the initial patch. 2016-06-03 05:11:43 +08:00
			`def test_mark_safe_as_decorator(self):`
			`"""`
			`mark_safe used as a decorator leaves the result of a function`
			`unchanged.`
			`"""`
			`def clean_string_provider():`
			`return '<html><body>dummy</body></html>'`

			`self.assertEqual(mark_safe(clean_string_provider)(), clean_string_provider())`

			`def test_mark_safe_decorator_does_not_affect_dunder_html(self):`
			`"""`
			`mark_safe doesn't affect a callable that has an __html__() method.`
			`"""`
			`class SafeStringContainer:`
			`def __html__(self):`
			`return '<html></html>'`

			`self.assertIs(mark_safe(SafeStringContainer), SafeStringContainer)`

			`def test_mark_safe_decorator_does_not_affect_promises(self):`
			`"""`
			`mark_safe doesn't affect lazy strings (Promise objects).`
			`"""`
			`def html_str():`
			`return '<html></html>'`

			`lazy_str = lazy(html_str, str)()`
			`self.assertEqual(mark_safe(lazy_str), html_str())`