"""More advanced security tests""" from nose.tools import eq_ from bleach import clean def test_nested_script_tag(): eq_('<<script>script>evil()<</script>/script>', clean('</script>')) eq_('<<x>script>evil()<</x>/script>', clean('<script>evil()</script>')) def test_nested_script_tag_r(): eq_('<script<script>>evil()</script<>>', clean('>evil()>')) def test_invalid_attr(): IMG = ['img', ] IMG_ATTR = ['src'] eq_('test', clean('test')) eq_('', clean('', tags=IMG, attributes=IMG_ATTR)) eq_('', clean('', tags=IMG, attributes=IMG_ATTR)) def test_unquoted_attr(): eq_('myabbr', clean('myabbr')) def test_unquoted_event_handler(): eq_('xx.com', clean('xx.com')) def test_invalid_attr_value(): eq_('<img src="javascript:alert(\'XSS\');">', clean('')) def test_invalid_href_attr(): eq_('xss', clean('xss')) def test_invalid_filter_attr(): IMG = ['img', ] IMG_ATTR = {'img': lambda n, v: n == 'src' and v == "http://example.com/"} eq_('', clean('', tags=IMG, attributes=IMG_ATTR)) eq_('', clean('', tags=IMG, attributes=IMG_ATTR)) def test_invalid_tag_char(): eq_('<script xss="" src="http://xx.com/xss.js"></script>', clean('')) eq_('<script src="http://xx.com/xss.js"></script>', clean('')) def test_unclosed_tag(): eq_('<script src="http://xx.com/xss.js&lt;b">', clean('ipt>' eq_('pt>alert(1)ipt>', clean(s, strip=True)) s = 'pt>pt>alert(1)' eq_('pt>pt>alert(1)', clean(s, strip=True)) def test_nasty(): """Nested, broken up, multiple tags, are still foiled!""" test = ('ipt type="text/javascript">alert("foo");script>') expect = (u'<scr<script></script>ipt type="text/javascript"' u'>alert("foo");</script>script<del></del>' u'>') eq_(expect, clean(test)) def test_poster_attribute(): """Poster attributes should not allow javascript.""" tags = ['video'] attrs = {'video': ['poster']} test = '' expect = '' eq_(expect, clean(test, tags=tags, attributes=attrs)) ok = '' eq_(ok, clean(ok, tags=tags, attributes=attrs)) def test_feed_protocol(): eq_('foo', clean('foo'))