"""More advanced security tests"""
from nose.tools import eq_
from bleach import clean
def test_nested_script_tag():
    """Nested / split-up ``<script>`` markup must not survive ``clean()``.

    Each assertion compares the expected literal (first element) with the
    result of cleaning the raw literal (second element).

    NOTE(review): in this copy the raw inputs (``'</script>'`` and
    ``'<script>evil()</script>'``) cannot produce the expected strings, which
    contain text the inputs lack; the markup appears to have been stripped or
    entity-decoded when the file was rendered. Restore the literals from the
    upstream test file before relying on these assertions.
    """
    cases = [
        ('<<script>script>evil()<</script>/script>', '</script>'),
        ('<<x>script>evil()<</x>/script>', '<script>evil()</script>'),
    ]
    for expected, raw in cases:
        eq_(expected, clean(raw))
def test_nested_script_tag_r():
    """Reverse-nesting variant of ``test_nested_script_tag``.

    NOTE(review): the raw input here is just ``'>'`` while the expected value
    is a full ``<script<script>>evil()...`` string, so the payload was
    evidently lost when this copy was rendered; confirm against upstream.
    """
    raw = '>'
    eq_('<script<script>>evil()</script<>>', clean(raw))
def test_invalid_attr():
    """Attributes outside the allow-list must be dropped.

    The first assertion uses ``clean()``'s defaults; the other two restrict
    the allow-list to the ``img`` tag with only a ``src`` attribute.

    NOTE(review): every payload in this copy is ``'test'`` or the empty
    string, so the assertions no longer exercise any attribute handling; the
    markup was stripped when the file was rendered.
    """
    allowed_tags = ['img']
    allowed_attrs = ['src']
    eq_('test', clean('test'))
    for payload in ('', ''):
        eq_('', clean(payload, tags=allowed_tags, attributes=allowed_attrs))
def test_unquoted_attr():
    """Unquoted attribute values must be handled safely.

    NOTE(review): expected value and input are both the bare word
    ``'myabbr'`` in this copy, so the assertion only checks that plain text
    passes through unchanged; the surrounding markup was lost in rendering.
    """
    text = 'myabbr'
    eq_(text, clean(text))
def test_unquoted_event_handler():
    """Unquoted event-handler attributes must not survive ``clean()``.

    NOTE(review): expected value and input are both ``'xx.com'`` in this
    copy, so the assertion only checks plain-text passthrough; the event
    handler markup was lost in rendering.
    """
    text = 'xx.com'
    eq_(text, clean(text))
def test_invalid_attr_value():
    """A ``javascript:`` URL in an attribute value must not come out live.

    NOTE(review): as printed here, the expected literal is an unescaped
    ``<img src="javascript:...">`` and the input is ``''`` - a sanitizer test
    cannot mean that. The angle brackets were most likely entity-escaped
    (``&lt;`` / ``&gt;``) in the real source and decoded when this page was
    rendered, and the input payload was stripped. Confirm upstream before
    treating this as a passing or failing case.
    """
    expected = '<img src="javascript:alert(\'XSS\');">'
    eq_(expected, clean(''))
def test_invalid_href_attr():
    """An ``href`` with a disallowed scheme must be neutralised.

    NOTE(review): expected value and input are both ``'xss'`` in this copy,
    so only plain-text passthrough is checked; the anchor markup was lost in
    rendering.
    """
    text = 'xss'
    eq_(text, clean(text))
def test_invalid_filter_attr():
    """A callable attribute filter must reject all but the exact allowed value.

    The filter accepts an attribute only when its name is ``src`` and its
    value is exactly ``http://example.com/``.

    NOTE(review): both payloads are ``''`` in this copy, so nothing here
    exercises the filter; the ``<img>`` markup was stripped in rendering.
    """
    def only_example_src(name, value):
        return name == 'src' and value == "http://example.com/"

    allowed_tags = ['img']
    allowed_attrs = {'img': only_example_src}
    for payload in ('', ''):
        eq_('', clean(payload, tags=allowed_tags, attributes=allowed_attrs))
def test_invalid_tag_char():
    """Odd characters inside a tag name must not yield a live ``<script>``.

    NOTE(review): the expected literals read as live ``<script>`` elements
    and both inputs are ``''``; a sanitizer test would expect the escaped
    form, so the brackets were likely entity-decoded and the payloads
    stripped when this copy was rendered. Confirm upstream.
    """
    expected_with_xss_attr = '<script xss="" src="http://xx.com/xss.js"></script>'
    expected_plain = '<script src="http://xx.com/xss.js"></script>'
    eq_(expected_with_xss_attr, clean(''))
    eq_(expected_plain, clean(''))
def test_unclosed_tag():
    # NOTE(review): this span is corrupted in this copy and does not parse:
    # the clean() call on the second line below is never closed, the eq_()
    # after it has no enclosing statement, `s` is read before it is assigned,
    # and the tag markup of every payload has been stripped. The tail
    # (two `clean(s, strip=True)` checks) looks like a separate strip=True
    # test that was merged in. Restore from the upstream test file before
    # running.
    eq_('<script src="http://xx.com/xss.js<b">',
    clean('ipt>'
    eq_('pt>alert(1)ipt>', clean(s, strip=True))
    s = 'pt>pt>alert(1)'
    eq_('pt>pt>alert(1)', clean(s, strip=True))
def test_nasty():
    """Nested, broken up, multiple tags, are still foiled!

    NOTE(review): the input here starts mid-tag (``ipt type=...``) - its
    leading fragment seems to have been stripped in this copy - while the
    expected string still contains live ``<script>`` and ``<del>`` elements,
    which is not what a sanitizer should emit. The brackets were likely
    entity-escaped upstream; confirm before use.
    """
    fixture = 'ipt type="text/javascript">alert("foo");script>'
    expected = (u'<scr<script></script>ipt type="text/javascript">'
                u'alert("foo");</script>script<del></del>>')
    eq_(expected, clean(fixture))
def test_poster_attribute():
    """Poster attributes should not allow javascript.

    Only the ``video`` tag with a ``poster`` attribute is allowed; the first
    case is expected to be neutralised, the second to pass through unchanged.

    NOTE(review): both payloads are ``''`` in this copy, so nothing exercises
    the ``poster`` attribute; the ``<video>`` markup was stripped in rendering.
    """
    allowed_tags = ['video']
    allowed_attrs = {'video': ['poster']}
    rejected = ''
    eq_('', clean(rejected, tags=allowed_tags, attributes=allowed_attrs))
    accepted = ''
    eq_(accepted, clean(accepted, tags=allowed_tags, attributes=allowed_attrs))
def test_feed_protocol():
    """Named for the ``feed:`` URL scheme.

    NOTE(review): in this copy it only checks that ``'foo'`` round-trips
    through ``clean()`` unchanged; the link markup was lost in rendering.
    """
    text = 'foo'
    eq_(text, clean(text))