From 0769be04c3891ae5c724c6779ba13d1d0f53b4ae Mon Sep 17 00:00:00 2001 From: Simon Cross Date: Sun, 16 Feb 2014 18:25:17 +0000 Subject: [PATCH 01/15] Also allow stripping of unsafe script tags (Python 3.4 parses the second example as a tag whose name is script&xyz). --- genshi/filters/tests/test_html.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/genshi/filters/tests/test_html.py b/genshi/filters/tests/test_html.py index 0c6cfe1..45ec0da 100644 --- a/genshi/filters/tests/test_html.py +++ b/genshi/filters/tests/test_html.py @@ -368,12 +368,16 @@ def StyleSanitizer(): class HTMLSanitizerTestCase(unittest.TestCase): - def assert_parse_error_or_equal(self, expected, exploit): + def assert_parse_error_or_equal(self, expected, exploit, + allow_strip=False): try: html = HTML(exploit) except ParseError: return - self.assertEquals(expected, (html | HTMLSanitizer()).render()) + sanitized_html = (html | HTMLSanitizer()).render() + if not sanitized_html and allow_strip: + return + self.assertEquals(expected, sanitized_html) def test_sanitize_unchanged(self): html = HTML(u'fo
o') @@ -416,10 +420,12 @@ class HTMLSanitizerTestCase(unittest.TestCase): html = HTML(u'') self.assertEquals('', (html | HTMLSanitizer()).render()) src = u'alert("foo")' - self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src) + self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src, + allow_strip=True) src = u'' self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' - 'SRC="http://example.com/">', src) + 'SRC="http://example.com/">', src, + allow_strip=True) def test_sanitize_remove_onclick_attr(self): html = HTML(u'
') -- 2.12.0