1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 0769be04c3891ae5c724c6779ba13d1d0f53b4ae Mon Sep 17 00:00:00 2001
From: Simon Cross <hodgestar@gmail.com>
Date: Sun, 16 Feb 2014 18:25:17 +0000
Subject: [PATCH 01/15] Also allow stripping of unsafe script tags (Python 3.4
parses the second example as a tag whose name is script&xyz).
---
genshi/filters/tests/test_html.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/genshi/filters/tests/test_html.py b/genshi/filters/tests/test_html.py
index 0c6cfe1..45ec0da 100644
--- a/genshi/filters/tests/test_html.py
+++ b/genshi/filters/tests/test_html.py
@@ -368,12 +368,16 @@ def StyleSanitizer():
class HTMLSanitizerTestCase(unittest.TestCase):
- def assert_parse_error_or_equal(self, expected, exploit):
+ def assert_parse_error_or_equal(self, expected, exploit,
+ allow_strip=False):
try:
html = HTML(exploit)
except ParseError:
return
- self.assertEquals(expected, (html | HTMLSanitizer()).render())
+ sanitized_html = (html | HTMLSanitizer()).render()
+ if not sanitized_html and allow_strip:
+ return
+ self.assertEquals(expected, sanitized_html)
def test_sanitize_unchanged(self):
html = HTML(u'<a href="#">fo<br />o</a>')
@@ -416,10 +420,12 @@ class HTMLSanitizerTestCase(unittest.TestCase):
html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
self.assertEquals('', (html | HTMLSanitizer()).render())
src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
- self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src)
+ self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src,
+ allow_strip=True)
src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
self.assert_parse_error_or_equal('<SCRIPT&XYZ; '
- 'SRC="http://example.com/">', src)
+ 'SRC="http://example.com/">', src,
+ allow_strip=True)
def test_sanitize_remove_onclick_attr(self):
html = HTML(u'<div onclick=\'alert("foo")\' />')
--
2.12.0
|