[Erp5-report] r34368 nicolas - /erp5/trunk/products/ERP5OOo/tests/testDms.py
nobody at svn.erp5.org
nobody at svn.erp5.org
Thu Apr 8 11:36:35 CEST 2010
Author: nicolas
Date: Thu Apr 8 11:36:27 2010
New Revision: 34368
URL: http://svn.erp5.org?rev=34368&view=rev
Log:
Test new behaviour of HTML Conversions
* asSafeHTML is removed
* asHTML always returns safe html
* Style nodes are not stripped anymore
(they are safe from a security point of view). If they break
the display of the host page, this is another issue
Modified:
erp5/trunk/products/ERP5OOo/tests/testDms.py
Modified: erp5/trunk/products/ERP5OOo/tests/testDms.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5OOo/tests/testDms.py?rev=34368&r1=34367&r2=34368&view=diff
==============================================================================
--- erp5/trunk/products/ERP5OOo/tests/testDms.py [utf8] (original)
+++ erp5/trunk/products/ERP5OOo/tests/testDms.py [utf8] Thu Apr 8 11:36:27 2010
@@ -1423,7 +1423,7 @@
self.stepTic()
self.assertSameSet([person1, person2],
doc.getContributorValueList())
- @expectedFailure
+
def test_safeHTML_conversion(self):
"""This test create a Web Page and test asSafeHTML conversion.
Test also with a very non well-formed html document
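Review bot: The docstring of test_safeHTML_conversion still says it tests `asSafeHTML`, which the commit log says is removed. With `@expectedFailure` dropped the test now runs for real, so the description should match what the body calls. Something like `"""Create a Web Page and check that asStrippedHTML and asEntireHTML return safe HTML.` would do. The method body continues outside this hunk.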
@@ -1437,6 +1437,10 @@
html_content = """<html>
<head>
<title>My dirty title</title>
+ <style type="text/css">
+ a {color: #FFAA44;}
+ </style>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div>
@@ -1445,17 +1449,33 @@
<script type="text/javascript" src="http://example.com/something.js"/>
</body>
</html>
- """
+ """.decode('utf-8').encode('iso-8859-1')
web_page.edit(text_content=html_content)
- # convert web_page into safe-html
- format = 'text/x-html-safe'
- safe_html = web_page.asSafeHTML()
+ # Check that outputed stripped html is safe
+
+ safe_html = web_page.asStrippedHTML()
self.assertTrue('My splendid title' in safe_html)
self.assertTrue('script' not in safe_html, safe_html)
self.assertTrue('something.js' not in safe_html, safe_html)
+ self.assertTrue('<body>' not in safe_html)
+ self.assertTrue('<head>' not in safe_html)
+ self.assertTrue('<style' not in safe_html)
+ self.assertTrue('#FFAA44' not in safe_html)
+
+ # Check that outputed entire html is safe
+ entire_html = web_page.asEntireHTML()
+ self.assertTrue('My splendid title' in entire_html)
+ self.assertTrue('script' not in entire_html, entire_html)
+ self.assertTrue('something.js' not in entire_html, entire_html)
+ self.assertTrue('<title>' in entire_html)
+ self.assertTrue('<body>' in entire_html)
+ self.assertTrue('<head>' in entire_html)
+ self.assertTrue('<style' in entire_html)
+ self.assertTrue('#FFAA44' in entire_html)
# now check converted value is stored in cache
+ format = 'html'
self.assertTrue(web_page.hasConversion(format=format))
web_page.edit(text_content=None)
self.assertFalse(web_page.hasConversion(format=format))
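Review bot: The new assertions `'<style' in entire_html` and `'#FFAA44' in entire_html` prove that style nodes survive, but nothing here checks that their content is filtered. The only unsafe input the visible fixture exercises is a `<script>` element. Since the log justifies keeping style nodes on the grounds that they are safe, the test should pin that claim with a negative case, if the sanitizer is meant to filter style content: add one style rule the sanitizer is expected to drop (for example one that loads a remote resource) and assert it is absent from both outputs. Separately, `'script' not in entire_html` is a plain substring test that would fail on harmless text containing the word; `'<script' not in entire_html` states the intent more precisely. The fixture between the hunks is not visible, so other cases may already be covered there.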
@@ -1493,7 +1513,7 @@
<br>=
<!-- This is a comment, This string AZERTYY shouldn't be dislayed-->
<style>
-<!-- This is a comment, This string AZERTYY shouldn't be dislayed-->
+<!-- a {color: #FFAA44;} -->
</style>
<table class=3DMoNormalTable border=3D0 cellspacing=3D0 cellpadding=3D0 =
width=3D64
@@ -1510,14 +1530,10 @@
</BODY></HTML>
"""
web_page.edit(text_content=html_content)
- safe_html = web_page.asSafeHTML()
+ safe_html = web_page.asStrippedHTML()
self.assertTrue('inside very broken HTML code' in safe_html)
- # http://www.w3.org/TR/REC-html40/present/styles.html#edef-STYLE
- # according to the HTML spec, style nodes contains only
- # CDATA, so comments nodes are serialised as Text.
- # The parser is not able to remove these pseudo comments nodes.
- # Anyway style nodes should be stripped.
self.assertTrue('AZERTYY' not in safe_html)
+ self.assertTrue('#FFAA44' in safe_html)
class TestDocumentWithSecurity(ERP5TypeTestCase):
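Review bot: `self.assertTrue('#FFAA44' in safe_html)` after `asStrippedHTML()` reads as the opposite of the first test, which asserts `'#FFAA44' not in safe_html` for the same method, and the explanatory comment was deleted with nothing replacing it. Presumably the difference is that this `<style>` sits in the body while the other one is inside `<head>`; if so, say it next to the assertion: `# style nodes inside the body are kept by asStrippedHTML (only the head is dropped)`. Stripped HTML is presumably meant to be embedded in a host page, so the same comment should record that the kept CSS then applies to the whole page, which the log treats as a display issue rather than a security one. The test method starts outside this hunk.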