2015-01-28 12:35:27 +00:00
|
|
|
from django.template import Context, Template
|
2016-12-31 17:43:30 +00:00
|
|
|
from django.test import SimpleTestCase
|
2022-02-18 19:27:05 +00:00
|
|
|
from django.utils import html, translation
|
|
|
|
from django.utils.functional import Promise, lazy, lazystr
|
2022-01-25 09:53:03 +00:00
|
|
|
from django.utils.safestring import SafeData, SafeString, mark_safe
|
2022-02-18 19:27:05 +00:00
|
|
|
from django.utils.translation import gettext_lazy
|
2013-04-20 11:38:14 +00:00
|
|
|
|
|
|
|
|
2016-12-29 15:27:49 +00:00
|
|
|
class customescape(str):
|
2014-12-23 21:29:01 +00:00
|
|
|
def __html__(self):
|
2020-05-01 12:37:21 +00:00
|
|
|
# Implement specific and wrong escaping in order to be able to detect
|
|
|
|
# when it runs.
|
2014-12-23 21:29:01 +00:00
|
|
|
return self.replace("<", "<<").replace(">", ">>")
|
|
|
|
|
|
|
|
|
2015-04-17 21:38:20 +00:00
|
|
|
class SafeStringTest(SimpleTestCase):
|
2013-04-20 11:38:14 +00:00
|
|
|
def assertRenderEqual(self, tpl, expected, **context):
|
|
|
|
context = Context(context)
|
|
|
|
tpl = Template(tpl)
|
|
|
|
self.assertEqual(tpl.render(context), expected)
|
|
|
|
|
|
|
|
def test_mark_safe(self):
|
|
|
|
s = mark_safe("a&b")
|
|
|
|
|
|
|
|
self.assertRenderEqual("{{ s }}", "a&b", s=s)
|
|
|
|
self.assertRenderEqual("{{ s|force_escape }}", "a&b", s=s)
|
|
|
|
|
2017-01-30 18:15:59 +00:00
|
|
|
def test_mark_safe_str(self):
|
|
|
|
"""
|
2019-02-05 14:38:29 +00:00
|
|
|
Calling str() on a SafeString instance doesn't lose the safe status.
|
2017-01-30 18:15:59 +00:00
|
|
|
"""
|
|
|
|
s = mark_safe("a&b")
|
|
|
|
self.assertIsInstance(str(s), type(s))
|
|
|
|
|
2014-12-23 21:29:01 +00:00
|
|
|
def test_mark_safe_object_implementing_dunder_html(self):
|
|
|
|
e = customescape("<a&b>")
|
|
|
|
s = mark_safe(e)
|
|
|
|
self.assertIs(s, e)
|
|
|
|
|
|
|
|
self.assertRenderEqual("{{ s }}", "<<a&b>>", s=s)
|
|
|
|
self.assertRenderEqual("{{ s|force_escape }}", "<a&b>", s=s)
|
|
|
|
|
2013-04-20 11:38:14 +00:00
|
|
|
def test_mark_safe_lazy(self):
|
2022-02-18 19:27:05 +00:00
|
|
|
safe_s = mark_safe(lazystr("a&b"))
|
2013-04-20 11:38:14 +00:00
|
|
|
|
2022-02-18 19:27:05 +00:00
|
|
|
self.assertIsInstance(safe_s, Promise)
|
|
|
|
self.assertRenderEqual("{{ s }}", "a&b", s=safe_s)
|
|
|
|
self.assertIsInstance(str(safe_s), SafeData)
|
|
|
|
|
|
|
|
def test_mark_safe_lazy_i18n(self):
|
|
|
|
s = mark_safe(gettext_lazy("name"))
|
|
|
|
tpl = Template("{{ s }}")
|
|
|
|
with translation.override("fr"):
|
|
|
|
self.assertEqual(tpl.render(Context({"s": s})), "nom")
|
2013-04-20 11:38:14 +00:00
|
|
|
|
2014-12-23 20:49:05 +00:00
|
|
|
def test_mark_safe_object_implementing_dunder_str(self):
|
2017-01-19 07:39:46 +00:00
|
|
|
class Obj:
|
2014-12-23 20:49:05 +00:00
|
|
|
def __str__(self):
|
|
|
|
return "<obj>"
|
|
|
|
|
|
|
|
s = mark_safe(Obj())
|
|
|
|
|
|
|
|
self.assertRenderEqual("{{ s }}", "<obj>", s=s)
|
|
|
|
|
2014-12-23 21:29:01 +00:00
|
|
|
def test_mark_safe_result_implements_dunder_html(self):
|
|
|
|
self.assertEqual(mark_safe("a&b").__html__(), "a&b")
|
|
|
|
|
|
|
|
def test_mark_safe_lazy_result_implements_dunder_html(self):
|
|
|
|
self.assertEqual(mark_safe(lazystr("a&b")).__html__(), "a&b")
|
|
|
|
|
2014-10-16 01:03:40 +00:00
|
|
|
def test_add_lazy_safe_text_and_safe_text(self):
|
|
|
|
s = html.escape(lazystr("a"))
|
|
|
|
s += mark_safe("&b")
|
|
|
|
self.assertRenderEqual("{{ s }}", "a&b", s=s)
|
|
|
|
|
|
|
|
s = html.escapejs(lazystr("a"))
|
|
|
|
s += mark_safe("&b")
|
|
|
|
self.assertRenderEqual("{{ s }}", "a&b", s=s)
|
2016-06-02 21:11:43 +00:00
|
|
|
|
|
|
|
def test_mark_safe_as_decorator(self):
|
|
|
|
"""
|
|
|
|
mark_safe used as a decorator leaves the result of a function
|
|
|
|
unchanged.
|
|
|
|
"""
|
2022-02-03 19:24:19 +00:00
|
|
|
|
2016-06-02 21:11:43 +00:00
|
|
|
def clean_string_provider():
|
|
|
|
return "<html><body>dummy</body></html>"
|
|
|
|
|
|
|
|
self.assertEqual(mark_safe(clean_string_provider)(), clean_string_provider())
|
|
|
|
|
|
|
|
def test_mark_safe_decorator_does_not_affect_dunder_html(self):
|
|
|
|
"""
|
|
|
|
mark_safe doesn't affect a callable that has an __html__() method.
|
|
|
|
"""
|
2022-02-03 19:24:19 +00:00
|
|
|
|
2016-06-02 21:11:43 +00:00
|
|
|
class SafeStringContainer:
|
|
|
|
def __html__(self):
|
|
|
|
return "<html></html>"
|
|
|
|
|
|
|
|
self.assertIs(mark_safe(SafeStringContainer), SafeStringContainer)
|
|
|
|
|
|
|
|
def test_mark_safe_decorator_does_not_affect_promises(self):
|
|
|
|
"""
|
|
|
|
mark_safe doesn't affect lazy strings (Promise objects).
|
|
|
|
"""
|
2022-02-03 19:24:19 +00:00
|
|
|
|
2016-06-02 21:11:43 +00:00
|
|
|
def html_str():
|
|
|
|
return "<html></html>"
|
|
|
|
|
|
|
|
lazy_str = lazy(html_str, str)()
|
|
|
|
self.assertEqual(mark_safe(lazy_str), html_str())
|
2022-01-25 09:53:03 +00:00
|
|
|
|
|
|
|
def test_default_additional_attrs(self):
|
|
|
|
s = SafeString("a&b")
|
|
|
|
msg = "object has no attribute 'dynamic_attr'"
|
|
|
|
with self.assertRaisesMessage(AttributeError, msg):
|
|
|
|
s.dynamic_attr = True
|
|
|
|
|
|
|
|
def test_default_safe_data_additional_attrs(self):
|
|
|
|
s = SafeData()
|
|
|
|
msg = "object has no attribute 'dynamic_attr'"
|
|
|
|
with self.assertRaisesMessage(AttributeError, msg):
|
|
|
|
s.dynamic_attr = True
|
2024-08-09 15:01:27 +00:00
|
|
|
|
|
|
|
def test_add_str(self):
|
|
|
|
s = SafeString("a&b")
|
|
|
|
cases = [
|
|
|
|
("test", "a&btest"),
|
|
|
|
("<p>unsafe</p>", "a&b<p>unsafe</p>"),
|
|
|
|
(SafeString("<p>safe</p>"), SafeString("a&b<p>safe</p>")),
|
|
|
|
]
|
|
|
|
for case, expected in cases:
|
|
|
|
with self.subTest(case=case):
|
|
|
|
self.assertRenderEqual("{{ s }}", expected, s=s + case)
|
2024-08-09 15:18:42 +00:00
|
|
|
|
|
|
|
def test_add_obj(self):
|
|
|
|
|
|
|
|
base_str = "<strong>strange</strong>"
|
|
|
|
add_str = "hello</br>"
|
|
|
|
|
|
|
|
class Add:
|
|
|
|
def __add__(self, other):
|
|
|
|
return base_str + other
|
|
|
|
|
|
|
|
class AddSafe:
|
|
|
|
def __add__(self, other):
|
|
|
|
return mark_safe(base_str) + other
|
|
|
|
|
|
|
|
class Radd:
|
|
|
|
def __radd__(self, other):
|
|
|
|
return other + base_str
|
|
|
|
|
|
|
|
class RaddSafe:
|
|
|
|
def __radd__(self, other):
|
|
|
|
return other + mark_safe(base_str)
|
|
|
|
|
|
|
|
left_add_expected = f"{base_str}{add_str}"
|
|
|
|
right_add_expected = f"{add_str}{base_str}"
|
|
|
|
cases = [
|
|
|
|
# Left-add test cases.
|
|
|
|
(Add(), add_str, left_add_expected, str),
|
|
|
|
(Add(), mark_safe(add_str), left_add_expected, str),
|
|
|
|
(AddSafe(), add_str, left_add_expected, str),
|
|
|
|
(AddSafe(), mark_safe(add_str), left_add_expected, SafeString),
|
|
|
|
# Right-add test cases.
|
|
|
|
(add_str, Radd(), right_add_expected, str),
|
|
|
|
(mark_safe(add_str), Radd(), right_add_expected, str),
|
|
|
|
(add_str, Radd(), right_add_expected, str),
|
|
|
|
(mark_safe(add_str), RaddSafe(), right_add_expected, SafeString),
|
|
|
|
]
|
|
|
|
for lhs, rhs, expected, expected_type in cases:
|
|
|
|
with self.subTest(lhs=lhs, rhs=rhs):
|
|
|
|
result = lhs + rhs
|
|
|
|
self.assertEqual(result, expected)
|
|
|
|
self.assertEqual(type(result), expected_type)
|
|
|
|
|
|
|
|
cases = [
|
|
|
|
("hello", Add()),
|
|
|
|
("hello", AddSafe()),
|
|
|
|
(Radd(), "hello"),
|
|
|
|
(RaddSafe(), "hello"),
|
|
|
|
]
|
|
|
|
for lhs, rhs in cases:
|
|
|
|
with self.subTest(lhs=lhs, rhs=rhs), self.assertRaises(TypeError):
|
|
|
|
lhs + rhs
|