from django.template import TemplateSyntaxError
from django.test import SimpleTestCase
from django.utils.safestring import mark_safe
from ..utils import SafeClass, UnsafeClass, setup
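class AutoescapeTagTests(SimpleTestCase):
    """
    Tests for the {% autoescape %} block tag and for which values the
    template engine HTML-escapes when rendering.

    Wherever auto-escaping applies, the expected output is spelled with HTML
    entities (&lt;, &gt;, &amp;). An assertion that expected raw markup under
    ``autoescape on`` would pin the absence of escaping, so the escaped and
    unescaped expectations must not be confused.
    """

    @setup({'autoescape-tag01': '{% autoescape off %}hello{% endautoescape %}'})
    def test_autoescape_tag01(self):
        output = self.engine.render_to_string('autoescape-tag01')
        self.assertEqual(output, 'hello')

    @setup({'autoescape-tag02': '{% autoescape off %}{{ first }}{% endautoescape %}'})
    def test_autoescape_tag02(self):
        # With escaping switched off the markup passes through untouched.
        output = self.engine.render_to_string('autoescape-tag02', {'first': '<b>hello</b>'})
        self.assertEqual(output, '<b>hello</b>')

    @setup({'autoescape-tag03': '{% autoescape on %}{{ first }}{% endautoescape %}'})
    def test_autoescape_tag03(self):
        # With escaping switched on the angle brackets become entities.
        output = self.engine.render_to_string('autoescape-tag03', {'first': '<b>hello</b>'})
        self.assertEqual(output, '&lt;b&gt;hello&lt;/b&gt;')

    # Autoescape disabling and enabling nest in a predictable way.
    @setup({
        'autoescape-tag04':
        '{% autoescape off %}{{ first }} {% autoescape on %}{{ first }}{% endautoescape %}{% endautoescape %}'
    })
    def test_autoescape_tag04(self):
        # The outer "off" block leaves the first value raw; the inner "on"
        # block escapes the second one.
        output = self.engine.render_to_string('autoescape-tag04', {'first': '<a>'})
        self.assertEqual(output, '<a> &lt;a&gt;')

    @setup({'autoescape-tag05': '{% autoescape on %}{{ first }}{% endautoescape %}'})
    def test_autoescape_tag05(self):
        output = self.engine.render_to_string('autoescape-tag05', {'first': '<b>first</b>'})
        self.assertEqual(output, '&lt;b&gt;first&lt;/b&gt;')

    # Strings (ASCII or Unicode) already marked as "safe" are not
    # auto-escaped
    @setup({'autoescape-tag06': '{{ first }}'})
    def test_autoescape_tag06(self):
        output = self.engine.render_to_string('autoescape-tag06', {'first': mark_safe('<b>first</b>')})
        self.assertEqual(output, '<b>first</b>')

    @setup({'autoescape-tag07': '{% autoescape on %}{{ first }}{% endautoescape %}'})
    def test_autoescape_tag07(self):
        # mark_safe() output stays raw even inside an explicit "on" block.
        output = self.engine.render_to_string('autoescape-tag07', {'first': mark_safe('<b>Apple</b>')})
        self.assertEqual(output, '<b>Apple</b>')

    @setup({
        'autoescape-tag08':
        r'{% autoescape on %}{{ var|default_if_none:" endquote\" hah" }}{% endautoescape %}'
    })
    def test_autoescape_tag08(self):
        """
        Literal string arguments to filters, if used in the result, are safe.
        """
        output = self.engine.render_to_string('autoescape-tag08', {"var": None})
        self.assertEqual(output, ' endquote" hah')

    # Objects which return safe strings as their __str__ method
    # won't get double-escaped.
    # NOTE(review): UnsafeClass and SafeClass come from ..utils and are not
    # shown here. The expectations below assume UnsafeClass.__str__ returns
    # the plain text 'you & me' and SafeClass.__str__ returns an
    # already-escaped safe string -- confirm against ..utils.
    @setup({'autoescape-tag09': r'{{ unsafe }}'})
    def test_autoescape_tag09(self):
        output = self.engine.render_to_string('autoescape-tag09', {'unsafe': UnsafeClass()})
        self.assertEqual(output, 'you &amp; me')

    @setup({'autoescape-tag10': r'{{ safe }}'})
    def test_autoescape_tag10(self):
        output = self.engine.render_to_string('autoescape-tag10', {'safe': SafeClass()})
        self.assertEqual(output, 'you &gt; me')

    @setup({'autoescape-filtertag01': '{{ first }}{% filter safe %}{{ first }} x<y{% endfilter %}'})
    def test_autoescape_filtertag01(self):
        """
        The "safe" and "escape" filters cannot work due to internal
        implementation details (fortunately, the (no)autoescape block
        tags can be used in those cases)
        """
        with self.assertRaises(TemplateSyntaxError):
            self.engine.render_to_string('autoescape-filtertag01', {'first': '<a>'})

    # Arguments to filters are 'safe' and manipulate their input unescaped.
    @setup({'autoescape-filters01': '{{ var|cut:"&" }}'})
    def test_autoescape_filters01(self):
        # Removing the "&" leaves both of the spaces that surrounded it.
        output = self.engine.render_to_string('autoescape-filters01', {'var': 'this & that'})
        self.assertEqual(output, 'this  that')

    @setup({'autoescape-filters02': '{{ var|join:" & " }}'})
    def test_autoescape_filters02(self):
        # The separator is a template literal, so its "&" is emitted as-is.
        output = self.engine.render_to_string('autoescape-filters02', {'var': ('Tom', 'Dick', 'Harry')})
        self.assertEqual(output, 'Tom & Dick & Harry')

    @setup({'autoescape-literals01': '{{ "this & that" }}'})
    def test_autoescape_literals01(self):
        """
        Literal strings are safe.
        """
        output = self.engine.render_to_string('autoescape-literals01')
        self.assertEqual(output, 'this & that')

    @setup({'autoescape-stringiterations01': '{% for l in var %}{{ l }},{% endfor %}'})
    def test_autoescape_stringiterations01(self):
        """
        Iterating over strings outputs safe characters.
        """
        # Each character of a context string is still escaped on output.
        output = self.engine.render_to_string('autoescape-stringiterations01', {'var': 'K&R'})
        self.assertEqual(output, 'K,&amp;,R,')

    @setup({'autoescape-lookup01': '{{ var.key }}'})
    def test_autoescape_lookup01(self):
        """
        Escape requirement survives lookup.
        """
        output = self.engine.render_to_string('autoescape-lookup01', {'var': {'key': 'this & that'}})
        self.assertEqual(output, 'this &amp; that')

    @setup({'autoescape-incorrect-arg': '{% autoescape true %}{{ var.key }}{% endautoescape %}'})
    def test_invalid_arg(self):
        # Any argument other than 'on' or 'off' is rejected with an error
        # instead of silently choosing an escaping mode.
        msg = "'autoescape' argument should be 'on' or 'off'"
        with self.assertRaisesMessage(TemplateSyntaxError, msg):
            self.engine.render_to_string('autoescape-incorrect-arg', {'var': {'key': 'this & that'}})

    @setup({'autoescape-incorrect-arg': '{% autoescape %}{{ var.key }}{% endautoescape %}'})
    def test_no_arg(self):
        # A bare {% autoescape %} with no argument is likewise an error.
        msg = "'autoescape' tag requires exactly one argument."
        with self.assertRaisesMessage(TemplateSyntaxError, msg):
            self.engine.render_to_string('autoescape-incorrect-arg', {'var': {'key': 'this & that'}})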