import os from datetime import datetime from django.core.serializers.json import DjangoJSONEncoder from django.test import SimpleTestCase from django.utils.deprecation import RemovedInDjango60Warning from django.utils.functional import lazystr from django.utils.html import ( conditional_escape, escape, escapejs, format_html, html_safe, json_script, linebreaks, smart_urlquote, strip_spaces_between_tags, strip_tags, urlize, ) from django.utils.safestring import mark_safe class TestUtilsHtml(SimpleTestCase): def check_output(self, function, value, output=None): """ function(value) equals output. If output is None, function(value) equals value. """ if output is None: output = value self.assertEqual(function(value), output) def test_escape(self): items = ( ("&", "&"), ("<", "<"), (">", ">"), ('"', """), ("'", "'"), ) # Substitution patterns for testing the above items. patterns = ("%s", "asdf%sfdsa", "%s1", "1%sb") for value, output in items: with self.subTest(value=value, output=output): for pattern in patterns: with self.subTest(value=value, output=output, pattern=pattern): self.check_output(escape, pattern % value, pattern % output) self.check_output( escape, lazystr(pattern % value), pattern % output ) # Check repeated values. self.check_output(escape, value * 2, output * 2) # Verify it doesn't double replace &. self.check_output(escape, "<&", "<&") def test_format_html(self): self.assertEqual( format_html( "{} {} {third} {fourth}", "< Dangerous >", mark_safe("safe"), third="< dangerous again", fourth=mark_safe("safe again"), ), "< Dangerous > safe < dangerous again safe again", ) def test_format_html_no_params(self): msg = "Calling format_html() without passing args or kwargs is deprecated." # RemovedInDjango60Warning: when the deprecation ends, replace with: # msg = "args or kwargs must be provided." # with self.assertRaisesMessage(ValueError, msg): with self.assertWarnsMessage(RemovedInDjango60Warning, msg): name = "Adam" self.assertEqual(format_html(f"{name}"), "Adam") def test_linebreaks(self): items = ( ("para1\n\npara2\r\rpara3", "

para1

\n\n

para2

\n\n

para3

"), ( "para1\nsub1\rsub2\n\npara2", "

para1
sub1
sub2

\n\n

para2

", ), ( "para1\r\n\r\npara2\rsub1\r\rpara4", "

para1

\n\n

para2
sub1

\n\n

para4

", ), ("para1\tmore\n\npara2", "

para1\tmore

\n\n

para2

"), ) for value, output in items: with self.subTest(value=value, output=output): self.check_output(linebreaks, value, output) self.check_output(linebreaks, lazystr(value), output) def test_strip_tags(self): items = ( ( "

See: 'é is an apostrophe followed by e acute

", "See: 'é is an apostrophe followed by e acute", ), ( "

See: 'é is an apostrophe followed by e acute

", "See: 'é is an apostrophe followed by e acute", ), ("a", "a"), ("a", "a"), ("e", "e"), ("hi, b2!", "b7>b2!"), ("b", "b"), ("a

')\">b

c", "abc"), ("a

b

c", "abc"), ("de

f", "def"), ('foobar', "foobar"), # caused infinite loop on Pythons not patched with # https://bugs.python.org/issue20288 ("&gotcha&#;<>", "&gotcha&#;<>"), ("ript>test</script>", "ript>test"), ("&h", "alert()h"), (">br>br>br>X", "XX"), ) for value, output in items: with self.subTest(value=value, output=output): self.check_output(strip_tags, value, output) self.check_output(strip_tags, lazystr(value), output) def test_strip_tags_files(self): # Test with more lengthy content (also catching performance regressions) for filename in ("strip_tags1.html", "strip_tags2.txt"): with self.subTest(filename=filename): path = os.path.join(os.path.dirname(__file__), "files", filename) with open(path) as fp: content = fp.read() start = datetime.now() stripped = strip_tags(content) elapsed = datetime.now() - start self.assertEqual(elapsed.seconds, 0) self.assertIn("Test string that has not been stripped.", stripped) self.assertNotIn("<", stripped) def test_strip_spaces_between_tags(self): # Strings that should come out untouched. items = (" ", " ", " ", " x") for value in items: with self.subTest(value=value): self.check_output(strip_spaces_between_tags, value) self.check_output(strip_spaces_between_tags, lazystr(value)) # Strings that have spaces to strip. items = ( (" ", ""), ("

hello

\n

world

", "

hello

world

"), ("\n

\t

\n

\n", "\n

\n"), ) for value, output in items: with self.subTest(value=value, output=output): self.check_output(strip_spaces_between_tags, value, output) self.check_output(strip_spaces_between_tags, lazystr(value), output) def test_escapejs(self): items = ( ( "\"double quotes\" and 'single quotes'", "\\u0022double quotes\\u0022 and \\u0027single quotes\\u0027", ), (r"\ : backslashes, too", "\\u005C : backslashes, too"), ( "and lots of whitespace: \r\n\t\v\f\b", "and lots of whitespace: \\u000D\\u000A\\u0009\\u000B\\u000C\\u0008", ), ( r"", "\\u003Cscript\\u003Eand this\\u003C/script\\u003E", ), ( "paragraph separator:\u2029and line separator:\u2028", "paragraph separator:\\u2029and line separator:\\u2028", ), ("`", "\\u0060"), ) for value, output in items: with self.subTest(value=value, output=output): self.check_output(escapejs, value, output) self.check_output(escapejs, lazystr(value), output) def test_json_script(self): tests = ( # "<", ">" and "&" are quoted inside JSON strings ( ( "&<>", '', ) ), # "<", ">" and "&" are quoted inside JSON objects ( {"a": ""}, '", ), # Lazy strings are quoted ( lazystr("&<>"), '", ), ( {"a": lazystr("")}, '", ), ) for arg, expected in tests: with self.subTest(arg=arg): self.assertEqual(json_script(arg, "test_id"), expected) def test_json_script_custom_encoder(self): class CustomDjangoJSONEncoder(DjangoJSONEncoder): def encode(self, o): return '{"hello": "world"}' self.assertHTMLEqual( json_script({}, encoder=CustomDjangoJSONEncoder), '', ) def test_json_script_without_id(self): self.assertHTMLEqual( json_script({"key": "value"}), '', ) def test_smart_urlquote(self): items = ( ("http://öäü.com/", "http://xn--4ca9at.com/"), ("http://öäü.com/öäü/", "http://xn--4ca9at.com/%C3%B6%C3%A4%C3%BC/"), # Everything unsafe is quoted, !*'();:@&=+$,/?#[]~ is considered # safe as per RFC. ( "http://example.com/path/öäü/", "http://example.com/path/%C3%B6%C3%A4%C3%BC/", ), ("http://example.com/%C3%B6/ä/", "http://example.com/%C3%B6/%C3%A4/"), ("http://example.com/?x=1&y=2+3&z=", "http://example.com/?x=1&y=2+3&z="), ("http://example.com/?x=<>\"'", "http://example.com/?x=%3C%3E%22%27"), ( "http://example.com/?q=http://example.com/?x=1%26q=django", "http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3D" "django", ), ( "http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3D" "django", "http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3D" "django", ), ("http://.www.f oo.bar/", "http://.www.f%20oo.bar/"), ) # IDNs are properly quoted for value, output in items: with self.subTest(value=value, output=output): self.assertEqual(smart_urlquote(value), output) def test_conditional_escape(self): s = "

interop

" self.assertEqual(conditional_escape(s), "<h1>interop</h1>") self.assertEqual(conditional_escape(mark_safe(s)), s) self.assertEqual(conditional_escape(lazystr(mark_safe(s))), s) def test_html_safe(self): @html_safe class HtmlClass: def __str__(self): return "

I'm a html class!

" html_obj = HtmlClass() self.assertTrue(hasattr(HtmlClass, "__html__")) self.assertTrue(hasattr(html_obj, "__html__")) self.assertEqual(str(html_obj), html_obj.__html__()) def test_html_safe_subclass(self): class BaseClass: def __html__(self): # defines __html__ on its own return "some html content" def __str__(self): return "some non html content" @html_safe class Subclass(BaseClass): def __str__(self): # overrides __str__ and is marked as html_safe return "some html safe content" subclass_obj = Subclass() self.assertEqual(str(subclass_obj), subclass_obj.__html__()) def test_html_safe_defines_html_error(self): msg = "can't apply @html_safe to HtmlClass because it defines __html__()." with self.assertRaisesMessage(ValueError, msg): @html_safe class HtmlClass: def __html__(self): return "

I'm a html class!

" def test_html_safe_doesnt_define_str(self): msg = "can't apply @html_safe to HtmlClass because it doesn't define __str__()." with self.assertRaisesMessage(ValueError, msg): @html_safe class HtmlClass: pass def test_urlize(self): tests = ( ( "Search for google.com/?q=! and see.", 'Search for google.com/?q=! and ' "see.", ), ( "Search for google.com/?q=1<! and see.", 'Search for google.com/?q=1<' "! and see.", ), ( lazystr("Search for google.com/?q=!"), 'Search for google.com/?q=!', ), ("foo@example.com", 'foo@example.com'), ( "test@" + "한.글." * 15 + "aaa", '' + "test@" + "한.글." * 15 + "aaa", ), ) for value, output in tests: with self.subTest(value=value): self.assertEqual(urlize(value), output) def test_urlize_unchanged_inputs(self): tests = ( ("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test # Unicode domain catastrophic tests. "a@" + "한.글." * 1_000_000 + "a", "http://" + "한.글." * 1_000_000 + "com", "www." + "한.글." * 1_000_000 + "com", ("a" + "." * 1000000) + "a", # trailing_punctuation catastrophic test "foo@", "@foo.com", "foo@.example.com", "foo@localhost", "foo@localhost.", # trim_punctuation catastrophic tests "(" * 100_000 + ":" + ")" * 100_000, "(" * 100_000 + "&:" + ")" * 100_000, "([" * 100_000 + ":" + "])" * 100_000, "[(" * 100_000 + ":" + ")]" * 100_000, "([[" * 100_000 + ":" + "]])" * 100_000, "&:" + ";" * 100_000, "&.;" * 100_000, ".;" * 100_000, ) for value in tests: with self.subTest(value=value): self.assertEqual(urlize(value), value)