Commit 32a9bf20 authored by Nicolas Delaby's avatar Nicolas Delaby

Test new behaviour of HTML Conversions

  * asSafeHTML is removed
  * asHTML returns allways safe html
  * Style nodes are not stripped anymore 
  (they are safe from security point of view). If they brake
  display of host page, this is another issue


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@34368 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 298bd7a7
...@@ -1423,7 +1423,7 @@ class TestDocument(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -1423,7 +1423,7 @@ class TestDocument(ERP5TypeTestCase, ZopeTestCase.Functional):
self.stepTic() self.stepTic()
self.assertSameSet([person1, person2], self.assertSameSet([person1, person2],
doc.getContributorValueList()) doc.getContributorValueList())
@expectedFailure
def test_safeHTML_conversion(self): def test_safeHTML_conversion(self):
"""This test create a Web Page and test asSafeHTML conversion. """This test create a Web Page and test asSafeHTML conversion.
Test also with a very non well-formed html document Test also with a very non well-formed html document
...@@ -1437,6 +1437,10 @@ class TestDocument(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -1437,6 +1437,10 @@ class TestDocument(ERP5TypeTestCase, ZopeTestCase.Functional):
html_content = """<html> html_content = """<html>
<head> <head>
<title>My dirty title</title> <title>My dirty title</title>
<style type="text/css">
a {color: #FFAA44;}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head> </head>
<body> <body>
<div> <div>
...@@ -1445,17 +1449,33 @@ class TestDocument(ERP5TypeTestCase, ZopeTestCase.Functional): ...@@ -1445,17 +1449,33 @@ class TestDocument(ERP5TypeTestCase, ZopeTestCase.Functional):
<script type="text/javascript" src="http://example.com/something.js"/> <script type="text/javascript" src="http://example.com/something.js"/>
</body> </body>
</html> </html>
""" """.decode('utf-8').encode('iso-8859-1')
web_page.edit(text_content=html_content) web_page.edit(text_content=html_content)
# convert web_page into safe-html # Check that outputed stripped html is safe
format = 'text/x-html-safe'
safe_html = web_page.asSafeHTML() safe_html = web_page.asStrippedHTML()
self.assertTrue('My splendid title' in safe_html) self.assertTrue('My splendid title' in safe_html)
self.assertTrue('script' not in safe_html, safe_html) self.assertTrue('script' not in safe_html, safe_html)
self.assertTrue('something.js' not in safe_html, safe_html) self.assertTrue('something.js' not in safe_html, safe_html)
self.assertTrue('<body>' not in safe_html)
self.assertTrue('<head>' not in safe_html)
self.assertTrue('<style' not in safe_html)
self.assertTrue('#FFAA44' not in safe_html)
# Check that outputed entire html is safe
entire_html = web_page.asEntireHTML()
self.assertTrue('My splendid title' in entire_html)
self.assertTrue('script' not in entire_html, entire_html)
self.assertTrue('something.js' not in entire_html, entire_html)
self.assertTrue('<title>' in entire_html)
self.assertTrue('<body>' in entire_html)
self.assertTrue('<head>' in entire_html)
self.assertTrue('<style' in entire_html)
self.assertTrue('#FFAA44' in entire_html)
# now check converted value is stored in cache # now check converted value is stored in cache
format = 'html'
self.assertTrue(web_page.hasConversion(format=format)) self.assertTrue(web_page.hasConversion(format=format))
web_page.edit(text_content=None) web_page.edit(text_content=None)
self.assertFalse(web_page.hasConversion(format=format)) self.assertFalse(web_page.hasConversion(format=format))
...@@ -1493,7 +1513,7 @@ v>=0A</body>=0A</html>=0A ...@@ -1493,7 +1513,7 @@ v>=0A</body>=0A</html>=0A
<br>= <br>=
<!-- This is a comment, This string AZERTYY shouldn't be dislayed--> <!-- This is a comment, This string AZERTYY shouldn't be dislayed-->
<style> <style>
<!-- This is a comment, This string AZERTYY shouldn't be dislayed--> <!-- a {color: #FFAA44;} -->
</style> </style>
<table class=3DMoNormalTable border=3D0 cellspacing=3D0 cellpadding=3D0 = <table class=3DMoNormalTable border=3D0 cellspacing=3D0 cellpadding=3D0 =
width=3D64 width=3D64
...@@ -1510,14 +1530,10 @@ style=3D'color:black'>05D65812<o:p></o:p></span></p> ...@@ -1510,14 +1530,10 @@ style=3D'color:black'>05D65812<o:p></o:p></span></p>
</BODY></HTML> </BODY></HTML>
""" """
web_page.edit(text_content=html_content) web_page.edit(text_content=html_content)
safe_html = web_page.asSafeHTML() safe_html = web_page.asStrippedHTML()
self.assertTrue('inside very broken HTML code' in safe_html) self.assertTrue('inside very broken HTML code' in safe_html)
# http://www.w3.org/TR/REC-html40/present/styles.html#edef-STYLE
# according to the HTML spec, style nodes contains only
# CDATA, so comments nodes are serialised as Text.
# The parser is not able to remove these pseudo comments nodes.
# Anyway style nodes should be stripped.
self.assertTrue('AZERTYY' not in safe_html) self.assertTrue('AZERTYY' not in safe_html)
self.assertTrue('#FFAA44' in safe_html)
class TestDocumentWithSecurity(ERP5TypeTestCase): class TestDocumentWithSecurity(ERP5TypeTestCase):
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment