path: root/tests/template_tests/syntax_tests/test_csp_nonce_attr.py
blob: 4ea159d0ecbac1b5ec66d213a3eaa85e6523abbf (plain)
from django.forms import Media
from django.forms.widgets import Script
from django.template import Context, Template
from django.test import SimpleTestCase, override_settings


@override_settings(STATIC_URL="/static/")
class CspNonceTagTests(SimpleTestCase):
    """Tests for ``{% csp_nonce_attr %}`` emitting a bare ``nonce`` attribute.

    The per-request nonce is read from the ``csp_nonce`` context variable.
    The cases covered are: nonce present, nonce absent, nonce explicitly
    ``None``, and a nonce value containing markup characters.
    """

    template_source = "<script {% csp_nonce_attr %}></script>"

    def _render(self, context_data=None):
        """Render the shared template with ``context_data`` as its context."""
        return Template(self.template_source).render(Context(context_data))

    def test_with_nonce_in_context(self):
        # The nonce must be emitted verbatim: the browser compares it
        # byte-for-byte with the value in the Content-Security-Policy header.
        rendered = self._render({"csp_nonce": "abc123"})
        self.assertEqual(rendered, '<script nonce="abc123"></script>')

    def test_without_csp_nonce_in_context(self):
        # With no nonce in the context the tag renders as the empty string,
        # leaving only the space from the template source behind.
        self.assertEqual(self._render(), "<script ></script>")

    def test_with_csp_nonce_none(self):
        # An explicit None is treated the same as a missing nonce.
        self.assertEqual(self._render({"csp_nonce": None}), "<script ></script>")

    def test_nonce_is_escaped(self):
        # A nonce containing markup characters has to be HTML-escaped rather
        # than copied into the attribute; otherwise a hostile value could
        # terminate the attribute and inject markup into the page.
        rendered = self._render({"csp_nonce": '<script>"'})
        self.assertIn("&lt;", rendered)
        self.assertNotIn("<script>", rendered)


@override_settings(STATIC_URL="/static/")
class CspNonceTagWithMediaTests(SimpleTestCase):
    """Tests for ``{% csp_nonce_attr media %}`` rendering a ``Media`` object.

    In this form the tag renders the media's CSS and JS tags itself and adds
    the per-request ``nonce`` attribute to each of them. Rendered HTML is
    compared with ``assertHTMLEqual`` so attribute order does not matter.
    """

    template_source = "{% csp_nonce_attr media %}"

    def _render_media(self, media, **extra_context):
        """Render the shared template with ``media`` plus any extra context."""
        context_data = {"media": media, **extra_context}
        return Template(self.template_source).render(Context(context_data))

    def test_with_nonce_in_context(self):
        # A single JS asset gets the nonce attribute attached to its tag.
        rendered = self._render_media(Media(js=["/path/to/js"]), csp_nonce="abc123")
        self.assertHTMLEqual(
            rendered,
            '<script src="/path/to/js" nonce="abc123"></script>',
        )

    def test_without_csp_nonce_in_context(self):
        # No nonce in the context: the media renders without a nonce attribute.
        rendered = self._render_media(Media(js=["/path/to/js"]))
        self.assertHTMLEqual(rendered, '<script src="/path/to/js"></script>')

    def test_with_csp_nonce_none(self):
        # An explicit None is treated the same as a missing nonce.
        rendered = self._render_media(Media(js=["/path/to/js"]), csp_nonce=None)
        self.assertHTMLEqual(rendered, '<script src="/path/to/js"></script>')

    def test_css_and_js(self):
        # Both stylesheet <link> and <script> tags receive the nonce.
        assets = Media(
            css={"all": ["/path/to/css"]},
            js=["/path/to/js"],
        )
        rendered = self._render_media(assets, csp_nonce="abc123")
        self.assertHTMLEqual(
            rendered,
            '<link href="/path/to/css" media="all" nonce="abc123" rel="stylesheet">\n'
            '<script src="/path/to/js" nonce="abc123"></script>',
        )

    def test_with_script_object(self):
        # Attributes already set on a Script object (here subresource
        # integrity) are kept alongside the added nonce.
        assets = Media(js=[Script("/path/to/js", integrity="sha256-abc")])
        rendered = self._render_media(assets, csp_nonce="abc123")
        self.assertHTMLEqual(
            rendered,
            '<script src="/path/to/js" integrity="sha256-abc"'
            ' nonce="abc123"></script>',
        )

    def test_output_is_safe(self):
        # The generated tags must be marked safe so the template engine does
        # not escape them a second time.
        rendered = self._render_media(Media(js=["/path/to/js"]), csp_nonce="abc123")
        self.assertIn("<script", rendered)
        self.assertNotIn("&lt;", rendered)

    def test_script_with_conflicting_nonce_raises(self):
        # A Script carrying its own nonce must not silently override (or be
        # overridden by) the per-request value; the conflict is an error.
        assets = Media(js=[Script("/path/to/js", nonce="static")])
        msg = "Script has conflicting attributes: nonce"
        with self.assertRaisesMessage(ValueError, msg):
            self._render_media(assets, csp_nonce="abc123")