diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2019-07-15 11:46:09 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-08-01 09:24:54 +0200 |
| commit | 7f65974f8219729c047fbbf8cd5cc9d80faefe77 (patch) | |
| tree | 75306bbf491c52e18bd2216403f9e8cccd9654c3 /tests/utils_tests/test_text.py | |
| parent | eea0bf7bd58cda4618ecc10133f0ad09effe1a2e (diff) | |
Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
Diffstat (limited to 'tests/utils_tests/test_text.py')
| -rw-r--r-- | tests/utils_tests/test_text.py | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py index f1a7db383c..77d7e73259 100644 --- a/tests/utils_tests/test_text.py +++ b/tests/utils_tests/test_text.py @@ -88,6 +88,17 @@ class TestUtilsText(SimpleTestCase): # lazy strings are handled correctly self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…') + def test_truncate_chars_html(self): + perf_test_values = [ + (('</a' + '\t' * 50000) + '//>', None), + ('&' * 50000, '&' * 9 + '…'), + ('_X<<<<<<<<<<<>', None), + ] + for value, expected in perf_test_values: + with self.subTest(value=value): + truncator = text.Truncator(value) + self.assertEqual(expected if expected else value, truncator.chars(10, html=True)) + def test_truncate_words(self): truncator = text.Truncator('The quick brown fox jumped over the lazy dog.') self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10)) @@ -137,11 +148,17 @@ class TestUtilsText(SimpleTestCase): truncator = text.Truncator('<i>Buenos días! ¿Cómo está?</i>') self.assertEqual('<i>Buenos días! ¿Cómo…</i>', truncator.words(3, html=True)) truncator = text.Truncator('<p>I <3 python, what about you?</p>') - self.assertEqual('<p>I <3 python…</p>', truncator.words(3, html=True)) + self.assertEqual('<p>I <3 python,…</p>', truncator.words(3, html=True)) - re_tag_catastrophic_test = ('</a' + '\t' * 50000) + '//>' - truncator = text.Truncator(re_tag_catastrophic_test) - self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True)) + perf_test_values = [ + ('</a' + '\t' * 50000) + '//>', + '&' * 50000, + '_X<<<<<<<<<<<>', + ] + for value in perf_test_values: + with self.subTest(value=value): + truncator = text.Truncator(value) + self.assertEqual(value, truncator.words(50, html=True)) def test_wrap(self): digits = '1234 67 9' |