Diffstat (limited to 'tests/regressiontests/forms')
-rw-r--r--tests/regressiontests/forms/forms.py18
-rw-r--r--tests/regressiontests/forms/util.py7
2 files changed, 20 insertions, 5 deletions
diff --git a/tests/regressiontests/forms/forms.py b/tests/regressiontests/forms/forms.py
index 76132b273f..6bee94e579 100644
--- a/tests/regressiontests/forms/forms.py
+++ b/tests/regressiontests/forms/forms.py
@@ -593,17 +593,25 @@ u'Yesterday'
u'Yesterday'
Validation errors are HTML-escaped when output as HTML.
+>>> from django.utils.safestring import mark_safe
>>> class EscapingForm(Form):
-... special_name = CharField()
+... special_name = CharField(label="<em>Special</em> Field")
+... special_safe_name = CharField(label=mark_safe("<em>Special</em> Field"))
... def clean_special_name(self):
... raise ValidationError("Something's wrong with '%s'" % self.cleaned_data['special_name'])
+... def clean_special_safe_name(self):
+... raise ValidationError(mark_safe("'<b>%s</b>' is a safe string" % self.cleaned_data['special_safe_name']))
->>> f = EscapingForm({'special_name': "Nothing to escape"}, auto_id=False)
+>>> f = EscapingForm({'special_name': "Nothing to escape", 'special_safe_name': "Nothing to escape"}, auto_id=False)
>>> print f
-<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr>
->>> f = EscapingForm({'special_name': "Should escape < & > and <script>alert('xss')</script>"}, auto_id=False)
+<tr><th>&lt;em&gt;Special&lt;/em&gt; Field:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Nothing to escape&#39;</li></ul><input type="text" name="special_name" value="Nothing to escape" /></td></tr>
+<tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>'<b>Nothing to escape</b>' is a safe string</li></ul><input type="text" name="special_safe_name" value="Nothing to escape" /></td></tr>
+>>> f = EscapingForm(
+... {'special_name': "Should escape < & > and <script>alert('xss')</script>",
+... 'special_safe_name': "<i>Do not escape</i>"}, auto_id=False)
>>> print f
-<tr><th>Special name:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" /></td></tr>
+<tr><th>&lt;em&gt;Special&lt;/em&gt; Field:</th><td><ul class="errorlist"><li>Something&#39;s wrong with &#39;Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;&#39;</li></ul><input type="text" name="special_name" value="Should escape &lt; &amp; &gt; and &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" /></td></tr>
+<tr><th><em>Special</em> Field:</th><td><ul class="errorlist"><li>'<b><i>Do not escape</i></b>' is a safe string</li></ul><input type="text" name="special_safe_name" value="&lt;i&gt;Do not escape&lt;/i&gt;" /></td></tr>
""" + \
r""" # [This concatenation is to keep the string below the jython's 32K limit].
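Review bot: The `clean_special_safe_name` method on lines 25–26 interpolates the raw `cleaned_data` value into the message and only then wraps the whole string in `mark_safe`, so the second expected row on line 40 (`'<b><i>Do not escape</i></b>'`) pins down that user-supplied markup is rendered unescaped. That is the semantics under test, but read on its own the doctest looks like a recommended pattern, and the `<script>` case on line 35 is only exercised against the escaped field. A one-line comment above `class EscapingForm` would make the intent explicit, e.g. `# mark_safe() on a message also marks any interpolated user input as safe; production code must escape the value before interpolating it.` The enclosing docstring begins before the hunk.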
diff --git a/tests/regressiontests/forms/util.py b/tests/regressiontests/forms/util.py
index 68c082c114..845ddeaadb 100644
--- a/tests/regressiontests/forms/util.py
+++ b/tests/regressiontests/forms/util.py
@@ -49,4 +49,11 @@ u''
# Can take a non-string.
>>> print ValidationError(VeryBadError()).messages
<ul class="errorlist"><li>A very bad error.</li></ul>
+
+# Escapes non-safe input but not input marked safe.
+>>> example = 'Example of link: <a href="http://www.example.com/">example</a>'
+>>> print ValidationError(example).messages
+<ul class="errorlist"><li>Example of link: &lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;</li></ul>
+>>> print ValidationError(mark_safe(example)).messages
+<ul class="errorlist"><li>Example of link: <a href="http://www.example.com/">example</a></li></ul>
"""
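Review bot: `mark_safe` is used on line 56 but no import for it appears in this hunk, whereas forms.py adds `from django.utils.safestring import mark_safe` explicitly; if util.py's doctest preamble (outside the hunk) does not already import it, the new example raises NameError instead of checking escaping. The comment on line 52 could also state why the distinction matters, e.g. `# Escapes non-safe input but not input marked safe: wrap a message in mark_safe only when every interpolated value has already been escaped.` The surrounding docstring starts before the hunk.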