From b52c73008a9d67e9ddbb841872dc15cdd3d6ee01 Mon Sep 17 00:00:00 2001 From: Preston Timmons Date: Tue, 27 Dec 2016 17:00:56 -0500 Subject: Fixed #15667 -- Added template-based widget rendering. Thanks Carl Meyer and Tim Graham for contributing to the patch. --- tests/admin_widgets/tests.py | 62 +++++++++++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 21 deletions(-) (limited to 'tests/admin_widgets/tests.py') diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index 2d8b88f2cf..b74df4e251 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -3,6 +3,7 @@ from __future__ import unicode_literals import gettext import os +import re from datetime import datetime, timedelta from importlib import import_module @@ -354,34 +355,53 @@ class AdminURLWidgetTest(SimpleTestCase): ) def test_render_quoting(self): - # WARNING: Don't use assertHTMLEqual in that testcase! - # assertHTMLEqual will get rid of some escapes which are tested here! + """ + WARNING: This test doesn't use assertHTMLEqual since it will get rid + of some escapes which are tested here! + """ + HREF_RE = re.compile('href="([^"]+)"') + VALUE_RE = re.compile('value="([^"]+)"') + TEXT_RE = re.compile(']+>([^>]+)') w = widgets.AdminURLFieldWidget() + output = w.render('test', 'http://example.com/some text') + self.assertEqual( + HREF_RE.search(output).groups()[0], + 'http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E', + ) + self.assertEqual( + TEXT_RE.search(output).groups()[0], + 'http://example.com/<sometag>some text</sometag>', + ) + self.assertEqual( + VALUE_RE.search(output).groups()[0], + 'http://example.com/<sometag>some text</sometag>', + ) + output = w.render('test', 'http://example-äüö.com/some text') + self.assertEqual( + HREF_RE.search(output).groups()[0], + 'http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E', + ) self.assertEqual( - w.render('test', 'http://example.com/some text'), - '

Currently: ' - '' - 'http://example.com/<sometag>some text</sometag>
' - 'Change:

' + TEXT_RE.search(output).groups()[0], + 'http://example-äüö.com/<sometag>some text</sometag>', ) self.assertEqual( - w.render('test', 'http://example-äüö.com/some text'), - '

Currently: ' - '' - 'http://example-äüö.com/<sometag>some text</sometag>
' - 'Change:

' + VALUE_RE.search(output).groups()[0], + 'http://example-äüö.com/<sometag>some text</sometag>', ) + output = w.render('test', 'http://www.example.com/%C3%A4">"') self.assertEqual( - w.render('test', 'http://www.example.com/%C3%A4">"'), - '

Currently: ' - '' + HREF_RE.search(output).groups()[0], + 'http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22', + ) + self.assertEqual( + TEXT_RE.search(output).groups()[0], 'http://www.example.com/%C3%A4"><script>' - 'alert("XSS!")</script>"
' - 'Change:

' + 'alert("XSS!")</script>"' + ) + self.assertEqual( + VALUE_RE.search(output).groups()[0], + 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"', ) -- cgit v1.3