import os
from datetime import datetime
from django.core.exceptions import SuspiciousOperation
from django.core.serializers.json import DjangoJSONEncoder
from django.test import SimpleTestCase
from django.utils.deprecation import RemovedInDjango60Warning
from django.utils.functional import lazystr
from django.utils.html import (
conditional_escape,
escape,
escapejs,
format_html,
format_html_join,
html_safe,
json_script,
linebreaks,
smart_urlquote,
strip_spaces_between_tags,
strip_tags,
urlize,
)
from django.utils.safestring import mark_safe
class TestUtilsHtml(SimpleTestCase):
def check_output(self, function, value, output=None):
"""
function(value) equals output. If output is None, function(value)
equals value.
"""
if output is None:
output = value
self.assertEqual(function(value), output)
def test_escape(self):
items = (
("&", "&"),
("<", "<"),
(">", ">"),
('"', """),
("'", "'"),
)
# Substitution patterns for testing the above items.
patterns = ("%s", "asdf%sfdsa", "%s1", "1%sb")
for value, output in items:
with self.subTest(value=value, output=output):
for pattern in patterns:
with self.subTest(value=value, output=output, pattern=pattern):
self.check_output(escape, pattern % value, pattern % output)
self.check_output(
escape, lazystr(pattern % value), pattern % output
)
# Check repeated values.
self.check_output(escape, value * 2, output * 2)
# Verify it doesn't double replace &.
self.check_output(escape, "<&", "<&")
def test_format_html(self):
self.assertEqual(
format_html(
"{} {} {third} {fourth}",
"< Dangerous >",
mark_safe("safe"),
third="< dangerous again",
fourth=mark_safe("safe again"),
),
"< Dangerous > safe < dangerous again safe again",
)
def test_format_html_no_params(self):
msg = "Calling format_html() without passing args or kwargs is deprecated."
# RemovedInDjango60Warning: when the deprecation ends, replace with:
# msg = "args or kwargs must be provided."
# with self.assertRaisesMessage(TypeError, msg):
with self.assertWarnsMessage(RemovedInDjango60Warning, msg) as ctx:
name = "Adam"
self.assertEqual(format_html(f"{name}"), "Adam")
self.assertEqual(ctx.filename, __file__)
def test_format_html_join_with_positional_arguments(self):
self.assertEqual(
format_html_join(
"\n",
"{}) {}",
[(1, "Emma"), (2, "Matilda")],
),
"1) Emma\n2) Matilda",
)
def test_format_html_join_with_keyword_arguments(self):
self.assertEqual(
format_html_join(
"\n",
"{id}) {text}",
[{"id": 1, "text": "Emma"}, {"id": 2, "text": "Matilda"}],
),
"1) Emma\n2) Matilda",
)
def test_linebreaks(self):
items = (
("para1\n\npara2\r\rpara3", "para1
\n\npara2
\n\npara3
"),
(
"para1\nsub1\rsub2\n\npara2",
"para1
sub1
sub2
\n\npara2
",
),
(
"para1\r\n\r\npara2\rsub1\r\rpara4",
"para1
\n\npara2
sub1
\n\npara4
",
),
("para1\tmore\n\npara2", "para1\tmore
\n\npara2
"),
)
for value, output in items:
with self.subTest(value=value, output=output):
self.check_output(linebreaks, value, output)
self.check_output(linebreaks, lazystr(value), output)
def test_strip_tags(self):
items = (
(
"See: 'é is an apostrophe followed by e acute
",
"See: 'é is an apostrophe followed by e acute",
),
(
"See: 'é is an apostrophe followed by e acute
",
"See: 'é is an apostrophe followed by e acute",
),
("a", "a"),
("a", "a"),
("e", "e"),
("hi, b2!", "b7>b2!"),
("b", "b"),
("a')\">b
c", "abc"),
("ab
c", "abc"),
("def", "def"),
('foobar', "foobar"),
# caused infinite loop on Pythons not patched with
# https://bugs.python.org/issue20288
("&gotcha&#;<>", "&gotcha&#;<>"),
("ript>test</script>", "ript>test"),
("&h", "alert()h"),
(">br>br>br>X", "XX"),
("<" * 50 + "a>" * 50, ""),
(">" + "" + "" * 51, ""
with self.assertRaises(SuspiciousOperation):
strip_tags(value)
def test_strip_tags_suspicious_operation_large_open_tags(self):
items = [
">" + "", " ", " ", " x")
for value in items:
with self.subTest(value=value):
self.check_output(strip_spaces_between_tags, value)
self.check_output(strip_spaces_between_tags, lazystr(value))
# Strings that have spaces to strip.
items = (
(" ", ""),
("hello
\n world
", "hello
world
"),
("\n\t
\n
\n", "\n\n"),
)
for value, output in items:
with self.subTest(value=value, output=output):
self.check_output(strip_spaces_between_tags, value, output)
self.check_output(strip_spaces_between_tags, lazystr(value), output)
def test_escapejs(self):
items = (
(
"\"double quotes\" and 'single quotes'",
"\\u0022double quotes\\u0022 and \\u0027single quotes\\u0027",
),
(r"\ : backslashes, too", "\\u005C : backslashes, too"),
(
"and lots of whitespace: \r\n\t\v\f\b",
"and lots of whitespace: \\u000D\\u000A\\u0009\\u000B\\u000C\\u0008",
),
(
r"",
"\\u003Cscript\\u003Eand this\\u003C/script\\u003E",
),
(
"paragraph separator:\u2029and line separator:\u2028",
"paragraph separator:\\u2029and line separator:\\u2028",
),
("`", "\\u0060"),
)
for value, output in items:
with self.subTest(value=value, output=output):
self.check_output(escapejs, value, output)
self.check_output(escapejs, lazystr(value), output)
def test_json_script(self):
tests = (
# "<", ">" and "&" are quoted inside JSON strings
(
(
"&<>",
'',
)
),
# "<", ">" and "&" are quoted inside JSON objects
(
{"a": ""},
'",
),
# Lazy strings are quoted
(
lazystr("&<>"),
'",
),
(
{"a": lazystr("")},
'",
),
)
for arg, expected in tests:
with self.subTest(arg=arg):
self.assertEqual(json_script(arg, "test_id"), expected)
def test_json_script_custom_encoder(self):
class CustomDjangoJSONEncoder(DjangoJSONEncoder):
def encode(self, o):
return '{"hello": "world"}'
self.assertHTMLEqual(
json_script({}, encoder=CustomDjangoJSONEncoder),
'',
)
def test_json_script_without_id(self):
self.assertHTMLEqual(
json_script({"key": "value"}),
'',
)
def test_smart_urlquote(self):
items = (
# IDN is encoded as percent-encoded ("quoted") UTF-8 (#36013).
("http://öäü.com/", "http://%C3%B6%C3%A4%C3%BC.com/"),
("https://faß.example.com", "https://fa%C3%9F.example.com"),
(
"http://öäü.com/öäü/",
"http://%C3%B6%C3%A4%C3%BC.com/%C3%B6%C3%A4%C3%BC/",
),
(
# Valid under IDNA 2008, but was invalid in IDNA 2003.
"https://މިހާރު.com",
"https://%DE%89%DE%A8%DE%80%DE%A7%DE%83%DE%AA.com",
),
(
# Valid under WHATWG URL Specification but not IDNA 2008.
"http://👓.ws",
"http://%F0%9F%91%93.ws",
),
# Pre-encoded IDNA is left unchanged.
("http://xn--iny-zx5a.com/idna2003", "http://xn--iny-zx5a.com/idna2003"),
("http://xn--fa-hia.com/idna2008", "http://xn--fa-hia.com/idna2008"),
# Everything unsafe is quoted, !*'();:@&=+$,/?#[]~ is considered
# safe as per RFC.
(
"http://example.com/path/öäü/",
"http://example.com/path/%C3%B6%C3%A4%C3%BC/",
),
("http://example.com/%C3%B6/ä/", "http://example.com/%C3%B6/%C3%A4/"),
("http://example.com/?x=1&y=2+3&z=", "http://example.com/?x=1&y=2+3&z="),
("http://example.com/?x=<>\"'", "http://example.com/?x=%3C%3E%22%27"),
(
"http://example.com/?q=http://example.com/?x=1%26q=django",
"http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3D"
"django",
),
(
"http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3D"
"django",
"http://example.com/?q=http%3A%2F%2Fexample.com%2F%3Fx%3D1%26q%3D"
"django",
),
("http://.www.f oo.bar/", "http://.www.f%20oo.bar/"),
('http://example.com">', "http://example.com%22%3E"),
("http://10.22.1.1/", "http://10.22.1.1/"),
("http://[fd00::1]/", "http://[fd00::1]/"),
)
for value, output in items:
with self.subTest(value=value, output=output):
self.assertEqual(smart_urlquote(value), output)
def test_conditional_escape(self):
s = "interop
"
self.assertEqual(conditional_escape(s), "<h1>interop</h1>")
self.assertEqual(conditional_escape(mark_safe(s)), s)
self.assertEqual(conditional_escape(lazystr(mark_safe(s))), s)
def test_html_safe(self):
@html_safe
class HtmlClass:
def __str__(self):
return "I'm a html class!
"
html_obj = HtmlClass()
self.assertTrue(hasattr(HtmlClass, "__html__"))
self.assertTrue(hasattr(html_obj, "__html__"))
self.assertEqual(str(html_obj), html_obj.__html__())
def test_html_safe_subclass(self):
class BaseClass:
def __html__(self):
# defines __html__ on its own
return "some html content"
def __str__(self):
return "some non html content"
@html_safe
class Subclass(BaseClass):
def __str__(self):
# overrides __str__ and is marked as html_safe
return "some html safe content"
subclass_obj = Subclass()
self.assertEqual(str(subclass_obj), subclass_obj.__html__())
def test_html_safe_defines_html_error(self):
msg = "can't apply @html_safe to HtmlClass because it defines __html__()."
with self.assertRaisesMessage(ValueError, msg):
@html_safe
class HtmlClass:
def __html__(self):
return "I'm a html class!
"
def test_html_safe_doesnt_define_str(self):
msg = "can't apply @html_safe to HtmlClass because it doesn't define __str__()."
with self.assertRaisesMessage(ValueError, msg):
@html_safe
class HtmlClass:
pass
def test_urlize(self):
tests = (
(
"Search for google.com/?q=! and see.",
'Search for google.com/?q=! and '
"see.",
),
(
"Search for google.com/?q=1<! and see.",
'Search for google.com/?q=1<'
"! and see.",
),
(
lazystr("Search for google.com/?q=!"),
'Search for google.com/?q=!',
),
(
"http://www.foo.bar/",
'http://www.foo.bar/',
),
(
"Look on www.نامهای.com.",
"Look on www.نامهای.com.",
),
("foo@example.com", 'foo@example.com'),
(
"test@" + "한.글." * 15 + "aaa",
''
+ "test@"
+ "한.글." * 15
+ "aaa",
),
(
# RFC 6068 requires a mailto URI to percent-encode a number of
# characters that can appear in .
"yes+this=is&a%valid!email@example.com",
'yes+this=is&a%valid!email@example.com",
),
(
"foo@faß.example.com",
'foo@faß.example.com',
),
(
"idna-2008@މިހާރު.example.mv",
'idna-2008@މިހާރު.example.mv',
),
)
for value, output in tests:
with self.subTest(value=value):
self.assertEqual(urlize(value), output)
def test_urlize_unchanged_inputs(self):
tests = (
("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test
# Unicode domain catastrophic tests.
"a@" + "한.글." * 1_000_000 + "a",
"http://" + "한.글." * 1_000_000 + "com",
"www." + "한.글." * 1_000_000 + "com",
("a" + "." * 1000000) + "a", # trailing_punctuation catastrophic test
"foo@",
"@foo.com",
"foo@.example.com",
"foo@localhost",
"foo@localhost.",
"test@example?;+!.com",
"email me@example.com,then I'll respond",
# trim_punctuation catastrophic tests
"(" * 100_000 + ":" + ")" * 100_000,
"(" * 100_000 + "&:" + ")" * 100_000,
"([" * 100_000 + ":" + "])" * 100_000,
"[(" * 100_000 + ":" + ")]" * 100_000,
"([[" * 100_000 + ":" + "]])" * 100_000,
"&:" + ";" * 100_000,
"&.;" * 100_000,
".;" * 100_000,
"&" + ";:" * 100_000,
)
for value in tests:
with self.subTest(value=value):
self.assertEqual(urlize(value), value)