# -*- coding: utf-8 -*-
"""
unit test for security features
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:copyright: 2007 by Armin Ronacher.
:license: BSD, see LICENSE for more details.
"""
from jinja import Environment
# Template source for test_nonlocal_set: the `item!` form in the set tag is
# what the test exercises (the trailing `!`); the loop's last value is read
# back outside the loop by `{{ outer }}`.
NONLOCALSET = (
    "{% for item in range(10) %}\n"
    "{%- set outer = item! -%}\n"
    "{% endfor -%}\n"
    "{{ outer }}"
)
class PrivateStuff(object):
    """Fixture object with one plain method and one flagged as unsafe.

    ``bar()`` returns 23 and carries no marker; ``foo()`` returns 42 but is
    tagged with ``jinja_unsafe_call = True``.  The ``test_unsafe`` doctest
    expects ``foo.foo()`` to render as an empty string and ``foo.bar()`` as
    ``'23'`` when an instance is passed into a template.
    """

    def bar(self):
        return 23

    def foo(self):
        return 42

    # The marker attribute lives on the function object itself.
    foo.jinja_unsafe_call = True
class PublicStuff(object):
    """Fixture object that whitelists attributes via ``jinja_allowed_attributes``.

    Only ``'bar'`` is listed, so the ``test_unsafe`` doctest expects
    ``foo.bar()`` to render as ``'23'`` and ``foo.foo()`` as an empty string
    when an instance is passed into a template.  Both methods are otherwise
    ordinary callables returning constants.
    """

    jinja_allowed_attributes = ['bar']

    def bar(self):
        return 23

    def foo(self):
        return 42
# Doctest covering the attribute-access restrictions of the template sandbox.
# Expectations encoded below:
#   - PrivateStuff.foo is tagged jinja_unsafe_call, so foo.foo() renders as ''
#     while the untagged foo.bar() renders as '23'.
#   - PublicStuff whitelists only 'bar' in jinja_allowed_attributes, so
#     foo.foo() renders as '' and foo.bar() as '23'.
#   - Dunder access ({{ foo.__class__ }} on an int) and the function
#     internals of a lambda ({{ foo.func_code }}) both render as ''.
# `env` and `MODULE` are presumably injected into the doctest namespace by the
# test harness; they are not defined in this file.
# NOTE(review): the expected output uses u'' reprs and func_code, so this
# doctest assumes Python 2 (on Python 3 the attribute is named __code__).
test_unsafe = '''
>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
u''
>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
u'23'
>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PublicStuff())
u''
>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
u'23'
>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
u''
>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
u''
'''
# Doctest checking that a `for` loop target cannot be an attribute expression:
# both `item.attribute` and `bar.baz` (inside a tuple target) must be rejected
# at parse time with TemplateSyntaxError rather than silently assigning to an
# attribute of a context object.  `env` is presumably supplied by the doctest
# harness; it is not defined in this file.
test_restricted = '''
>>> env.from_string("{% for item.attribute in seq %}...{% endfor %}")
Traceback (most recent call last):
...
TemplateSyntaxError: cannot assign to expression (line 1)
>>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}")
Traceback (most recent call last):
...
TemplateSyntaxError: cannot assign to expression (line 1)
'''
def test_nonlocal_set():
    """Check that `set ... !` inside a loop does not leak into the globals.

    Renders NONLOCALSET with ``outer`` preset to 42 in ``env.globals`` and
    asserts that the template output is the loop's last value ('9') while
    the global ``outer`` is left untouched at 42.
    """
    environment = Environment()
    environment.globals['outer'] = 42
    rendered = environment.from_string(NONLOCALSET).render()
    assert rendered == '9'
    # The template-level assignment must not have written through to globals.
    assert environment.globals['outer'] == 42