merge hotfixes from Products.PloneHotfix20131210

5c6fd9e9 · Nathan Van Gheem · 230d8f46 · 5c6fd9e9 · 5c6fd9e9 · 5c6fd9e9
Commit 5c6fd9e9 authored Jan 29, 2014 by Nathan Van Gheem
4 changed files
--- a/src/OFS/Image.py
+++ b/src/OFS/Image.py
@@ -838,21 +838,20 @@ class Image(File):
    security.declareProtected(View, 'tag')
    def tag(self, height=None, width=None, alt=None,
            scale=0, xscale=0, yscale=0, css_class=None, title=None, **args):
-        """
-        Generate an HTML IMG tag for this image, with customization.
-        Arguments to self.tag() can be any valid attributes of an IMG tag.
-        'src' will always be an absolute pathname, to prevent redundant
-        downloading of images. Defaults are applied intelligently for
-        'height', 'width', and 'alt'. If specified, the 'scale', 'xscale',
-        and 'yscale' keyword arguments will be used to automatically adjust
-        the output height and width values of the image tag.
-
-        Since 'class' is a Python reserved word, it cannot be passed in
-        directly in keyword arguments which is a problem if you are
-        trying to use 'tag()' to include a CSS class. The tag() method
-        will accept a 'css_class' argument that will be converted to
-        'class' in the output tag to work around this.
-        """
+        #Generate an HTML IMG tag for this image, with customization.
+        #Arguments to self.tag() can be any valid attributes of an IMG tag.
+        #'src' will always be an absolute pathname, to prevent redundant
+        #downloading of images. Defaults are applied intelligently for
+        #'height', 'width', and 'alt'. If specified, the 'scale', 'xscale',
+        #and 'yscale' keyword arguments will be used to automatically adjust
+        #the output height and width values of the image tag.
+
+        #Since 'class' is a Python reserved word, it cannot be passed in
+        #directly in keyword arguments which is a problem if you are
+        #trying to use 'tag()' to include a CSS class. The tag() method
+        #will accept a 'css_class' argument that will be converted to
+        #'class' in the output tag to work around this.
+
        if height is None: height=self.height
        if width is None:  width=self.width


--- a/src/OFS/tests/testFileAndImage.py
+++ b/src/OFS/tests/testFileAndImage.py
@@ -353,8 +353,17 @@ class ImageTests(FileTests):

        verifyClass(IWriteLock, Image)

+
+class ImagePublishTests(Testing.ZopeTestCase.FunctionalTestCase):
+    def testTagSafe(self):
+        self.app.manage_addImage("image", "")
+        res = self.publish("/image/tag?height=0&width=0&css_class=%22%3E%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert('evil')%3B%3C%2Fscript%3E%3Cdiv%20class%3D%22")
+        self.assertNotIn('<script type="text/javascript">alert(\'evil\');</script>', res.getBody())
+
+
 def test_suite():
    return unittest.TestSuite((
        unittest.makeSuite(FileTests),
        unittest.makeSuite(ImageTests),
+        unittest.makeSuite(ImagePublishTests)
        ))
--- a/src/Products/Sessions/BrowserIdManager.py
+++ b/src/Products/Sessions/BrowserIdManager.py
@@ -266,8 +266,7 @@ class BrowserIdManager(Item, Persistent, Implicit, RoleManager, Owned, Tabs):
    
    security.declareProtected(ACCESS_CONTENTS_PERM, 'encodeUrl')
    def encodeUrl(self, url, style='querystring', create=1):
-        """ See IBrowserIdManager.
-        """
+        # See IBrowserIdManager
        bid = self.getBrowserId(create)
        if bid is None:
            raise BrowserIdManagerErr('There is no current browser id.')

--- a/src/Products/Sessions/tests/testBrowserIdManager.py
+++ b/src/Products/Sessions/tests/testBrowserIdManager.py
@@ -14,6 +14,7 @@
 Test suite for session id manager.
 """
 import unittest
+import Testing

 class TestBrowserIdManager(unittest.TestCase):

@@ -642,6 +643,18 @@ class TestBrowserIdManagerTraverser(unittest.TestCase):
        self.assertEqual(request._script[1], bid)


+class TestBrowserIdManagerPublish(Testing.ZopeTestCase.FunctionalTestCase):
+
+    def test_encodeUrl_safe(self):
+        from OFS.Application import AppInitializer
+        init = AppInitializer(self.app)
+        init.install_browser_id_manager()
+
+        res = self.publish(
+            '/browser_id_manager/encodeUrl?url=%3Chtml%3EEVIL%2Fhtml%3E%3C!--')
+        self.assertNotIn("<html>EVIL/html>", res.getBody())
+
+
 class DummyObject:
    def __init__(self, **kw):
        self.__dict__.update(kw)
@@ -667,4 +680,5 @@ def test_suite():
    return unittest.TestSuite((
        unittest.makeSuite(TestBrowserIdManager),
        unittest.makeSuite(TestBrowserIdManagerTraverser),
+        unittest.makeSuite(TestBrowserIdManagerPublish),
    ))