Commit b68c1737 authored by Hanno Schlichting's avatar Hanno Schlichting

Merge branch '2.13'

parents fc1b7545 40a43b03
...@@ -353,8 +353,17 @@ class ImageTests(FileTests): ...@@ -353,8 +353,17 @@ class ImageTests(FileTests):
verifyClass(IWriteLock, Image) verifyClass(IWriteLock, Image)
class ImagePublishTests(Testing.ZopeTestCase.FunctionalTestCase):
def testTagSafe(self):
self.app.manage_addImage("image", "")
res = self.publish("/image/tag?height=0&width=0&css_class=%22%3E%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert('evil')%3B%3C%2Fscript%3E%3Cdiv%20class%3D%22")
self.assertNotIn('<script type="text/javascript">alert(\'evil\');</script>', res.getBody())
def test_suite(): def test_suite():
return unittest.TestSuite(( return unittest.TestSuite((
unittest.makeSuite(FileTests), unittest.makeSuite(FileTests),
unittest.makeSuite(ImageTests), unittest.makeSuite(ImageTests),
unittest.makeSuite(ImagePublishTests)
)) ))
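Review bot: `testTagSafe` asserts only that the raw `<script …>` string is absent from the body, so it passes just as well when the request fails outright (an error page or empty body contains no script tag either) and it says nothing about how `css_class` was actually encoded. Add a status check ahead of the body check, `self.assertEqual(res.getStatus(), 200)`, and, if the fix in `Image.tag` is HTML entity escaping (that code is not in this hunk), also assert the escaped form is present, e.g. `self.assertIn('&lt;script', res.getBody())`, adjusted to whatever the encoder emits. The same vacuous-pass shape is in `test_encodeUrl_safe` in the BrowserIdManager test file in this commit. The method also has no docstring; `"""Regression test: css_class passed to Image.tag must be HTML-escaped."""` would record why the odd request URL exists. If `tag` renders other caller-supplied strings as attributes (its signature is outside this hunk), they deserve the same coverage.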
...@@ -265,6 +265,7 @@ class BrowserIdManager(Item, Persistent, Implicit, RoleManager, Owned, Tabs): ...@@ -265,6 +265,7 @@ class BrowserIdManager(Item, Persistent, Implicit, RoleManager, Owned, Tabs):
security.declareProtected(ACCESS_CONTENTS_PERM, 'encodeUrl') security.declareProtected(ACCESS_CONTENTS_PERM, 'encodeUrl')
def encodeUrl(self, url, style='querystring', create=1): def encodeUrl(self, url, style='querystring', create=1):
# See IBrowserIdManager
bid = self.getBrowserId(create) bid = self.getBrowserId(create)
if bid is None: if bid is None:
raise BrowserIdManagerErr('There is no current browser id.') raise BrowserIdManagerErr('There is no current browser id.')
......
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
Test suite for session id manager. Test suite for session id manager.
""" """
import unittest import unittest
import Testing
class TestBrowserIdManager(unittest.TestCase): class TestBrowserIdManager(unittest.TestCase):
...@@ -642,6 +643,18 @@ class TestBrowserIdManagerTraverser(unittest.TestCase): ...@@ -642,6 +643,18 @@ class TestBrowserIdManagerTraverser(unittest.TestCase):
self.assertEqual(request._script[1], bid) self.assertEqual(request._script[1], bid)
class TestBrowserIdManagerPublish(Testing.ZopeTestCase.FunctionalTestCase):
def test_encodeUrl_safe(self):
from OFS.Application import AppInitializer
init = AppInitializer(self.app)
init.install_browser_id_manager()
res = self.publish(
'/browser_id_manager/encodeUrl?url=%3Chtml%3EEVIL%2Fhtml%3E%3C!--')
self.assertNotIn("<html>EVIL/html>", res.getBody())
class DummyObject: class DummyObject:
def __init__(self, **kw): def __init__(self, **kw):
self.__dict__.update(kw) self.__dict__.update(kw)
...@@ -667,4 +680,5 @@ def test_suite(): ...@@ -667,4 +680,5 @@ def test_suite():
return unittest.TestSuite(( return unittest.TestSuite((
unittest.makeSuite(TestBrowserIdManager), unittest.makeSuite(TestBrowserIdManager),
unittest.makeSuite(TestBrowserIdManagerTraverser), unittest.makeSuite(TestBrowserIdManagerTraverser),
unittest.makeSuite(TestBrowserIdManagerPublish),
)) ))
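Review bot: `test_encodeUrl_safe` exercises `encodeUrl` only with its default `style` (the signature in the BrowserIdManager hunk shows `style='querystring'`); if the method supports other styles that also embed `url` in the response, each should get its own `publish` call in this test, since the escaping path may differ per style. The test also has no docstring explaining the percent-encoded query string; `"""Regression test: url passed to encodeUrl must not be reflected unescaped."""` would do. The assertion string `"<html>EVIL/html>"` is a substring of the decoded input, which is fine, but a short comment such as `# decoded input is '<html>EVIL/html><!--'` next to the `publish` call would spare the next reader the decoding.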