Merge remote-tracking branch 'upstream/2.13' into 2.13

bc41a5ee · Martin Häcker · ee53f2c4 · eb8459d5 · bc41a5ee · bc41a5ee
Commit bc41a5ee authored Oct 29, 2014 by Martin Häcker
Showing with 25 additions and 4 deletions

.travis.yml .travis.yml +15 -0

src/OFS/tests/testFileAndImage.py src/OFS/tests/testFileAndImage.py +9 -3

src/Products/Sessions/tests/testBrowserIdManager.py src/Products/Sessions/tests/testBrowserIdManager.py +1 -1

No files found.
--- a/.travis.yml
+++ b/.travis.yml
+language: python
+python:
+    - "2.6"
+    - "2.7"
+
+notifications:
+  email:
+    - hanno@hannosch.eu
+
+install:
+    - python bootstrap.py
+    - bin/buildout
+
+script:
+    - bin/test
--- a/src/OFS/tests/testFileAndImage.py
+++ b/src/OFS/tests/testFileAndImage.py
@@ -336,7 +336,8 @@ class ImageTests(FileTests):
          ('<img src="http://foo/file" alt="" title="" height="16" width="16" />'))

    def testTag(self):
-        tag_fmt = '<img src="http://foo/file" alt="%s" title="%s" height="16" width="16" />'
+        tag_fmt = ('<img src="http://foo/file" alt="%s" title="%s" '
+                   'height="16" width="16" />')
        self.assertEqual(self.file.tag(), (tag_fmt % ('','')))
        self.file.manage_changeProperties(title='foo')
        self.assertEqual(self.file.tag(), (tag_fmt % ('','foo')))
@@ -357,8 +358,13 @@ class ImageTests(FileTests):
 class ImagePublishTests(Testing.ZopeTestCase.FunctionalTestCase):
    def testTagSafe(self):
        self.app.manage_addImage("image", "")
-        res = self.publish("/image/tag?height=0&width=0&css_class=%22%3E%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert('evil')%3B%3C%2Fscript%3E%3Cdiv%20class%3D%22")
-        self.assertNotIn('<script type="text/javascript">alert(\'evil\');</script>', res.getBody())
+        res = self.publish(
+            "/image/tag?height=0&width=0&css_class=%22%3E%3Cscript%20type"
+            "%3D%22text%2Fjavascript%22%3Ealert('evil')%3B%3C%2Fscript"
+            "%3E%3Cdiv%20class%3D%22")
+        self.assertFalse(
+            '<script type="text/javascript">alert(\'evil\');</script>'
+                in res.getBody())


 def test_suite():

--- a/src/Products/Sessions/tests/testBrowserIdManager.py
+++ b/src/Products/Sessions/tests/testBrowserIdManager.py
@@ -652,7 +652,7 @@ class TestBrowserIdManagerPublish(Testing.ZopeTestCase.FunctionalTestCase):

        res = self.publish(
            '/browser_id_manager/encodeUrl?url=%3Chtml%3EEVIL%2Fhtml%3E%3C!--')
-        self.assertNotIn("<html>EVIL/html>", res.getBody())
+        self.assertFalse("<html>EVIL/html>" in res.getBody())


 class DummyObject: