o ÌÉhwã@shddlmZddlmZddlmZmZmZmZGdd„deƒZ Gdd„deeƒZ Gdd „d eeƒZ d S) é)ÚTestCase)ÚWagtailTestUtils)Ú WhitelisterÚallow_without_attributesÚattribute_ruleÚ check_urlc@s$eZdZdd„Zdd„Zdd„ZdS)Ú TestCheckUrlcCs(dD]}|d}| tt|ƒƒ¡qdS)N)ÚÚhttpÚhttpsÚftpÚmailtoÚtelz://www.example.com)Ú assertTrueÚboolr)ÚselfÚ url_schemeÚurl©rú\/var/www/html/ndineBlogger/venv/lib/python3.10/site-packages/wagtail/tests/test_whitelist.pyÚtest_allowed_url_schemes sþz%TestCheckUrl.test_allowed_url_schemescCs| ttdƒƒ¡dS)Nz invalid://url©Ú assertFalserr©rrrrÚtest_disallowed_url_schemesz'TestCheckUrl.test_disallowed_url_schemecCs| ttdƒƒ¡dS)z  Some URL parsers do not parse 'jav ascript:' as a valid scheme. Browsers, however, do. The checker needs to catch these crafty schemes zjav ascript:alert('XSS')NrrrrrÚ!test_crafty_disallowed_url_schemesz.TestCheckUrl.test_crafty_disallowed_url_schemeN)Ú__name__Ú __module__Ú __qualname__rrrrrrrr s rc@sDeZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dS)ÚTestAttributeRulecCs| d¡|_dS)Núbaz)Úget_soupÚsouprrrrÚsetUpszTestAttributeRule.setUpcCó0|jj}tddiƒ}||ƒ| t|ƒd¡dS)zi Test that attribute_rule() drops attributes for which no rule has been defined. ÚsnowmanÚbarbecueú bazN©r"ÚbrÚ assertEqualÚstr©rÚtagÚfnrrrÚtest_no_rule_for_attr!ó z'TestAttributeRule.test_no_rule_for_attrcCr$)zx Test that attribute_rule() does not change attributes when the corresponding rule returns True ÚfooTr Nr(r,rrrÚtest_rule_true_for_attr+r0z)TestAttributeRule.test_rule_true_for_attrcCr$)zo Test that attribute_rule() drops attributes when the corresponding rule returns False r1Fr'Nr(r,rrrÚtest_rule_false_for_attr5r0z*TestAttributeRule.test_rule_false_for_attrcCs0|jj}tdtiƒ}||ƒ| t|ƒd¡dS)ú¯ Test that when the rule returns a callable, attribute_rule() replaces the attribute with the result of calling the callable on the attribute. r1zbazN)r"r)rÚlenr*r+r,rrrÚtest_callable_called_on_attr?s z.TestAttributeRule.test_callable_called_on_attrcCs4|jj}tddd„iƒ}||ƒ| t|ƒd¡dS)r4r1cSsdS©Nr)ÚxrrrÚQsz>TestAttributeRule.test_callable_returns_None..r'Nr(r,rrrÚtest_callable_returns_NoneJsz,TestAttributeRule.test_callable_returns_NonecCs,| d¡}|j}t|ƒ| t|ƒd¡dS)zS Test that attribute_rule() with will drop all attributes. z/zN)r!r)rr*r+©rr"r-rrrÚtest_allow_without_attributesUs ÿz/TestAttributeRule.test_allow_without_attributesN) rrrr#r/r2r3r6r:r<rrrrrs    rc@sTeZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z dd„Z dS)ÚTestWhitelistercCs tƒ|_dSr7)rÚ whitelisterrrrrr#cs zTestWhitelister.setUpcCs4| d¡}|j}|j d|j¡| t|ƒd¡dS)zL Unknown node should remove a node from the parent document zbazquuxr zquuxN)r!r1r>Úclean_unknown_nodeÚbarr*r+r;rrrÚtest_clean_unknown_nodefs z'TestWhitelister.test_clean_unknown_nodecCó2| d¡}|j}|j ||¡| t|ƒd¡dS)zj tags are allowed without attributes. This remains true when tags are nested. z#foozfooN©r!r)r>Úclean_tag_noder*r+r;rrrÚ1test_clean_tag_node_cleans_nested_recognised_nodeos zATestWhitelister.test_clean_tag_node_cleans_nested_recognised_nodecCrB)zA tags should be removed, even when nested. zbarú barNrCr;rrrÚ6test_clean_tag_node_disallows_nested_unrecognised_nodeys zFTestWhitelister.test_clean_tag_node_disallows_nested_unrecognised_nodecCó4| d¡}|jj}|j ||¡| t|ƒd¡dS©NrFr@)r!r)Ústringr>Úclean_string_noder*r+©rr"rJrrrÚ#test_clean_string_node_does_nothing‚ó z3TestWhitelister.test_clean_string_node_does_nothingcCrHrI)r!r)rJr>Ú clean_noder*r+rLrrrÚ1test_clean_node_does_not_change_navigable_stringsˆrNzATestWhitelister.test_clean_node_does_not_change_navigable_stringscCs d}|j |¡}| |d¡dS)zf Whitelister.clean should remove disallowed tags and attributes from a string z7snowman Yorkshireúsnowman YorkshireN©r>Úcleanr*©rrJÚcleaned_stringrrrÚ test_cleanŽs zTestWhitelister.test_cleancCó d}|j |¡}| |d¡dS)NzDsnowman YorkshirerQrRrTrrrÚtest_clean_comments—s z#TestWhitelister.test_clean_commentscCrW)Nz:Arthur "two sheds" Jacksonz1Arthur "two sheds" JacksonrRrTrrrÚ test_quotingœs  ÿzTestWhitelister.test_quotingN) rrrr#rArErGrMrPrVrXrYrrrrr=bs    r=N) Ú django.testrÚwagtail.test.utilsrÚwagtail.whitelistrrrrrrr=rrrrÚs E