[entities] unconditionnally sanitize the html output of printable_value
Closes jpl##49466
--- a/entities/test/data/schema.py Sat Dec 14 14:29:37 2013 +0100
+++ b/entities/test/data/schema.py Mon Jan 13 15:17:11 2014 +0100
@@ -24,6 +24,7 @@
class Company(EntityType):
name = String()
+ description = RichString()
class Division(Company):
__specializes_schema__ = True
--- a/entities/test/unittest_base.py Sat Dec 14 14:29:37 2013 +0100
+++ b/entities/test/unittest_base.py Mon Jan 13 15:17:11 2014 +0100
@@ -134,6 +134,27 @@
self.request().create_entity('CWGroup', name=u'logilab', reverse_in_group=e)
+class HTMLtransformTC(BaseEntityTC):
+
+ def test_sanitized_html(self):
+ r = self.request()
+ c = r.create_entity('Company', name=u'Babar',
+ description=u"""
+Title
+=====
+
+Elephant management best practices.
+
+.. raw:: html
+
+ <script>alert("coucou")</script>
+""", description_format=u'text/rest')
+ self.commit()
+ c.cw_clear_all_caches()
+ self.assertIn('alert', c.printable_value('description', format='text/plain'))
+ self.assertNotIn('alert', c.printable_value('description', format='text/html'))
+
+
class InterfaceTC(CubicWebTC):
def test_nonregr_subclasses_and_mixins_interfaces(self):
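Review bot: The new test only asserts that `alert` is absent from the `text/html` rendering, so a cleaner that strips the whole body (or returns an empty string) would pass it just as well as a correct one. Add a positive check that the legitimate ReST content survives sanitization, e.g. `self.assertIn('Elephant', c.printable_value('description', format='text/html'))` next to the `assertNotIn`. It is also worth asserting that the `<script` tag itself is gone, since `alert` only disappears if the tag content is dropped as well as the tag. The surrounding `BaseEntityTC`/`InterfaceTC` definitions extend outside this hunk.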
--- a/entity.py Sat Dec 14 14:29:37 2013 +0100
+++ b/entity.py Mon Jan 13 15:17:11 2014 +0100
@@ -775,7 +775,7 @@
_engine=ENGINE):
trdata = TransformData(data, format, encoding, appobject=self)
data = _engine.convert(trdata, target_format).decode()
- if format == 'text/html':
+ if target_format == 'text/html':
data = soup2xhtml(data, self._cw.encoding)
return data
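Review bot: The corrected condition on `target_format` deserves a why-comment, because the old `format == 'text/html'` test read as intentional and the same mistake could be reintroduced; suggest `# clean whatever the engine produced: a non-HTML source format (e.g. ReST ".. raw:: html") can carry markup into the HTML output`. The enclosing method starts above this hunk, so its docstring (if any) is not visible here and should state that HTML output is always passed through `soup2xhtml`. The expectation updates in test/unittest_entity.py (dropped trailing newlines) suggest the cleaner now normalizes the output of every source format, which callers comparing exact `printable_value` output may notice; that seems worth a changelog line.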
--- a/test/unittest_entity.py Sat Dec 14 14:29:37 2013 +0100
+++ b/test/unittest_entity.py Mon Jan 13 15:17:11 2014 +0100
@@ -533,7 +533,7 @@
e = self.request().create_entity('Card', title=u'rest test', content=u'du :eid:`1:*ReST*`',
content_format=u'text/rest')
self.assertEqual(e.printable_value('content'),
- '<p>du <a class="reference" href="http://testing.fr/cubicweb/cwsource/system">*ReST*</a></p>\n')
+ '<p>du <a class="reference" href="http://testing.fr/cubicweb/cwsource/system">*ReST*</a></p>')
e.cw_attr_cache['content'] = 'du <em>html</em> <ref rql="CWUser X">users</ref>'
e.cw_attr_cache['content_format'] = 'text/html'
self.assertEqual(e.printable_value('content'),
@@ -541,7 +541,7 @@
e.cw_attr_cache['content'] = 'du *texte*'
e.cw_attr_cache['content_format'] = 'text/plain'
self.assertEqual(e.printable_value('content'),
- '<p>\ndu *texte*<br/>\n</p>')
+ '<p>\ndu *texte*<br/></p>')
e.cw_attr_cache['title'] = 'zou'
e.cw_attr_cache['content'] = '''\
a title
@@ -572,24 +572,21 @@
if tuple(int(i) for i in pygments.__version__.split('.')[:2]) >= (1, 3):
self.assertEqual(e.printable_value('data'),
'''<div class="highlight"><pre><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="mi">1</span>
-</pre></div>
-''')
+</pre></div>''')
else:
self.assertEqual(e.printable_value('data'),
'''<div class="highlight"><pre><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="mf">1</span>
-</pre></div>
-''')
+</pre></div>''')
else:
self.assertEqual(e.printable_value('data'),
'''<pre class="python">
<span style="color: #C00000;">lambda</span> <span style="color: #000000;">x</span><span style="color: #0000C0;">:</span> <span style="color: #0080C0;">1</span>
-</pre>
-''')
+</pre>''')
e = req.create_entity('File', data=Binary('*héhéhé*'), data_format=u'text/rest',
data_encoding=u'utf-8', data_name=u'toto.txt')
self.assertEqual(e.printable_value('data'),
- u'<p><em>héhéhé</em></p>\n')
+ u'<p><em>héhéhé</em></p>')
def test_printable_value_bad_html(self):
"""make sure we don't crash if we try to render invalid XHTML strings"""