author | Luke Plant <L.Plant.98@cantab.net> | 2015-06-15 11:17:09 +0100 |
committer | Tim Graham <timograham@gmail.com> | 2015-06-29 08:16:19 -0400 |
commit | aef2a0ec59301022354c043744a6a2fa13583aa1 (patch) | |
tree | ad562a7c7c5379594b499e14574e181188a51f10 /tests/template_tests/test_custom.py | |
parent | 9ed82154bd0bd01c6195942db84302e791ad366f (diff) | |
Fixed #25018 -- Changed simple_tag to apply conditional_escape() to its output.
This is a security hardening fix to help prevent XSS (and incorrect HTML)
for the common use case of simple_tag.
Thanks to Tim Graham for the review.
Diffstat (limited to 'tests/template_tests/test_custom.py')
-rw-r--r-- | tests/template_tests/test_custom.py | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/tests/template_tests/test_custom.py b/tests/template_tests/test_custom.py
index 5d2907074d..dec97589d6 100644
--- a/tests/template_tests/test_custom.py
+++ b/tests/template_tests/test_custom.py
@@ -104,6 +104,28 @@ class SimpleTagTests(TagTestCase):
             with self.assertRaisesMessage(TemplateSyntaxError, entry[0]):
                 self.engine.from_string("%s as var %%}" % entry[1][0:-2])
 
+    def test_simple_tag_escaping_autoescape_off(self):
+        c = Context({'name': "Jack & Jill"}, autoescape=False)
+        t = self.engine.from_string("{% load custom %}{% escape_naive %}")
+        self.assertEqual(t.render(c), "Hello Jack & Jill!")
+
+    def test_simple_tag_naive_escaping(self):
+        c = Context({'name': "Jack & Jill"})
+        t = self.engine.from_string("{% load custom %}{% escape_naive %}")
+        self.assertEqual(t.render(c), "Hello Jack & Jill!")
+
+    def test_simple_tag_explicit_escaping(self):
+        # Check we don't double escape
+        c = Context({'name': "Jack & Jill"})
+        t = self.engine.from_string("{% load custom %}{% escape_explicit %}")
+        self.assertEqual(t.render(c), "Hello Jack & Jill!")
+
+    def test_simple_tag_format_html_escaping(self):
+        # Check we don't double escape
+        c = Context({'name': "Jack & Jill"})
+        t = self.engine.from_string("{% load custom %}{% escape_format_html %}")
+        self.assertEqual(t.render(c), "Hello Jack & Jill!")
+
     def test_simple_tag_registration(self):
         # Test that the decorators preserve the decorated function's docstring, name and attributes.
         self.verify_tag(custom.no_params, 'no_params')
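Review bot: As shown, all four new tests assert the same rendered string `"Hello Jack & Jill!"` whether autoescape is on or off, so the three autoescape-on tests (`test_simple_tag_naive_escaping`, `test_simple_tag_explicit_escaping`, `test_simple_tag_format_html_escaping`) would pass even if `simple_tag` applied no escaping at all. This looks like the page's HTML rendering collapsed `&amp;` to `&`; please confirm the committed source expects `self.assertEqual(t.render(c), "Hello Jack &amp; Jill!")` in those three methods, since that single character difference is the whole security property being pinned. The test value also only exercises `&`; a fixture containing `<`, `>` and a quote, e.g. `Context({'name': '<b>"Jack"</b>'})`, would cover the characters that actually matter for XSS and would also catch a double-escape in the explicit/format_html cases more visibly. The `escape_naive`, `escape_explicit` and `escape_format_html` tags and the `SimpleTagTests` class that these methods belong to are defined outside this hunk, so whether `escape_explicit` wraps its result with `mark_safe` (the premise of the "don't double escape" comment) cannot be checked here.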