Add/Change #501 (test_sanitize_remove_src_javascript fails due to HTMLParser bugfixes in cpython)
Add/Change #500 (test_sanitize_remove_script_elem fails due to HTMLParser bugfixes in cpython)
--- a/genshi/filters/tests/html.py
+++ b/genshi/filters/tests/html.py
@@ -365,9 +365,12 @@
self.assertEquals('', (html | HTMLSanitizer()).render())
html = HTML('<SCRIPT SRC="http://example.com/"></SCRIPT>')
self.assertEquals('', (html | HTMLSanitizer()).render())
- self.assertRaises(ParseError, HTML, '<SCR\0IPT>alert("foo")</SCR\0IPT>')
- self.assertRaises(ParseError, HTML,
- '<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>')
+ html = HTML('<SCR\0IPT>alert("foo")</SCR\0IPT>')
+ self.assertEquals('<SCR\x00IPT>alert("foo")',
+ (html | HTMLSanitizer()).render())
+ html = HTML('<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>')
+ self.assertEquals('<SCRIPT&XYZ; SRC="http://example.com/">',
+ (html | HTMLSanitizer()).render())
def test_sanitize_remove_onclick_attr(self):
html = HTML('<div onclick=\'alert("foo")\' />')
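Review bot: The replaced assertions (the `+` lines for `<SCR\0IPT>` and `<SCRIPT&XYZ`) make the test depend on which HTMLParser the interpreter ships: where the cpython fix named in the description is absent, `HTML()` presumably still raises `ParseError` and the test fails before reaching the sanitizer. If the suite is meant to run on both, accept either outcome explicitly rather than letting the older parser fail the test; the same applies to the grave-accent case in the second hunk. Separately, the expected strings pin a literal `<` in the sanitized output without saying whether that is escaped text or a live element, so a comment such as `# HTMLParser now tokenizes these as data rather than raising; the sanitizer must not turn them back into a script element` above the first assertion would record why this output is considered inert. The enclosing test method starts outside the hunk.
```python
try:
    html = HTML('<SCR\0IPT>alert("foo")</SCR\0IPT>')
except ParseError:
    pass  # older HTMLParser rejects the malformed tag outright
else:
    self.assertEquals('<SCR\x00IPT>alert("foo")',
                      (html | HTMLSanitizer()).render())
# … unchanged: same pattern for the '<SCRIPT&XYZ ...>' case …
```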
--- a/genshi/filters/tests/html.py
+++ b/genshi/filters/tests/html.py
@@ -437,9 +440,9 @@
# Case-insensitive protocol matching
html = HTML('<IMG SRC=\'JaVaScRiPt:alert("foo")\'>')
self.assertEquals('<img/>', (html | HTMLSanitizer()).render())
- # Grave accents (not parsed)
- self.assertRaises(ParseError, HTML,
- '<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>')
+ # Grave accents.
+ html = HTML('<IMG SRC=`javascript:alert("RSnake says, \'foo\'")`>')
+ self.assertEquals('<img/>', (html | HTMLSanitizer()).render())
# Protocol encoded using UTF-8 numeric entities
html = HTML('<IMG SRC=\'javascri'
'pt:alert("foo")\'>')
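Review bot: The rewritten comment `# Grave accents.` no longer explains what the assertion checks; the old text at least said why a ParseError was expected. Since the expected `<img/>` shows the SRC attribute was dropped, state the reason, e.g. `# Grave accents are not a quote character for HTMLParser, so the value is read as an unquoted javascript: URL and stripped by the protocol check` (the exact tokenization is inferred, so confirm against the parser). If no remaining test in this file still uses `ParseError`, the import becomes unused, which cannot be seen from this hunk. The enclosing test method starts outside the hunk.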