2013-07-29 19:19:04 +02:00
|
|
|
from __future__ import unicode_literals
|
2013-04-20 13:38:14 +02:00
|
|
|
|
2015-01-28 13:35:27 +01:00
|
|
|
from django.template import Context, Template
|
2016-05-10 18:46:47 +02:00
|
|
|
from django.test import SimpleTestCase, ignore_warnings
|
2015-01-28 13:35:27 +01:00
|
|
|
from django.utils import html, six, text
|
2016-05-10 18:46:47 +02:00
|
|
|
from django.utils.deprecation import RemovedInDjango20Warning
|
2015-11-07 14:30:20 +01:00
|
|
|
from django.utils.encoding import force_bytes
|
|
|
|
from django.utils.functional import lazy, lazystr
|
2015-01-28 13:35:27 +01:00
|
|
|
from django.utils.safestring import (
|
|
|
|
EscapeData, SafeData, mark_for_escaping, mark_safe,
|
|
|
|
)
|
2013-04-20 13:38:14 +02:00
|
|
|
|
|
|
|
lazybytes = lazy(force_bytes, bytes)
|
|
|
|
|
|
|
|
|
2014-12-23 22:29:01 +01:00
|
|
|
class customescape(six.text_type):
|
|
|
|
def __html__(self):
|
|
|
|
# implement specific and obviously wrong escaping
|
|
|
|
# in order to be able to tell for sure when it runs
|
|
|
|
return self.replace('<', '<<').replace('>', '>>')
|
|
|
|
|
|
|
|
|
2015-04-17 23:38:20 +02:00
|
|
|
class SafeStringTest(SimpleTestCase):
|
2013-04-20 13:38:14 +02:00
|
|
|
def assertRenderEqual(self, tpl, expected, **context):
|
|
|
|
context = Context(context)
|
|
|
|
tpl = Template(tpl)
|
|
|
|
self.assertEqual(tpl.render(context), expected)
|
|
|
|
|
|
|
|
def test_mark_safe(self):
|
|
|
|
s = mark_safe('a&b')
|
|
|
|
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
|
|
self.assertRenderEqual('{{ s|force_escape }}', 'a&b', s=s)
|
|
|
|
|
2014-12-23 22:29:01 +01:00
|
|
|
def test_mark_safe_object_implementing_dunder_html(self):
|
|
|
|
e = customescape('<a&b>')
|
|
|
|
s = mark_safe(e)
|
|
|
|
self.assertIs(s, e)
|
|
|
|
|
|
|
|
self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
|
|
|
|
self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
|
|
|
|
|
2013-04-20 13:38:14 +02:00
|
|
|
def test_mark_safe_lazy(self):
|
|
|
|
s = lazystr('a&b')
|
|
|
|
b = lazybytes(b'a&b')
|
|
|
|
|
2014-02-05 05:16:39 +01:00
|
|
|
self.assertIsInstance(mark_safe(s), SafeData)
|
|
|
|
self.assertIsInstance(mark_safe(b), SafeData)
|
2013-04-20 13:38:14 +02:00
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=mark_safe(s))
|
|
|
|
|
2014-12-23 21:49:05 +01:00
|
|
|
def test_mark_safe_object_implementing_dunder_str(self):
|
|
|
|
class Obj(object):
|
|
|
|
def __str__(self):
|
|
|
|
return '<obj>'
|
|
|
|
|
|
|
|
s = mark_safe(Obj())
|
|
|
|
|
|
|
|
self.assertRenderEqual('{{ s }}', '<obj>', s=s)
|
|
|
|
|
2014-12-23 22:29:01 +01:00
|
|
|
def test_mark_safe_result_implements_dunder_html(self):
|
|
|
|
self.assertEqual(mark_safe('a&b').__html__(), 'a&b')
|
|
|
|
|
|
|
|
def test_mark_safe_lazy_result_implements_dunder_html(self):
|
|
|
|
self.assertEqual(mark_safe(lazystr('a&b')).__html__(), 'a&b')
|
|
|
|
|
2016-05-10 18:46:47 +02:00
|
|
|
@ignore_warnings(category=RemovedInDjango20Warning)
|
2013-04-20 13:38:14 +02:00
|
|
|
def test_mark_for_escaping(self):
|
|
|
|
s = mark_for_escaping('a&b')
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=mark_for_escaping(s))
|
|
|
|
|
2016-05-10 18:46:47 +02:00
|
|
|
@ignore_warnings(category=RemovedInDjango20Warning)
|
2014-12-23 22:29:01 +01:00
|
|
|
def test_mark_for_escaping_object_implementing_dunder_html(self):
|
|
|
|
e = customescape('<a&b>')
|
|
|
|
s = mark_for_escaping(e)
|
|
|
|
self.assertIs(s, e)
|
|
|
|
|
|
|
|
self.assertRenderEqual('{{ s }}', '<<a&b>>', s=s)
|
|
|
|
self.assertRenderEqual('{{ s|force_escape }}', '<a&b>', s=s)
|
|
|
|
|
2016-05-10 18:46:47 +02:00
|
|
|
@ignore_warnings(category=RemovedInDjango20Warning)
|
2013-04-20 13:38:14 +02:00
|
|
|
def test_mark_for_escaping_lazy(self):
|
|
|
|
s = lazystr('a&b')
|
|
|
|
b = lazybytes(b'a&b')
|
|
|
|
|
2014-02-05 05:16:39 +01:00
|
|
|
self.assertIsInstance(mark_for_escaping(s), EscapeData)
|
|
|
|
self.assertIsInstance(mark_for_escaping(b), EscapeData)
|
2013-04-20 13:38:14 +02:00
|
|
|
self.assertRenderEqual('{% autoescape off %}{{ s }}{% endautoescape %}', 'a&b', s=mark_for_escaping(s))
|
|
|
|
|
2016-05-10 18:46:47 +02:00
|
|
|
@ignore_warnings(category=RemovedInDjango20Warning)
|
2014-12-23 21:49:05 +01:00
|
|
|
def test_mark_for_escaping_object_implementing_dunder_str(self):
|
|
|
|
class Obj(object):
|
|
|
|
def __str__(self):
|
|
|
|
return '<obj>'
|
|
|
|
|
|
|
|
s = mark_for_escaping(Obj())
|
|
|
|
|
|
|
|
self.assertRenderEqual('{{ s }}', '<obj>', s=s)
|
|
|
|
|
2014-10-16 03:03:40 +02:00
|
|
|
def test_add_lazy_safe_text_and_safe_text(self):
|
|
|
|
s = html.escape(lazystr('a'))
|
|
|
|
s += mark_safe('&b')
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
|
|
|
|
|
|
s = html.escapejs(lazystr('a'))
|
|
|
|
s += mark_safe('&b')
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
|
|
|
|
|
|
|
s = text.slugify(lazystr('a'))
|
|
|
|
s += mark_safe('&b')
|
|
|
|
self.assertRenderEqual('{{ s }}', 'a&b', s=s)
|
2016-06-02 23:11:43 +02:00
|
|
|
|
|
|
|
def test_mark_safe_as_decorator(self):
|
|
|
|
"""
|
|
|
|
mark_safe used as a decorator leaves the result of a function
|
|
|
|
unchanged.
|
|
|
|
"""
|
|
|
|
def clean_string_provider():
|
|
|
|
return '<html><body>dummy</body></html>'
|
|
|
|
|
|
|
|
self.assertEqual(mark_safe(clean_string_provider)(), clean_string_provider())
|
|
|
|
|
|
|
|
def test_mark_safe_decorator_does_not_affect_dunder_html(self):
|
|
|
|
"""
|
|
|
|
mark_safe doesn't affect a callable that has an __html__() method.
|
|
|
|
"""
|
|
|
|
class SafeStringContainer:
|
|
|
|
def __html__(self):
|
|
|
|
return '<html></html>'
|
|
|
|
|
|
|
|
self.assertIs(mark_safe(SafeStringContainer), SafeStringContainer)
|
|
|
|
|
|
|
|
def test_mark_safe_decorator_does_not_affect_promises(self):
|
|
|
|
"""
|
|
|
|
mark_safe doesn't affect lazy strings (Promise objects).
|
|
|
|
"""
|
|
|
|
def html_str():
|
|
|
|
return '<html></html>'
|
|
|
|
|
|
|
|
lazy_str = lazy(html_str, str)()
|
|
|
|
self.assertEqual(mark_safe(lazy_str), html_str())
|