#!/usr/bin/env python
# encoding: utf-8
import unittest

import mistune
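class mytest(unittest.TestCase):
    """Option-level checks for mistune's Markdown-to-HTML rendering.

    The cases cover HTML escaping, hard line breaks, URL handling in links
    and images, XHTML output and the inline/block HTML parsing switches.
    """

    def testRender(self):
        """Placeholder that always passes; it does not call mistune."""
        self.assertEqual(False, False, 'Unit Test Start')

    def test_escape(self):
        """With escape=True, raw HTML in the input is entity-encoded."""
        # Check for the encoded form '&gt;'. A literal '>' also occurs in
        # unescaped markup, so matching it cannot demonstrate escaping.
        ret = mistune.markdown('<div>**foo**</div>', escape=True)
        self.assertIn('&gt;', ret, 'block-level tag was not escaped')

        ret = mistune.markdown('this **foo** is <b>bold</b>', escape=True)
        self.assertIn('&gt;', ret, 'inline tag was not escaped')

    def test_linebreak(self):
        """A newline yields <br> only when hard_wrap is enabled."""
        # assertNotIn checks containment; assertIsNot would only compare
        # object identity and could never fail here.
        ret = mistune.markdown('this **foo** \nis me')
        self.assertNotIn('<br>', ret, 'unexpected <br> without hard_wrap')

        ret = mistune.markdown('this **foo** \nis me', hard_wrap=True)
        self.assertIn('<br>', ret, 'missing <br> with hard_wrap=True')

    def test_safe_links(self):
        """Hostile URLs in links and images are emptied or entity-encoded.

        Each case pairs a URL with the attribute value the rendered HTML is
        expected to carry: an empty string for the script and data schemes,
        otherwise the entity-encoded text of the URL.
        """
        attack_vectors = (
            # "standard" javascript pseudo protocol
            ('javascript:alert`1`', ''),
            # bypass attempt
            ('jAvAsCrIpT:alert`1`', ''),
            # javascript pseudo protocol with entities; the expected output
            # re-encodes the '&' instead of passing the entity through
            ('javascript&colon;alert`1`', 'javascript&amp;colon;alert`1`'),
            # javascript pseudo protocol with prefix (dangerous in Chrome)
            ('\x1Ajavascript:alert`1`', ''),
            # data-URI (dangerous in Firefox)
            ('data:text/html,<script>alert`1`</script>', ''),
            # vbscript-URI (dangerous in Internet Explorer)
            ('vbscript:msgbox', ''),
            # breaking out of the attribute; quote and angle brackets must
            # arrive encoded, never raw, inside src/href
            ('"<>', '&quot;&lt;&gt;'),
        )
        for vector, expected in attack_vectors:
            # image
            self.assertIn(
                'src="%s"' % expected,
                mistune.markdown('![atk](%s)' % vector),
                'image src not neutralised for %r' % (vector,),
            )
            # link
            self.assertIn(
                'href="%s"' % expected,
                mistune.markdown('[atk](%s)' % vector),
                'link href not neutralised for %r' % (vector,),
            )

    def test_skip_style(self):
        """skip_style=True drops a <style> block from the output."""
        ret = mistune.markdown(
            'foo\n<style>body{color:red}</style>', skip_style=True
        )
        self.assertEqual(ret, '<p>foo</p>\n', '<style> block was not skipped')

    def test_use_xhtml(self):
        """use_xhtml=True makes void elements self-closing."""
        ret = mistune.markdown('foo\n\n----\n\nbar')
        self.assertIn('<hr>', ret, 'default output should use <hr>')
        ret = mistune.markdown('foo\n\n----\n\nbar', use_xhtml=True)
        self.assertIn('<hr />', ret, 'XHTML output should use <hr />')

        ret = mistune.markdown('foo  \nbar', use_xhtml=True)
        self.assertIn('<br />', ret, 'XHTML output should use <br />')

        ret = mistune.markdown('![foo](bar "title")', use_xhtml=True)
        self.assertIn(
            '<img src="bar" alt="foo" title="title" />',
            ret,
            'XHTML output should self-close <img>',
        )

    def test_parse_inline_html(self):
        """parse_inline_html renders Markdown inside <span> but not <div>."""
        ret = mistune.markdown(
            '<div>**foo**</div>', parse_inline_html=True, escape=False
        )
        self.assertNotIn('<strong>', ret, 'Markdown inside <div> was rendered')
        ret = mistune.markdown(
            '<span>**foo**</span>', parse_inline_html=True, escape=False
        )
        self.assertIn(
            '<span><strong>', ret, 'Markdown inside <span> was not rendered'
        )

        ret = mistune.markdown(
            '<a>http://lepture.com</a>', parse_inline_html=True, escape=False
        )
        self.assertNotIn('href', ret, 'unexpected href in output')

    def test_parse_block_html(self):
        """parse_block_html renders Markdown inside <div> but not <span>."""
        ret = mistune.markdown(
            '<div>**foo**</div>', parse_block_html=True, escape=False
        )
        self.assertIn(
            '<div><strong>', ret, 'Markdown inside <div> was not rendered'
        )
        ret = mistune.markdown(
            '<span>**foo**</span>', parse_block_html=True, escape=False
        )
        self.assertNotIn('<strong>', ret, 'Markdown inside <span> was rendered')

    def test_trigger_more_cases(self):
        """Render a footnote defined twice through a configured Markdown."""
        markdown = mistune.Markdown(
            inline=mistune.InlineLexer,
            block=mistune.BlockLexer,
            skip_html=True
        )
        ret = markdown.render('foo[^foo]\n\n[^foo]: foo\n\n[^foo]: bar\n')
        self.assertIn('bar', ret, "'bar' missing from rendered output")

    def test_not_escape_block_tags(self):
        """With escape=False a block-level tag passes through unchanged."""
        text = '<h1>heading</h1> text'
        self.assertIn(
            text,
            mistune.markdown(text, escape=False),
            'block tag was altered with escape=False',
        )

    def test_not_escape_inline_tags(self):
        """With escape=False an inline tag passes through unchanged."""
        text = '<a name="top"></a>'
        self.assertIn(
            text,
            mistune.markdown(text, escape=False),
            'inline tag was altered with escape=False',
        )

    def test_hard_wrap_renderer(self):
        """hard_wrap set on the Renderer turns a plain newline into <br>."""
        text = 'foo\nnewline'
        renderer = mistune.Renderer(hard_wrap=True)
        func = mistune.Markdown(renderer=renderer)
        self.assertIn('<br>', func(text), 'missing <br> with hard_wrap renderer')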
# Run the whole suite when this file is executed as a script.
if __name__ == "__main__":
    unittest.main()