import mistune |
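def test_escape():
    """With ``escape=True`` raw HTML must be entity-encoded, not emitted as markup."""
    # Block-level HTML. The check looks for the '&gt;' entity rather than a
    # bare '>': every rendered document already contains '>' from its own
    # tags, so a bare '>' check would pass even with escaping switched off.
    ret = mistune.markdown('<div>**foo**</div>', escape=True)
    assert '&gt;' in ret
    # The raw opening tag must not survive into the output.
    assert '<div>' not in ret

    # Inline HTML embedded in ordinary Markdown text.
    ret = mistune.markdown('this **foo** is <b>bold</b>', escape=True)
    assert '&gt;' in ret
    assert '<b>' not in ret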
def test_linebreak():
    """A single trailing space yields ``<br>`` only when ``hard_wrap`` is on."""
    source = 'this **foo** \nis me'

    # Default rendering: the newline is not turned into a line break.
    default_html = mistune.markdown(source)
    assert '<br>' not in default_html

    # Same input with hard_wrap enabled: the newline becomes <br>.
    wrapped_html = mistune.markdown(source, hard_wrap=True)
    assert '<br>' in wrapped_html
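def test_safe_links():
    """Link and image URLs with script-capable schemes must be neutralised.

    Each pair is (URL as written in the Markdown source, value expected
    inside the rendered href/src attribute). An empty expected value means
    the URL was dropped from the attribute.
    """
    attack_vectors = (
        # "standard" javascript pseudo protocol
        ('javascript:alert`1`', ''),
        # bypass attempt
        ('jAvAsCrIpT:alert`1`', ''),
        # javascript pseudo protocol with entities: the input carries the
        # literal entity text, and the expected output has its '&' encoded
        # as '&amp;'. Written with the entity already decoded, this row
        # would duplicate the first vector while expecting a different
        # result.
        ('javascript&colon;alert`1`', 'javascript&amp;colon;alert`1`'),
        # javascript pseudo protocol with prefix (dangerous in Chrome)
        ('\x1Ajavascript:alert`1`', ''),
        # data-URI (dangerous in Firefox)
        ('data:text/html,<script>alert`1`</script>', ''),
        # vbscript-URI (dangerous in Internet Explorer)
        ('vbscript:msgbox', ''),
        # breaking out of the attribute: quote and angle brackets must come
        # back entity-encoded. Expecting them raw would assert that the
        # attribute value can be terminated early.
        ('"<>', '&quot;&lt;&gt;'),
    )
    for vector, expected in attack_vectors:
        # image
        assert 'src="%s"' % expected in mistune.markdown('![atk](%s)' % vector)
        # link
        assert 'href="%s"' % expected in mistune.markdown('[atk](%s)' % vector)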
def test_skip_style():
    """``skip_style=True`` leaves only the paragraph when a ``<style>`` block follows it."""
    source = 'foo\n<style>body{color:red}</style>'
    rendered = mistune.markdown(source, skip_style=True)
    # Exact match: nothing from the <style> element may remain in the output.
    assert rendered == '<p>foo</p>\n'
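def test_use_xhtml():
    """``use_xhtml=True`` switches void elements to their self-closing form."""
    # Horizontal rule: plain HTML by default, self-closing with use_xhtml.
    ret = mistune.markdown('foo\n\n----\n\nbar')
    assert '<hr>' in ret
    ret = mistune.markdown('foo\n\n----\n\nbar', use_xhtml=True)
    assert '<hr />' in ret

    # Hard line break. Two trailing spaces are needed here: hard_wrap is not
    # set, and test_linebreak in this file asserts that a single trailing
    # space produces no <br> by default.
    ret = mistune.markdown('foo  \nbar', use_xhtml=True)
    assert '<br />' in ret

    # Image with a title attribute.
    ret = mistune.markdown('![foo](bar "title")', use_xhtml=True)
    assert '<img src="bar" alt="foo" title="title" />' in ret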
def test_parse_inline_html():
    """Check which tags get their content rendered under ``parse_inline_html``."""
    options = {'parse_inline_html': True, 'escape': False}

    # Markdown inside a <div> is not rendered by this option.
    div_html = mistune.markdown('<div>**foo**</div>', **options)
    assert '<strong>' not in div_html

    # Markdown inside a <span> is rendered.
    span_html = mistune.markdown('<span>**foo**</span>', **options)
    assert '<span><strong>' in span_html

    # A bare URL inside an existing <a> element gains no href.
    anchor_html = mistune.markdown('<a>http://lepture.com</a>', **options)
    assert 'href' not in anchor_html
def test_parse_block_html():
    """Check which tags get their content rendered under ``parse_block_html``."""
    options = {'parse_block_html': True, 'escape': False}

    # Markdown inside a <div> is rendered.
    div_html = mistune.markdown('<div>**foo**</div>', **options)
    assert '<div><strong>' in div_html

    # Markdown inside a <span> is not rendered by this option.
    span_html = mistune.markdown('<span>**foo**</span>', **options)
    assert '<strong>' not in span_html
def test_trigger_more_cases():
    """Build ``Markdown`` from lexer classes and render a footnote defined twice."""
    lexers = {'inline': mistune.InlineLexer, 'block': mistune.BlockLexer}
    md = mistune.Markdown(skip_html=True, **lexers)

    rendered = md.render('foo[^foo]\n\n[^foo]: foo\n\n[^foo]: bar\n')
    # The text of the second [^foo] definition must not appear in the output.
    assert 'bar' not in rendered
def test_not_escape_block_tags():
    """With ``escape=False`` a block-level tag appears verbatim in the output."""
    raw_html = '<h1>heading</h1> text'
    # escape=False emits author-supplied HTML unchanged, so input from an
    # untrusted source has to be sanitised by the caller.
    rendered = mistune.markdown(raw_html, escape=False)
    assert raw_html in rendered
def test_not_escape_inline_tags():
    """With ``escape=False`` an inline tag and its attribute appear verbatim."""
    raw_html = '<a name="top"></a>'
    # The quoted attribute value must come through without entity encoding.
    rendered = mistune.markdown(raw_html, escape=False)
    assert raw_html in rendered
def test_hard_wrap_renderer():
    """``hard_wrap`` set on the ``Renderer`` turns a plain newline into ``<br>``."""
    hard_wrap_renderer = mistune.Renderer(hard_wrap=True)
    render = mistune.Markdown(renderer=hard_wrap_renderer)

    # The option is passed to the renderer here, not to mistune.markdown().
    output = render('foo\nnewline')
    assert '<br>' in output