@@ -299,18 +299,24 @@ def test_render_idn(self):
299299 w = widgets .AdminURLFieldWidget ()
300300 self .assertHTMLEqual (
301301 conditional_escape (w .render ('test' , 'http://example-äüö.com' )),
302- '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
302+ '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com" /></p>'
303303 )
304304
305305 def test_render_quoting (self ):
306+ # WARNING: Don't use assertHTMLEqual in that testcase!
307+ # assertHTMLEqual will get rid of some escapes which are tested here!
306308 w = widgets .AdminURLFieldWidget ()
307- self .assertHTMLEqual (
308- conditional_escape ( w .render ('test' , 'http://example.com/<sometag>some text</sometag>' ) ),
309- '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="text" value="http://example.com/< sometag> some text< /sometag> " /></p>'
309+ self .assertEqual (
310+ w .render ('test' , 'http://example.com/<sometag>some text</sometag>' ),
311+ '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="text" value="http://example.com/< sometag> some text< /sometag> " /></p>'
310312 )
311- self .assertHTMLEqual (
312- conditional_escape (w .render ('test' , 'http://example-äüö.com/<sometag>some text</sometag>' )),
313- '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="text" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
313+ self .assertEqual (
314+ w .render ('test' , 'http://example-äüö.com/<sometag>some text</sometag>' ),
315+ '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="text" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
316+ )
317+ self .assertEqual (
318+ w .render ('test' , 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"' ),
319+ '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="text" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>'
314320 )
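Review bot: Dropping `conditional_escape(...)` from the three new `assertEqual` calls in `test_render_quoting` loses the check that `render()` returns a string already marked safe; comparing the raw string only pins the escaped characters, so a regression that returned a plain `str` with correct escapes would still pass here but would be double-escaped by an autoescaping template. Since `conditional_escape` is the identity on safe strings and does not normalize entities the way `assertHTMLEqual` does, it can stay inside the exact comparison, `self.assertEqual(conditional_escape(w.render('test', url)), expected)`, or the type can be pinned separately with `self.assertIsInstance(w.render('test', url), SafeData)`. As shown on this page the expected strings contain a literal `<script>` and `< sometag>` inside the `value` attribute, which looks like the page's entity rendering rather than the test's real expectation (the committed strings presumably hold `&lt;`/`&gt;`/`&quot;`), so confirm the assertions do expect the escaped form. The new cases exercise markup injection in the path component; a `javascript:`-scheme value is not covered, and whether that belongs to the widget or to the field's validator is outside this hunk. `test_render_quoting` ends at the hunk's last line, but the enclosing test class starts outside it.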
315321
316322