@@ -321,18 +321,24 @@ def test_render_idn(self):
321321 w = widgets .AdminURLFieldWidget ()
322322 self .assertHTMLEqual (
323323 conditional_escape (w .render ('test' , 'http://example-äüö.com' )),
324- '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>'
324+ '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com">http://example-äüö.com</a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com" /></p>'
325325 )
326326
327327 def test_render_quoting (self ):
328+ # WARNING: Don't use assertHTMLEqual in that testcase!
329+ # assertHTMLEqual will get rid of some escapes which are tested here!
328330 w = widgets .AdminURLFieldWidget ()
329- self .assertHTMLEqual (
330- conditional_escape ( w .render ('test' , 'http://example.com/<sometag>some text</sometag>' ) ),
331- '<p class="url">Currently:<a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example.com/< sometag> some text< /sometag> " /></p>'
331+ self .assertEqual (
332+ w .render ('test' , 'http://example.com/<sometag>some text</sometag>' ),
333+ '<p class="url">Currently: <a href="http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example.com/< sometag> some text< /sometag> " /></p>'
332334 )
333- self .assertHTMLEqual (
334- conditional_escape (w .render ('test' , 'http://example-äüö.com/<sometag>some text</sometag>' )),
335- '<p class="url">Currently:<a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change:<input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
335+ self .assertEqual (
336+ w .render ('test' , 'http://example-äüö.com/<sometag>some text</sometag>' ),
337+ '<p class="url">Currently: <a href="http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E">http://example-äüö.com/<sometag>some text</sometag></a><br />Change: <input class="vURLField" name="test" type="url" value="http://example-äüö.com/<sometag>some text</sometag>" /></p>'
338+ )
339+ self .assertEqual (
340+ w .render ('test' , 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"' ),
341+ '<p class="url">Currently: <a href="http://www.example.com/%C3%A4%22%3E%3Cscript%3Ealert(%22XSS!%22)%3C/script%3E%22">http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"</a><br />Change: <input class="vURLField" name="test" type="url" value="http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"" /></p>'
336342 )
337343
338344
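Review bot: The expected strings in test_render_quoting show the payload with entities decoded inside the `value` attribute at line 341 (`value="http://www.example.com/%C3%A4"><script>...`), which on this rendered page may simply be the forge unescaping `&lt;`/`&quot;`; if the source file literally contains `"><script>` there, the assertion is pinning the unescaped output rather than guarding against it, so it is worth checking the raw file before merging. The header comment also gives only "some escapes" as the reason for assertEqual; I would make it concrete: `# assertHTMLEqual normalizes entities and attribute values, so it cannot tell an escaped &lt;script&gt; from a live <script> tag - exactly what this test checks. Compare the raw string with assertEqual.` A one-line comment before the third assertEqual noting that the href is expected to be percent-encoded (`%22%3E%3Cscript%3E`) while the link text and the input value rely on HTML escaping would help readers understand why the same URL appears in three different encodings. The first lines of the hunk belong to test_render_idn, whose body begins outside the hunk.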