Hello {{ name }}!
{% endmacro %}' + '{{ say_hello("") }}') + escaped_out = 'Hello <blink>foo</blink>!
'
+ assert t.render() == escaped_out
+ assert unicode(t.module) == escaped_out
+ assert escape(t.module) == escaped_out
+ assert t.module.say_hello('') == escaped_out
+ assert escape(t.module.say_hello('')) == escaped_out
+
+
+ def test_attr_filter(self):
+ env = SandboxedEnvironment()
+ tmpl = env.from_string('{{ 42|attr("__class__")|attr("__subclasses__")() }}')
+ self.assert_raises(SecurityError, tmpl.render)
+
+
+def suite():
+ suite = unittest.TestSuite()
+ suite.addTest(unittest.makeSuite(SandboxTestCase))
+ return suite
diff --git a/setup.py b/setup.py
index f69fecc7c..3125599f1 100644
--- a/setup.py
+++ b/setup.py
@@ -76,7 +76,7 @@
 'Topic :: Software Development :: Libraries :: Python Modules',
 'Topic :: Text Processing :: Markup :: HTML'
 ],
- packages=['jinja2', 'jinja2.testsuite'],
+ packages=['jinja2', 'jinja2.testsuite', 'jinja2.testsuite.res'],
 features={
 'speedups': Feature("optional C speed-enhancements",
 standard=False,
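Review bot: Adding `'jinja2.testsuite.res'` to `packages=` installs only that package's `.py` modules. If it holds non-Python test fixtures, as the name suggests, they are not shipped unless `include_package_data=True` or a `package_data={'jinja2.testsuite.res': ['<fixture glob>']}` entry covers them. In that case the test suite, including the sandbox checks added in this commit, could pass from a source checkout but fail or skip once installed. The rest of the `setup()` call is outside this hunk, so this may already be handled there; it is worth confirming by running the suite against an installed sdist.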