import re
from django.forms import CharField, Form, Media
from django.http import HttpRequest, HttpResponse
from django.middleware.csrf import (
CSRF_TOKEN_LENGTH,
CsrfViewMiddleware,_unmask_cipher_token,get_token,)from django.template import TemplateDoesNotExist, TemplateSyntaxError
from django.template.backends.dummy import TemplateStrings
from django.test import SimpleTestCase
class TemplateStringsTests(SimpleTestCase):
engine_class = TemplateStringsbackend_name = "dummy"
options = {}@classmethod
def setUpClass(cls):
super().setUpClass()
params = {"DIRS": [],
"APP_DIRS": True,
"NAME": cls.backend_name,
"OPTIONS": cls.options,
}cls.engine = cls.engine_class(params)
def test_from_string(self):
template = self.engine.from_string("Hello!\n")
content = template.render()
self.assertEqual(content, "Hello!\n")
def test_get_template(self):
template = self.engine.get_template("template_backends/hello.html")
content = template.render({"name": "world"})
self.assertEqual(content, "Hello world!\n")
def test_get_template_nonexistent(self):
with self.assertRaises(TemplateDoesNotExist) as e:
self.engine.get_template("template_backends/nonexistent.html")
self.assertEqual(e.exception.backend, self.engine)
def test_get_template_syntax_error(self):
# There's no way to trigger a syntax error with the dummy backend.
# The test still lives here to factor it between other backends.
if self.backend_name == "dummy":
self.skipTest("test doesn't apply to dummy backend")
with self.assertRaises(TemplateSyntaxError):
self.engine.get_template("template_backends/syntax_error.html")
def test_html_escaping(self):
template = self.engine.get_template("template_backends/hello.html")
context = {"name": '<script>alert("XSS!");</script>'}
content = template.render(context)
self.assertIn("<script>", content)
self.assertNotIn("<script>", content)
def test_django_html_escaping(self):
if self.backend_name == "dummy":
self.skipTest("test doesn't apply to dummy backend")
class TestForm(Form):
test_field = CharField()
media = Media(js=["my-script.js"])
form = TestForm()
template = self.engine.get_template("template_backends/django_escaping.html")
content = template.render({"media": media, "test_form": form})
expected = "{}\n\n{}\n\n{}".format(media, form, form["test_field"])
self.assertHTMLEqual(content, expected)
def check_tokens_equivalent(self, token1, token2):
self.assertEqual(len(token1), CSRF_TOKEN_LENGTH)
self.assertEqual(len(token2), CSRF_TOKEN_LENGTH)
token1, token2 = map(_unmask_cipher_token, (token1, token2))
self.assertEqual(token1, token2)
def test_csrf_token(self):
request = HttpRequest()
CsrfViewMiddleware(lambda req: HttpResponse()).process_view(
request, lambda r: None, (), {}
)template = self.engine.get_template("template_backends/csrf.html")
content = template.render(request=request)
expected = '<input type="hidden" name="csrfmiddlewaretoken" value="([^"]+)">'
match = re.match(expected, content) or re.match(
expected.replace('"', "'"), content
)self.assertTrue(match, "hidden csrftoken field not found in output")
self.check_tokens_equivalent(match[1], get_token(request))
def test_no_directory_traversal(self):
with self.assertRaises(TemplateDoesNotExist):
self.engine.get_template("../forbidden/template_backends/hello.html")
def test_non_ascii_characters(self):
template = self.engine.get_template("template_backends/hello.html")
content = template.render({"name": "Jérôme"})
self.assertEqual(content, "Hello Jérôme!\n")