Add one more test that proves safe use of mark_safe

See #175
Klaas van Schelven
2025-07-30 12:37:27 +02:00
parent 9d110bb0d3
commit 462a3169cd
2 changed files with 25 additions and 2 deletions


@@ -256,7 +256,7 @@ def incomplete(value):
def _date_with_milis_html(timestamp): def _date_with_milis_html(timestamp):
# no_bandit_expl: constant string w/ substitution of dates/milis (escaped even) # no_bandit_expl: constant string w/ substitution of dates/milis (escaped even), see also TimestampWithMillisTagTest
return ( return (
mark_safe('<span class="whitespace-nowrap">') + # nosec mark_safe('<span class="whitespace-nowrap">') + # nosec
escape(date(timestamp, "j M G:i:s")) + mark_safe(".") + # nosec escape(date(timestamp, "j M G:i:s")) + mark_safe(".") + # nosec


@@ -1,11 +1,13 @@
from unittest import TestCase as RegularTestCase from unittest import TestCase as RegularTestCase
from django.utils.safestring import SafeString from django.utils.safestring import SafeString
from django.utils.html import conditional_escape
from bugsink.pygments_extensions import choose_lexer_for_pattern, get_all_lexers from bugsink.pygments_extensions import choose_lexer_for_pattern, get_all_lexers
from events.utils import IncompleteList, IncompleteDict from events.utils import IncompleteList, IncompleteDict
from .templatetags.issues import _pygmentize_lines as actual_pygmentize_lines, format_var, pygmentize from .templatetags.issues import (
_pygmentize_lines as actual_pygmentize_lines, format_var, pygmentize, timestamp_with_millis)
def _pygmentize_lines(lines): def _pygmentize_lines(lines):
@@ -173,3 +175,24 @@ class TestPygmentizeEscapeMarkSafe(RegularTestCase):
# pygmentize does" is not very useful, as it may change in the future. # pygmentize does" is not very useful, as it may change in the future.
self.assertFalse("<script>" in line) self.assertFalse("<script>" in line)
self.assertFalse("</script>" in line) self.assertFalse("</script>" in line)
class TimestampWithMillisTagTest(RegularTestCase):
def test_float_input_produces_expected_safe_string(self):
ts = 1620130245.1234
self.assertEqual(
'<span class="whitespace-nowrap">4 May 12:10:45.<span class="text-xs">123</span></span>',
timestamp_with_millis(ts))
self.assertTrue(isinstance(timestamp_with_millis(ts), SafeString))
def test_timestamp_with_milis_is_not_a_target_for_html_injection(self):
# even though the string input is returned as-is for this case, the tag will not mark it as safe in the process.
ts = "<script>alert('hello');</script>"
self.assertEqual(
'&lt;script&gt;alert(&#x27;hello&#x27;);&lt;/script&gt;',
conditional_escape(timestamp_with_millis(ts)))
self.assertFalse(isinstance(timestamp_with_millis(ts), SafeString))
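Review bot: The expected string in test_float_input_produces_expected_safe_string pins the wall-clock time `12:10:45` for epoch 1620130245.1234, which is 12:10:45 in UTC; if timestamp_with_millis renders through Django's date() using the configured TIME_ZONE (its body is not visible here), this assertion depends on a UTC setting and will fail under another zone, so either pin it with `@override_settings(TIME_ZONE="UTC")` or add a one-line comment stating the assumption. In test_timestamp_with_milis_is_not_a_target_for_html_injection the comment says the string input is returned as-is, but nothing asserts that; adding `self.assertEqual(ts, timestamp_with_millis(ts))` makes the claim explicit, and `self.assertNotIsInstance(timestamp_with_millis(ts), SafeString)` (and `assertIsInstance` in the first test) gives clearer failure output than wrapping isinstance in assertFalse/assertTrue. The new method name spells "milis" while the tag under test is "millis"; aligning the spelling avoids confusion when grepping. The first three lines of this hunk belong to TestPygmentizeEscapeMarkSafe, whose body starts outside the hunk.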