b208f71b9b
* gnu/packages/python.scm (python-genshi, python2-genshi): New variables. * gnu/packages/patches/python-genshi-add-support-for-python-3.4-AST.patch: New file. * gnu/packages/patches/python-genshi-buildable-on-python-2.7.patch: New file. * gnu/packages/patches/python-genshi-disable-speedups-on-python-3.3.patch: New file. * gnu/packages/patches/python-genshi-fix-tests-on-python-3.5.patch: New file. * gnu/packages/patches/python-genshi-isstring-helper.patch: New file. * gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch: New file. * gnu/local.mk (dist_patch_DATA): Add them. Signed-off-by: Arun Isaac <arunisaac@systemreboot.net>
From 0769be04c3891ae5c724c6779ba13d1d0f53b4ae Mon Sep 17 00:00:00 2001
From: Simon Cross <hodgestar@gmail.com>
Date: Sun, 16 Feb 2014 18:25:17 +0000
Subject: [PATCH 01/15] Also allow stripping of unsafe script tags (Python 3.4
parses the second example as a tag whose name is script&xyz).
---
genshi/filters/tests/test_html.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/genshi/filters/tests/test_html.py b/genshi/filters/tests/test_html.py
index 0c6cfe1..45ec0da 100644
--- a/genshi/filters/tests/test_html.py
+++ b/genshi/filters/tests/test_html.py
@@ -368,12 +368,16 @@ def StyleSanitizer():
class HTMLSanitizerTestCase(unittest.TestCase):
- def assert_parse_error_or_equal(self, expected, exploit):
+ def assert_parse_error_or_equal(self, expected, exploit,
+ allow_strip=False):
try:
html = HTML(exploit)
except ParseError:
return
- self.assertEquals(expected, (html | HTMLSanitizer()).render())
+ sanitized_html = (html | HTMLSanitizer()).render()
+ if not sanitized_html and allow_strip:
+ return
+ self.assertEquals(expected, sanitized_html)
def test_sanitize_unchanged(self):
html = HTML(u'<a href="#">fo<br />o</a>')
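Review bot: The new `allow_strip` early return in `assert_parse_error_or_equal` makes the helper accept three outcomes — a ParseError, the expected escaped text, or a completely empty render — but nothing in the code says why an empty render counts as a pass, so a later reader may take it for a weakened assertion. A short docstring stating that with `allow_strip=True` an empty render (parser recognised the script element, sanitizer removed it) is accepted while any other non-empty output still fails would make the intent explicit. Note that the check is on the whole rendered output, so it only works for inputs that consist solely of the exploit markup; surrounding content would have to go into `expected` instead. `self.assertEquals` on the new line is the deprecated alias of `assertEqual`, worth switching to `self.assertEqual(expected, sanitized_html)` while the line is being touched. `test_sanitize_unchanged` continues past the end of the hunk.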
@@ -416,10 +420,12 @@ class HTMLSanitizerTestCase(unittest.TestCase):
html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>')
self.assertEquals('', (html | HTMLSanitizer()).render())
src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>'
- self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src)
+ self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src,
+ allow_strip=True)
src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>'
self.assert_parse_error_or_equal('<SCRIPT&XYZ; '
- 'SRC="http://example.com/">', src)
+ 'SRC="http://example.com/">', src,
+ allow_strip=True)
def test_sanitize_remove_onclick_attr(self):
html = HTML(u'<div onclick=\'alert("foo")\' />')
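Review bot: Both `allow_strip=True` call sites rely on a rationale that lives only in the patch subject — that Python 3.4's parser turns `<SCRIPT&XYZ ...>` into a tag named `script&xyz`, which the sanitizer then strips to an empty render; the NUL-byte case is presumably handled analogously, but the subject does not say so, so that should be confirmed. A one-line comment above each call, e.g. `# Python >= 3.4 parses this as a tag named script&xyz, which HTMLSanitizer strips`, would keep the reason next to the assertion it relaxes. The enclosing test method starts before this hunk and its name is not visible here.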
--
2.12.0