From be68c524a23498548849e0d95bf4ae19a9d28ad8 Mon Sep 17 00:00:00 2001
From: "Yury V. Zaytsev"
Date: Wed, 21 Nov 2018 16:41:03 +0100
Subject: [PATCH] Add test that verifies that HTML is correctly escaped in Browsable API views

---
 tests/test_templatetags.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/tests/test_templatetags.py b/tests/test_templatetags.py
index 5d4f6a4e3..45bfd4aeb 100644
--- a/tests/test_templatetags.py
+++ b/tests/test_templatetags.py
@@ -305,6 +305,15 @@ class URLizerTests(TestCase):
 '"foo_set": [\n "http://api/foos/1/"\n], '
 self._urlize_dict_check(data)
+ def test_template_render_with_autoescape(self):
+ """
+ Test that HTML is correctly escaped in Browsable API views.
+ """
+ template = Template("{% load rest_framework %}{{ content|urlize_quoted_links }}")
+ rendered = template.render(Context({'content': ' http://example.com'}))
+ assert rendered == '<script>alert()</script>' \ ' http://example.com'
+
 def test_template_render_with_noautoescape(self):
 """
 Test if the autoescape value is getting passed to urlize_quoted_links filter.
@@ -312,8 +321,8 @@ class URLizerTests(TestCase):
 template = Template("{% load rest_framework %}"
 "{% autoescape off %}{{ content|urlize_quoted_links }}"
 "{% endautoescape %}")
- rendered = template.render(Context({'content': '"http://example.com"'}))
- assert rendered == '"http://example.com"'
+ rendered = template.render(Context({'content': ' "http://example.com" '}))
+ assert rendered == ' "http://example.com" '
 @unittest.skipUnless(coreapi, 'coreapi is not installed')
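Review bot: In the new `test_template_render_with_autoescape`, the expected value is split across a backslash continuation, and as this page renders the hunk the `<script>` markup shows up unescaped in the expected string while the `Context` input shows only `' http://example.com'` — presumably the page decoded entities and stripped tags, so confirm in the committed file that the expected output carries the entity-escaped form (`&lt;script&gt;...`) and not raw tags, otherwise the assertion would only pass if the filter failed to escape. Implicit concatenation across a line continuation is easy to misread; wrapping the expected value in parentheses, `assert rendered == (` on one line and the two literals on the following lines, makes the comparison one obvious expression. The docstring names "Browsable API views", but what is exercised is the `urlize_quoted_links` filter under Django's default autoescaping in a bare template; `"""Render urlize_quoted_links with autoescaping on: markup in the input must be entity-escaped while the URL is still linkified."""` describes the actual check.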
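Review bot: The reworked assertion in `test_template_render_with_noautoescape` now expects the markup in `content` to come out unchanged, which is the intended contract of `{% autoescape off %}` but reads as if the test were endorsing unescaped output; a comment above the assert, `# autoescape is off here, so the filter must not escape on its own — escaping is the caller's responsibility`, records why the expectation is correct. The function's signature and docstring begin in the previous hunk, outside this one, and the docstring there could say the same in one clause. The rest of the change is a straight extension of the existing assertion and needs nothing further.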