6ec6ddea9b
Scripts with type="application/json" or "text/plain" are not executed, so we can use them to inject dynamic CSRF data, without allowing inline-script execution in Content-Security-Policy.
import re
from django.shortcuts import render
def test_base_template_with_context():
    """Render ``rest_framework/base.html`` with a request and CSRF token in context.

    The token is expected to be surfaced to the page under a ``csrfToken`` key
    (per the commit message, inside a non-executable ``<script>`` data block so
    a Content-Security-Policy need not permit inline scripts).  This test only
    checks that the supplied value appears under that key.
    """
    # An empty dict stands in for the request object; presumably nothing in
    # the template needs the real request -- TODO confirm.
    token = 'TOKEN'
    ctx = {'request': True, 'csrf_token': token}
    body = render({}, 'rest_framework/base.html', context=ctx).content.decode()
    # NOTE(review): substring match only -- this does not verify that the
    # token value is JSON-escaped by the template; confirm separately.
    assert re.search(r'"csrfToken": "TOKEN"', body) is not None
def test_base_template_with_no_context():
    """Render ``rest_framework/base.html`` with no context at all.

    The template must render without a ``request`` or ``csrf_token`` in
    context so that downstream templates can extend it freely.  With no token
    supplied, the ``csrfToken`` entry is expected to be the empty string.
    """
    response = render({}, 'rest_framework/base.html')
    rendered = response.content.decode()
    # No csrf_token was supplied, so the page cannot carry a valid one;
    # the key should still be present, just with an empty value.
    assert re.search(r'"csrfToken": ""', rendered) is not None