django-rest-framework/tests/test_templates.py
Luka Jeran 6ec6ddea9b
Avoid inline script execution for injecting CSRF token (#7016)
Scripts with type="application/json" or "text/plain" are not executed, so we can
use them to inject dynamic CSRF data, without allowing inline-script execution
in Content-Security-Policy.
2022-11-29 16:10:32 +00:00


import re
from django.shortcuts import render
def test_base_template_with_context():
    """Render ``base.html`` with a request and a CSRF token in the context.

    The token is expected to appear in the rendered page as the
    ``csrfToken`` JSON field (the commit message says the template embeds
    CSRF data in a non-executable script block rather than inline JS, so
    the assertion looks for the JSON key/value pair, not a script call).
    """
    ctx = {'request': True, 'csrf_token': 'TOKEN'}
    response = render({}, 'rest_framework/base.html', context=ctx)
    page = response.content.decode()
    # The token must be present verbatim as the JSON field value.
    assert re.search(r'"csrfToken": "TOKEN"', page)
def test_base_template_with_no_context():
    """Render ``base.html`` with no context at all.

    The template has to render without a context so that other templates
    can extend it easily.  With no ``csrf_token`` available, the page
    should still carry the ``csrfToken`` JSON field, just with an empty
    value -- i.e. no valid CSRF token is emitted in this case.
    """
    response = render({}, 'rest_framework/base.html')
    page = response.content.decode()
    # Missing token renders as an empty string, never as an unset field.
    assert re.search(r'"csrfToken": ""', page)