mirror of
https://gitlab.com/fdroid/fdroidserver.git
synced 2024-10-03 17:50:11 +02:00
lint: ban all dangerous HTML tags
* https://en.wikipedia.org/wiki/HTML_sanitization * https://asostack.com/enhance-your-google-play-store-description-with-rich-formatting-and-emojis-5f50ff354e5f
This commit is contained in:
parent
b2ca49b26c
commit
498ea5d609
@ -164,7 +164,7 @@ regex_checks = {
|
||||
_("Unnecessary leading space")),
|
||||
(re.compile(r'.*\s$'),
|
||||
_("Unnecessary trailing space")),
|
||||
(re.compile(r'.*<(iframe|link|script).*'),
|
||||
(re.compile(r'.*<(applet|base|body|button|embed|form|head|html|iframe|img|input|link|object|picture|script|source|style|svg|video).*', re.IGNORECASE),
|
||||
_("Forbidden HTML tags")),
|
||||
(re.compile(r'''.*\s+src=["']javascript:.*'''),
|
||||
_("Javascript in HTML src attributes")),
|
||||
|
@ -3,6 +3,7 @@
|
||||
# http://www.drdobbs.com/testing/unit-testing-with-python/240165163
|
||||
|
||||
import inspect
|
||||
import logging
|
||||
import optparse
|
||||
import os
|
||||
import shutil
|
||||
@ -23,6 +24,14 @@ import fdroidserver.lint
|
||||
class LintTest(unittest.TestCase):
|
||||
'''fdroidserver/lint.py'''
|
||||
|
||||
def setUp(self):
|
||||
logging.basicConfig(level=logging.INFO)
|
||||
self.basedir = os.path.join(localmodule, 'tests')
|
||||
self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles'))
|
||||
if not os.path.exists(self.tmpdir):
|
||||
os.makedirs(self.tmpdir)
|
||||
os.chdir(self.basedir)
|
||||
|
||||
def test_check_for_unsupported_metadata_files(self):
|
||||
config = dict()
|
||||
fdroidserver.common.fill_config_defaults(config)
|
||||
@ -31,8 +40,8 @@ class LintTest(unittest.TestCase):
|
||||
fdroidserver.lint.config = config
|
||||
self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files())
|
||||
|
||||
tmpdir = os.path.join(localmodule, '.testfiles')
|
||||
tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=tmpdir)
|
||||
tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
|
||||
dir=self.tmpdir)
|
||||
self.assertFalse(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
|
||||
shutil.copytree(os.path.join(localmodule, 'tests', 'metadata'),
|
||||
os.path.join(tmptestsdir, 'metadata'),
|
||||
@ -42,6 +51,24 @@ class LintTest(unittest.TestCase):
|
||||
os.path.join(tmptestsdir, 'metadata'))
|
||||
self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
|
||||
|
||||
def test_forbidden_html_tags(self):
|
||||
config = dict()
|
||||
fdroidserver.common.fill_config_defaults(config)
|
||||
fdroidserver.common.config = config
|
||||
fdroidserver.lint.config = config
|
||||
|
||||
app = {
|
||||
'Name': 'Bad App',
|
||||
'Summary': 'We pwn you',
|
||||
'Description': 'This way: <style><img src="</style><img src=x onerror=alert(1)//">',
|
||||
}
|
||||
|
||||
anywarns = False
|
||||
for warn in fdroidserver.lint.check_regexes(app):
|
||||
anywarns = True
|
||||
logging.debug(warn)
|
||||
self.assertTrue(anywarns)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
parser = optparse.OptionParser()
|
||||
|
Loading…
Reference in New Issue
Block a user