mirrors/django-components
1
0
Fork 0
mirror of https://github.com/django-components/django-components.git synced 2025-08-04 14:28:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: move slot escaping inside Slot, remve Slot.escaped, and remove render kwarg escape_slots_content (#1211)

Browse source
This commit is contained in:
Juro Oravec 2025-05-25 17:24:45 +02:00 committed by GitHub
parent 046569e16d
commit 2e08af9a13
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 76 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

29
tests/test_slots.py
View file

@ -7,6 +7,7 @@ import re
import pytest
from django.template import Context, Template, TemplateSyntaxError
from django.utils.safestring import mark_safe
from django.template.base import NodeList, TextNode
from pytest_django.asserts import assertHTMLEqual
@ -174,6 +175,30 @@ class TestSlot:
"FROM_INSIDE_SLOT_FN | SLOT_DEFAULT",
)
def test_render_slot_unsafe_content__func(self):
def slot_fn1(ctx: SlotContext):
return mark_safe("<script>alert('XSS')</script>")
def slot_fn2(ctx: SlotContext):
return "<script>alert('XSS')</script>"
slot1: Slot = Slot(slot_fn1)
slot2: Slot = Slot(slot_fn2)
rendered1 = slot1()
rendered2 = slot2()
assert rendered1 == "<script>alert('XSS')</script>"
assert rendered2 == "&lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
def test_render_slot_unsafe_content__string(self):
slot1: Slot = Slot(mark_safe("<script>alert('XSS')</script>"))
slot2: Slot = Slot("<script>alert('XSS')</script>")
rendered1 = slot1()
rendered2 = slot2()
assert rendered1 == "<script>alert('XSS')</script>"
assert rendered2 == "&lt;script&gt;alert(&#x27;XSS&#x27;)&lt;/script&gt;"
# Part of the slot caching feature - test that static content slots reuse the slot function.
# See https://github.com/django-components/django-components/issues/1164#issuecomment-2854682354
def test_slots_reuse_functions__string(self):
@ -258,9 +283,7 @@ class TestSlot:
assert callable(second_slot_func.contents)
assert second_slot_func.nodelist is None
# NOTE: Both are functions, but different, because internally we wrap the function
# to escape the results.
assert first_slot_func.contents is not second_slot_func.contents
assert first_slot_func.contents is second_slot_func.contents
# Part of the slot caching feature - test that `Slot` instances with identical function
# passed as slots reuse the slot function.