From 65bcfe0367f459348cf26a00215c93420906c3be Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20Vondru=C5=A1?= Date: Mon, 11 Dec 2017 00:39:11 +0100 Subject: [PATCH] theme: properly HTML-escape all content and test the results. --- pelican-theme/templates/archives.html | 4 +- pelican-theme/templates/article.html | 28 ++-- pelican-theme/templates/article_header.html | 2 +- pelican-theme/templates/author.html | 4 +- pelican-theme/templates/base.html | 50 ++++---- pelican-theme/templates/base_blog.html | 14 +- .../templates/base_blog_section.html | 4 +- pelican-theme/templates/category.html | 4 +- pelican-theme/templates/page.html | 26 ++-- pelican-theme/templates/pagination.html | 4 +- pelican-theme/templates/tag.html | 4 +- .../test/blog_html_escape/article-jumbo.html | 120 ++++++++++++++++++ .../test/blog_html_escape/article-jumbo.rst | 12 ++ .../test/blog_html_escape/article.html | 89 +++++++++++++ .../test/blog_html_escape/article.rst | 11 ++ .../author-and-in-author.html | 83 ++++++++++++ .../author-and-in-author2.html | 83 ++++++++++++ .../category-and-in-category.html | 83 ++++++++++++ .../category-and-in-category2.html | 83 ++++++++++++ .../test/blog_html_escape/index.html | 83 ++++++++++++ .../test/blog_html_escape/index2.html | 80 ++++++++++++ .../test/blog_html_escape/tag-and-in-tag.html | 83 ++++++++++++ .../blog_html_escape/tag-and-in-tag2.html | 83 ++++++++++++ .../test/layout_html_escape/index.html | 97 ++++++++++++++ .../test/page_html_escape/breadcrumb.html | 41 ++++++ .../test/page_html_escape/breadcrumb.rst | 4 + .../test/page_html_escape/content.html | 46 +++++++ .../test/page_html_escape/content.rst | 7 + .../test/page_html_escape/landing.html | 54 ++++++++ .../test/page_html_escape/landing.rst | 12 ++ pelican-theme/test/page_html_escape/page.html | 60 +++++++++ pelican-theme/test/page_html_escape/page.rst | 10 ++ pelican-theme/test/test_blog.py | 31 +++++ pelican-theme/test/test_layout.py | 39 ++++++ pelican-theme/test/test_page.py | 39 ++++++ 35 files changed, 1405 insertions(+), 72 deletions(-) create mode 100644 pelican-theme/test/blog_html_escape/article-jumbo.html create mode 100644 pelican-theme/test/blog_html_escape/article-jumbo.rst create mode 100644 pelican-theme/test/blog_html_escape/article.html create mode 100644 pelican-theme/test/blog_html_escape/article.rst create mode 100644 pelican-theme/test/blog_html_escape/author-and-in-author.html create mode 100644 pelican-theme/test/blog_html_escape/author-and-in-author2.html create mode 100644 pelican-theme/test/blog_html_escape/category-and-in-category.html create mode 100644 pelican-theme/test/blog_html_escape/category-and-in-category2.html create mode 100644 pelican-theme/test/blog_html_escape/index.html create mode 100644 pelican-theme/test/blog_html_escape/index2.html create mode 100644 pelican-theme/test/blog_html_escape/tag-and-in-tag.html create mode 100644 pelican-theme/test/blog_html_escape/tag-and-in-tag2.html create mode 100644 pelican-theme/test/layout_html_escape/index.html create mode 100644 pelican-theme/test/page_html_escape/breadcrumb.html create mode 100644 pelican-theme/test/page_html_escape/breadcrumb.rst create mode 100644 pelican-theme/test/page_html_escape/content.html create mode 100644 pelican-theme/test/page_html_escape/content.rst create mode 100644 pelican-theme/test/page_html_escape/landing.html create mode 100644 pelican-theme/test/page_html_escape/landing.rst create mode 100644 pelican-theme/test/page_html_escape/page.html create mode 100644 pelican-theme/test/page_html_escape/page.rst diff --git a/pelican-theme/templates/archives.html b/pelican-theme/templates/archives.html index bcafc4ec..41b76109 100644 --- a/pelican-theme/templates/archives.html +++ b/pelican-theme/templates/archives.html @@ -2,10 +2,10 @@ {% block head_links %} {% if articles_page and articles_page.has_previous() %} - + {% endif %} {% if articles_page and articles_page.has_next() %} - + {% endif %} {% endblock head_links %} diff --git a/pelican-theme/templates/article.html b/pelican-theme/templates/article.html index 03bcc708..49b4b221 100644 --- a/pelican-theme/templates/article.html +++ b/pelican-theme/templates/article.html @@ -1,25 +1,25 @@ {% extends "base_blog.html" %} -{% block title %}{{ article.title }} | {{ M_BLOG_NAME }}{% endblock %} +{% block title %}{{ article.title }} | {{ M_BLOG_NAME|e }}{% endblock %} {% block head %} {{- super() -}} {% if article.description %} - + {% endif %} - + - - + + {% if article.summary %} - - + + {% endif %} {% if article.cover %} - + - + {% else %} {% endif %} @@ -28,21 +28,21 @@ {% block content %} {% if article.cover %} -
+
-
+
-
{{ article.locale_date }}
+
{{ article.locale_date|e }}
{% if article.authors %} -
{% for author in article.authors %}{{ author }}{% endfor %}
+
{% for author in article.authors %}{{ author|e }}{% endfor %}
{% endif %}
{% set title = article.title.split(' — ') %} -

{{ title[0] }}

+

{{ title[0] }}

{% if title|length >= 2 %}

{{ title[1] }}

{% endif %} diff --git a/pelican-theme/templates/article_header.html b/pelican-theme/templates/article_header.html index ba5d7847..610762ad 100644 --- a/pelican-theme/templates/article_header.html +++ b/pelican-theme/templates/article_header.html @@ -1,5 +1,5 @@
-

+

- Showing only posts by {{ author }}. Show all posts. + Showing only posts by {{ author|e }}. Show all posts.
{% endblock %} diff --git a/pelican-theme/templates/base.html b/pelican-theme/templates/base.html index 70042623..97a2bc06 100644 --- a/pelican-theme/templates/base.html +++ b/pelican-theme/templates/base.html @@ -3,17 +3,17 @@ {% block head %} - {% block title %}{{ SITENAME }}{% endblock title %} + {% block title %}{{ SITENAME|e }}{% endblock title %} {% for href in M_CSS_FILES %} {% endfor %} {% block head_links %} {% endblock head_links %} {% if FEED_ALL_ATOM_URL %} - + {% endif %} {% if CATEGORY_FEED_ATOM_URL and category %} - + {% endif %} {% if M_THEME_COLOR %} @@ -26,8 +26,8 @@
- {%- if M_SITE_LOGO %}{% endif -%} - {{- M_SITE_LOGO_TEXT or SITENAME -}} + {%- if M_SITE_LOGO %}{% endif -%} + {{- (M_SITE_LOGO_TEXT or SITENAME)|e -}} {% if M_LINKS_NAVBAR1 or M_LINKS_NAVBAR2 %} @@ -37,13 +37,13 @@
    {% for title, link, slug, sub in M_LINKS_NAVBAR1 %} {% if not sub %} -
  1. {{ title }}
    2. +
  2. {{ title|e }}
    3. {% else %}
  3. - {{ title }} + {{ title|e }}
      {% for title, link, slug in sub %} -
    1. {{ title }}
      2. +
    2. {{ title|e }}
      3. {% endfor %}
    4. @@ -55,13 +55,13 @@
      {% for title, link, slug, sub in M_LINKS_NAVBAR2 %} {% if not sub %} -
    1. {{ title }}
      2. +
    2. {{ title|e }}
      3. {% else %}
    3. - {{ title }} + {{ title|e }}
        {% for title, link, slug in sub %} -
      1. {{ title }}
        2. +
      2. {{ title|e }}
        3. {% endfor %}
      4. @@ -87,13 +87,13 @@
      {% if M_LINKS_FOOTER1 %}

      - {%- if M_LINKS_FOOTER1[0][1] %}{% endif %} - {{- M_LINKS_FOOTER1[0][0] -}} + {%- if M_LINKS_FOOTER1[0][1] %}{% endif %} + {{- M_LINKS_FOOTER1[0][0]|e -}} {% if M_LINKS_FOOTER1[0][1] -%}{% endif -%}

        {% for title, link in M_LINKS_FOOTER1 %}{% if loop.index0 != 0 %} -
      • {% if title %}{{ title }}{% else %} {% endif %}
        • +
      • {% if title %}{{ title|e }}{% else %} {% endif %}
        • {% endif %}{% endfor %}
      {% endif %} @@ -101,13 +101,13 @@
      {% if M_LINKS_FOOTER2 %}

      - {%- if M_LINKS_FOOTER2[0][1] %}{% endif %} - {{- M_LINKS_FOOTER2[0][0] -}} + {%- if M_LINKS_FOOTER2[0][1] %}{% endif %} + {{- M_LINKS_FOOTER2[0][0]|e -}} {% if M_LINKS_FOOTER2[0][1] %}{% endif -%}

        {% for title, link in M_LINKS_FOOTER2 %}{% if loop.index0 != 0 %} -
      • {% if title %}{{ title }}{% else %} {% endif %}
        • +
      • {% if title %}{{ title|e }}{% else %} {% endif %}
        • {% endif %}{% endfor %}
      {% endif %} @@ -116,13 +116,13 @@
      {% if M_LINKS_FOOTER3 %}

      - {%- if M_LINKS_FOOTER3[0][1] %}{% endif %} - {{- M_LINKS_FOOTER3[0][0] -}} + {%- if M_LINKS_FOOTER3[0][1] %}{% endif %} + {{- M_LINKS_FOOTER3[0][0]|e -}} {% if M_LINKS_FOOTER3[0][1] %}{% endif -%}

        {% for title, link in M_LINKS_FOOTER3 %}{% if loop.index0 != 0 %} -
      • {% if title %}{{ title }}{% else %} {% endif %}
        • +
      • {% if title %}{{ title|e }}{% else %} {% endif %}
        • {% endif %}{% endfor %}
      {% endif %} @@ -130,20 +130,20 @@
      {% if M_LINKS_FOOTER4 %}

      - {%- if M_LINKS_FOOTER4[0][1] %}{% endif %} - {{- M_LINKS_FOOTER4[0][0] -}} + {%- if M_LINKS_FOOTER4[0][1] %}{% endif %} + {{- M_LINKS_FOOTER4[0][0]|e -}} {% if M_LINKS_FOOTER4[0][1] %}{% endif -%}

        {% for title, link in M_LINKS_FOOTER4 %}{% if loop.index0 != 0 %} -
      • {% if title %}{{ title }}{% else %} {% endif %}
        • +
      • {% if title %}{{ title|e }}{% else %} {% endif %}
        • {% endif %}{% endfor %}
      {% elif M_LINKS_FOOTER4 is not defined %} -

      Blog

      +

      Blog

      {% endif %} diff --git a/pelican-theme/templates/base_blog.html b/pelican-theme/templates/base_blog.html index c8672696..81649628 100644 --- a/pelican-theme/templates/base_blog.html +++ b/pelican-theme/templates/base_blog.html @@ -2,7 +2,7 @@ {% if not M_BLOG_NAME %}{% set M_BLOG_NAME = SITENAME %}{% endif %} {% extends 'base.html' %} -{% block title %}{{ M_BLOG_NAME }}{% endblock %} +{% block title %}{{ M_BLOG_NAME|e }}{% endblock %} {% block main %} {% if article and article.cover %} @@ -19,7 +19,7 @@

      {{ "Categories"|hyphenate(lang='en') }}

        {% for cat, null in categories %} -
      1. {{ cat }}
        2. +
      2. {{ cat|e }}
        3. {% endfor %}
      @@ -28,7 +28,7 @@

      {{ "Authors"|hyphenate(lang='en') }}

        {% for author, null in authors %} -
      1. {{ author }}
        2. +
      2. {{ author|e }}
        3. {% endfor %}
      @@ -39,7 +39,7 @@
        {% set max_articles_per_tag = tags|map(attribute='1')|map('length')|sort|last %} {% for tag, articles in tags|sort(attribute='0') %} -
      • {{ tag }}
        • +
      • {{ tag|e }}
        • {% endfor %}
      @@ -54,14 +54,14 @@
    4. (none yet)
      5. {% endif %} {% for cat, null in categories %} -
    5. {{ cat|hyphenate }}
      6. +
    6. {{ cat|hyphenate|e }}
      7. {% endfor %}
    {% if M_SHOW_AUTHOR_LIST and authors %}

    {{ "Authors"|hyphenate(lang='en') }}

      {% for author, null in authors %} -
    1. {{ author }}
      2. +
    2. {{ author|e }}
      3. {% endfor %}
    {% endif %} @@ -70,7 +70,7 @@
      {% set max_articles_per_tag = tags|map(attribute='1')|map('length')|sort|last %} {% for tag, articles in tags|sort(attribute='0') %} -
    • {{ tag }}
      • +
    • {{ tag|e }}
      • {% endfor %}
    {% endif %} diff --git a/pelican-theme/templates/base_blog_section.html b/pelican-theme/templates/base_blog_section.html index 194aaf9f..a4c71c4a 100644 --- a/pelican-theme/templates/base_blog_section.html +++ b/pelican-theme/templates/base_blog_section.html @@ -2,10 +2,10 @@ {% block head_links %} {% if articles_page.has_previous() %} - + {% endif %} {% if articles_page.has_next() %} - + {% endif %} {% endblock head_links %} diff --git a/pelican-theme/templates/category.html b/pelican-theme/templates/category.html index 8feae772..e7e4d237 100644 --- a/pelican-theme/templates/category.html +++ b/pelican-theme/templates/category.html @@ -1,9 +1,9 @@ {% extends "base_blog_section.html" %} -{% block title %}{{ category }} | {{ M_BLOG_NAME }}{% endblock %} +{% block title %}{{ category|e }} | {{ M_BLOG_NAME|e }}{% endblock %} {% block content_title %}
    - Showing only posts in {{ category }}. Show all posts. + Showing only posts in {{ category|e }}. Show all posts.
    {% endblock %} diff --git a/pelican-theme/templates/page.html b/pelican-theme/templates/page.html index 068e08c3..b7d3c9bc 100644 --- a/pelican-theme/templates/page.html +++ b/pelican-theme/templates/page.html @@ -4,32 +4,32 @@ {% block title %} {% if page.breadcrumb %} {% set breadcrumbs = page.breadcrumb.strip().split('\n') %} -{% for i in breadcrumbs %}{% set url, _, title = i.strip().partition(' ') %}{{ title }} » {% endfor %} +{% for i in breadcrumbs %}{% set url, _, title = i.strip().partition(' ') %}{{ title|e }} » {% endfor %} {% endif %} -{% if page.title == SITENAME %} +{% if page.title == SITENAME|e %} {{ page.title -}} {% else %} -{{ page.title }} | {{ SITENAME -}} +{{ page.title }} | {{ SITENAME|e -}} {% endif %} {% endblock %} {% block head %} {{- super() -}} {% if page.description %} - + {% endif %} - - + + {% if page.summary %} - - + + {% endif %} {% if page.cover %} - + - + {% else %} {% endif %} @@ -41,7 +41,7 @@ {% if page.css %} {% set styles = page.css.strip().split('\n') %} {% for style in styles %} - + {% endfor %} {% endif %} {% endblock %} @@ -60,7 +60,7 @@ {% endif %}
    {% if page.landing %} -
    +
    @@ -80,7 +80,7 @@ {% set breadcrumbs = page.breadcrumb.strip().split('\n') %} {% for i in breadcrumbs %} {% set url, _, title = i.strip().partition(' ') %} - {{ title }} » + {{ title|e }} » {% endfor %} {{ page.title }} diff --git a/pelican-theme/templates/pagination.html b/pelican-theme/templates/pagination.html index da0ae460..42a8dc5c 100644 --- a/pelican-theme/templates/pagination.html +++ b/pelican-theme/templates/pagination.html @@ -1,7 +1,7 @@ {% if DEFAULT_PAGINATION %}
    - {%- if articles_page.has_previous() %}« newer articles | {% endif -%} + {%- if articles_page.has_previous() %}« newer articles | {% endif -%} page {{ articles_page.number }} - {%- if articles_page.has_next() %} | older articles »{% endif -%} + {%- if articles_page.has_next() %} | older articles »{% endif -%}
    {% endif %} diff --git a/pelican-theme/templates/tag.html b/pelican-theme/templates/tag.html index b7cec94f..0f4e83b6 100644 --- a/pelican-theme/templates/tag.html +++ b/pelican-theme/templates/tag.html @@ -1,9 +1,9 @@ {% extends "base_blog_section.html" %} -{% block title %}Posts tagged {{ tag }} | {{ M_BLOG_NAME }}{% endblock %} +{% block title %}Posts tagged {{ tag|e }} | {{ M_BLOG_NAME|e }}{% endblock %} {% block content_title %}
    - Showing only posts tagged {{ tag }}. Show all posts. + Showing only posts tagged {{ tag|e }}. Show all posts.
    {% endblock %} diff --git a/pelican-theme/test/blog_html_escape/article-jumbo.html b/pelican-theme/test/blog_html_escape/article-jumbo.html new file mode 100644 index 00000000..f773b099 --- /dev/null +++ b/pelican-theme/test/blog_html_escape/article-jumbo.html @@ -0,0 +1,120 @@ + + + + + Article with <&> — a <&> jumbo one | <&> in blog name + + + + + + + + + + + + + + + + + +
    +
    + + +
    + + + diff --git a/pelican-theme/test/blog_html_escape/article-jumbo.rst b/pelican-theme/test/blog_html_escape/article-jumbo.rst new file mode 100644 index 00000000..419af20e --- /dev/null +++ b/pelican-theme/test/blog_html_escape/article-jumbo.rst @@ -0,0 +1,12 @@ +Article with <&> — a <&> jumbo one +################################## + +:date: 2017-12-10 +:cover: image.jpg?and&in&url="" +:author: And <&> in author +:description: And <&> in description. +:tags: And <&> in tag +:category: And <&> in category +:summary: And <&> in summary. + +And <&> in content. diff --git a/pelican-theme/test/blog_html_escape/article.html b/pelican-theme/test/blog_html_escape/article.html new file mode 100644 index 00000000..5a3d57e1 --- /dev/null +++ b/pelican-theme/test/blog_html_escape/article.html @@ -0,0 +1,89 @@ + + + + + Article with <&> in title | <&> in blog name + + + + + + + + + + + + + + + +
    +
    +
    +
    + + +
    +
    +
    + + + diff --git a/pelican-theme/test/blog_html_escape/article.rst b/pelican-theme/test/blog_html_escape/article.rst new file mode 100644 index 00000000..1d474b5f --- /dev/null +++ b/pelican-theme/test/blog_html_escape/article.rst @@ -0,0 +1,11 @@ +Article with <&> in title +######################### + +:date: 2017-12-09 +:author: And <&> in author +:description: And <&> in description. +:tags: And <&> in tag +:category: And <&> in category +:summary: And <&> in summary. + +And <&> in content. diff --git a/pelican-theme/test/blog_html_escape/author-and-in-author.html b/pelican-theme/test/blog_html_escape/author-and-in-author.html new file mode 100644 index 00000000..a6e2ef3d --- /dev/null +++ b/pelican-theme/test/blog_html_escape/author-and-in-author.html @@ -0,0 +1,83 @@ + + + + + Posts by And <&> in author | <&> in blog name + + + + + + +
    +
    +
    +
    +
    +
    + Showing only posts by And <&> in author. Show all posts. +
    + +
    page 1 | older articles »
    +
    + +
    +
    +
    + + + diff --git a/pelican-theme/test/blog_html_escape/author-and-in-author2.html b/pelican-theme/test/blog_html_escape/author-and-in-author2.html new file mode 100644 index 00000000..abd1f69c --- /dev/null +++ b/pelican-theme/test/blog_html_escape/author-and-in-author2.html @@ -0,0 +1,83 @@ + + + + + Posts by And <&> in author | <&> in blog name + + + + + + +
    +
    +
    +
    +
    +
    + Showing only posts by And <&> in author. Show all posts. +
    + +
    « newer articles | page 2
    +
    + +
    +
    +
    + + + diff --git a/pelican-theme/test/blog_html_escape/category-and-in-category.html b/pelican-theme/test/blog_html_escape/category-and-in-category.html new file mode 100644 index 00000000..3d2e32be --- /dev/null +++ b/pelican-theme/test/blog_html_escape/category-and-in-category.html @@ -0,0 +1,83 @@ + + + + + And <&> in category | <&> in blog name + + + + + + +
    +
    +
    +
    +
    +
    + Showing only posts in And <&> in category. Show all posts. +
    + +
    page 1 | older articles »
    +
    + +
    +
    +
    + + + \ No newline at end of file diff --git a/pelican-theme/test/blog_html_escape/category-and-in-category2.html b/pelican-theme/test/blog_html_escape/category-and-in-category2.html new file mode 100644 index 00000000..96ded621 --- /dev/null +++ b/pelican-theme/test/blog_html_escape/category-and-in-category2.html @@ -0,0 +1,83 @@ + + + + + And <&> in category | <&> in blog name + + + + + + +
    +
    +
    +
    +
    +
    + Showing only posts in And <&> in category. Show all posts. +
    + +
    « newer articles | page 2
    +
    + +
    +
    +
    + + + \ No newline at end of file diff --git a/pelican-theme/test/blog_html_escape/index.html b/pelican-theme/test/blog_html_escape/index.html new file mode 100644 index 00000000..65655639 --- /dev/null +++ b/pelican-theme/test/blog_html_escape/index.html @@ -0,0 +1,83 @@ + + + + + <&> in blog name + + + + + + +
    +
    +
    +
    +
    + +
    page 1 | older articles »
    +
    + +
    +
    +
    + + + diff --git a/pelican-theme/test/blog_html_escape/index2.html b/pelican-theme/test/blog_html_escape/index2.html new file mode 100644 index 00000000..05f65bbb --- /dev/null +++ b/pelican-theme/test/blog_html_escape/index2.html @@ -0,0 +1,80 @@ + + + + + <&> in blog name + + + + + + +
    +
    +
    +
    +
    + +
    « newer articles | page 2
    +
    + +
    +
    +
    + + + \ No newline at end of file diff --git a/pelican-theme/test/blog_html_escape/tag-and-in-tag.html b/pelican-theme/test/blog_html_escape/tag-and-in-tag.html new file mode 100644 index 00000000..feac1b7c --- /dev/null +++ b/pelican-theme/test/blog_html_escape/tag-and-in-tag.html @@ -0,0 +1,83 @@ + + + + + Posts tagged And <&> in tag | <&> in blog name + + + + + + +
    +
    +
    +
    +
    +
    + Showing only posts tagged And <&> in tag. Show all posts. +
    + +
    page 1 | older articles »
    +
    + +
    +
    +
    + + + \ No newline at end of file diff --git a/pelican-theme/test/blog_html_escape/tag-and-in-tag2.html b/pelican-theme/test/blog_html_escape/tag-and-in-tag2.html new file mode 100644 index 00000000..930150fd --- /dev/null +++ b/pelican-theme/test/blog_html_escape/tag-and-in-tag2.html @@ -0,0 +1,83 @@ + + + + + Posts tagged And <&> in tag | <&> in blog name + + + + + + +
    +
    +
    +
    +
    +
    + Showing only posts tagged And <&> in tag. Show all posts. +
    + +
    « newer articles | page 2
    +
    + +
    +
    +
    + + + \ No newline at end of file diff --git a/pelican-theme/test/layout_html_escape/index.html b/pelican-theme/test/layout_html_escape/index.html new file mode 100644 index 00000000..a05803f2 --- /dev/null +++ b/pelican-theme/test/layout_html_escape/index.html @@ -0,0 +1,97 @@ + + + + + A <&> blog + + + + + +
    +
    +
    +
    +
    +
    +

    Congratulations!

    + The m.css theme is alive and kicking! Now, feed it some articles so it doesn't feel so empty :) +
    +
    + +
    +
    +
    + + + diff --git a/pelican-theme/test/page_html_escape/breadcrumb.html b/pelican-theme/test/page_html_escape/breadcrumb.html new file mode 100644 index 00000000..53342136 --- /dev/null +++ b/pelican-theme/test/page_html_escape/breadcrumb.html @@ -0,0 +1,41 @@ + + + + + And <&> in breadcrumb » Page with <&> in title | <&> in site name + + + + + + + + + + + +
    +
    + +
    + + diff --git a/pelican-theme/test/page_html_escape/breadcrumb.rst b/pelican-theme/test/page_html_escape/breadcrumb.rst new file mode 100644 index 00000000..0a3dceca --- /dev/null +++ b/pelican-theme/test/page_html_escape/breadcrumb.rst @@ -0,0 +1,4 @@ +Page with <&> in title +###################### + +:breadcrumb: index.html?and&in&breadcrumb="" And <&> in breadcrumb diff --git a/pelican-theme/test/page_html_escape/content.html b/pelican-theme/test/page_html_escape/content.html new file mode 100644 index 00000000..bd66d3bf --- /dev/null +++ b/pelican-theme/test/page_html_escape/content.html @@ -0,0 +1,46 @@ + + + + + Escaping in content | <&> in site name + + + + + + + + + + + + + +
    +
    + +
    + + diff --git a/pelican-theme/test/page_html_escape/content.rst b/pelican-theme/test/page_html_escape/content.rst new file mode 100644 index 00000000..2bdfeb80 --- /dev/null +++ b/pelican-theme/test/page_html_escape/content.rst @@ -0,0 +1,7 @@ +Escaping in content +################### + +- `Self link <{filename}/page.rst>`_ (overriden URL) +- `Self link with more params added <{filename}/page.rst#so=this&works="bad">`_ +- `Link to other page <{filename}/landing.rst>`_ (it doesn't have URL overriden) +- `Link outside `_. diff --git a/pelican-theme/test/page_html_escape/landing.html b/pelican-theme/test/page_html_escape/landing.html new file mode 100644 index 00000000..3e8bd337 --- /dev/null +++ b/pelican-theme/test/page_html_escape/landing.html @@ -0,0 +1,54 @@ + + + + + <&> in site name + + + + + + + + + + + + + + + +
    +
    +
    +
    +
    +
    + +
    +
    +Landing text.
    +
    + +
    +
    +
    +
    +
    +
    + +

    Page text.

    + +
    +
    +
    +
    +
    + + diff --git a/pelican-theme/test/page_html_escape/landing.rst b/pelican-theme/test/page_html_escape/landing.rst new file mode 100644 index 00000000..b0c836c2 --- /dev/null +++ b/pelican-theme/test/page_html_escape/landing.rst @@ -0,0 +1,12 @@ +<&> in site name +################ + +:cover: image.jpg?and&in&url="" +:landing: + .. container:: m-row + + .. container:: m-col-m-6 m-push-m-3 + + Landing text. + +Page text. diff --git a/pelican-theme/test/page_html_escape/page.html b/pelican-theme/test/page_html_escape/page.html new file mode 100644 index 00000000..46eaaddd --- /dev/null +++ b/pelican-theme/test/page_html_escape/page.html @@ -0,0 +1,60 @@ + + + + + Page with <&> in title | <&> in site name + + + + + + + + + + + + + + +
    +
    +
    +
    +
    + +

    And <&> in header.

    + +
    +
    +
    +
    +
    +
    +
    +

    Page with <&> in title

    + +

    And <&> in content.

    + +
    +
    +
    +
    +
    +
    +
    + +

    And <&> in footer.

    + +
    +
    +
    +
    + + diff --git a/pelican-theme/test/page_html_escape/page.rst b/pelican-theme/test/page_html_escape/page.rst new file mode 100644 index 00000000..fd558dd4 --- /dev/null +++ b/pelican-theme/test/page_html_escape/page.rst @@ -0,0 +1,10 @@ +Page with <&> in title +###################### + +:url: page.html?and&overriden&url="" +:description: And <&> in description. +:summary: And <&> in summary. +:header: And <&> in header. +:footer: And <&> in footer. + +And <&> in content. diff --git a/pelican-theme/test/test_blog.py b/pelican-theme/test/test_blog.py index e530b40b..df495684 100644 --- a/pelican-theme/test/test_blog.py +++ b/pelican-theme/test/test_blog.py @@ -396,3 +396,34 @@ class CollapseFirstBothHideSummaryBoth(BlogTestCase): # Both classic and jumbo article should have summary shown self.assertEqual(*self.actual_expected_contents('article.html')) self.assertEqual(*self.actual_expected_contents('article-jumbo.html')) + +class HtmlEscape(BlogTestCase): + def __init__(self, *args, **kwargs): + super().__init__(__file__, 'html_escape', *args, **kwargs) + + def test(self): + self.run_pelican({ + 'M_BLOG_NAME': '<&> in blog name', + 'M_BLOG_URL': 'archives.html?and&in&url=""', + 'ARTICLE_URL': '{slug}.html?and&in&url=""', + 'AUTHOR_URL': 'author-{slug}.html?and&in&url=""', + 'CATEGORY_URL': 'category-{slug}.html?and&in&url=""', + 'TAG_URL': 'tag-{slug}.html?and&in&url=""', + 'M_LINKS_FOOTER2': [('An <&> in link', '#')], + 'M_SHOW_AUTHOR_LIST': True, + 'DEFAULT_PAGINATION': 1, + 'PAGINATION_PATTERNS': + [(1, 'index.html?and&in&url=""', '{name}.html'), + (2, 'index{number}.html?and&in&url=""', '{name}{number}.html')], + 'DIRECT_TEMPLATES': ['index', 'archives'], + 'PAGINATED_DIRECT_TEMPLATES': ['index', 'archives'], + 'FORMATTED_FIELDS': ['summary', 'description'] + }) + + # Verify that everything is properly escaped everywhere + self.assertEqual(*self.actual_expected_contents('index.html')) + self.assertEqual(*self.actual_expected_contents('index2.html')) + self.assertEqual(*self.actual_expected_contents('archives.html', 'index.html')) + self.assertEqual(*self.actual_expected_contents('archives2.html', 'index2.html')) + self.assertEqual(*self.actual_expected_contents('article.html')) + self.assertEqual(*self.actual_expected_contents('article-jumbo.html')) diff --git a/pelican-theme/test/test_layout.py b/pelican-theme/test/test_layout.py index 333a2564..9cd18158 100644 --- a/pelican-theme/test/test_layout.py +++ b/pelican-theme/test/test_layout.py @@ -151,3 +151,42 @@ class DisableBlogLinks(BaseTestCase): # There should be just the first column self.assertEqual(*self.actual_expected_contents('index.html')) + +class HtmlEscape(BaseTestCase): + def __init__(self, *args, **kwargs): + super().__init__(__file__, 'html_escape', *args, **kwargs) + + def test(self): + self.run_pelican({ + 'SITENAME': 'A <&> site', + 'M_BLOG_NAME': 'A <&> blog', + 'M_BLOG_URL': 'archives.html?and&in&url=""', + 'M_SITE_LOGO': 'image.png?and&in&url=""', + 'M_SITE_LOGO_TEXT': '<&>', + 'M_LINKS_NAVBAR1': [ + ('An <&> item', 'item.html?and&in&url=""', '', [ + ('A <&> subitem', 'sub.html?and&in&url=""', '')]), + ('Another <&> item', 'item.html?and&in&url=""', '', [])], + 'M_LINKS_NAVBAR2': [ + ('An <&> item', 'item.html?and&in&url=""', '', [ + ('A <&> subitem', 'sub.html?and&in&url=""', '')]), + ('Another <&> item', 'item.html?and&in&url=""', '', [])], + 'M_LINKS_FOOTER1': [ + ('An <&> item', 'item.html?and&in&url=""'), + ('A <&> subitem', 'sub.html?and&in&url=""')], + 'M_LINKS_FOOTER2': [ + ('An <&> item', 'item.html?and&in&url=""'), + ('A <&> subitem', 'sub.html?and&in&url=""')], + 'M_LINKS_FOOTER3': [ + ('An <&> item', 'item.html?and&in&url=""'), + ('A <&> subitem', 'sub.html?and&in&url=""')], + 'M_LINKS_FOOTER4': [ + ('An <&> item', 'item.html?and&in&url=""'), + ('A <&> subitem', 'sub.html?and&in&url=""')], + 'M_FINE_PRINT': 'An <&> in fine print.', + 'CATEGORY_URL': 'tag-{slug}.html?and&in&url=""' + }) + + # Verify that everything is properly escaped everywhere + self.assertEqual(*self.actual_expected_contents('index.html')) + self.assertEqual(*self.actual_expected_contents('archives.html', 'index.html')) diff --git a/pelican-theme/test/test_page.py b/pelican-theme/test/test_page.py index 070a49d6..34ba4cb0 100644 --- a/pelican-theme/test/test_page.py +++ b/pelican-theme/test/test_page.py @@ -1,3 +1,9 @@ +import unittest + +import pelican + +from distutils.version import LooseVersion + from test import PageTestCase class Page(PageTestCase): @@ -83,3 +89,36 @@ class TitleSitenameAlias(PageTestCase): # The page title should be just one name, not both self.assertEqual(*self.actual_expected_contents('page.html')) + +class HtmlEscape(PageTestCase): + def __init__(self, *args, **kwargs): + super().__init__(__file__, 'html_escape', *args, **kwargs) + + def test(self): + self.run_pelican({ + 'SITENAME': "<&> in site name", + 'FORMATTED_FIELDS': ['summary', 'description', 'landing', 'header', 'footer'], + 'PAGE_URL': '{slug}.html?and&in&url=""', + }) + + # Verify that everything is properly escaped everywhere. The landing + # page has the name same as site name and the title should contain just + # one. + self.assertEqual(*self.actual_expected_contents('page.html')) + self.assertEqual(*self.actual_expected_contents('landing.html')) + self.assertEqual(*self.actual_expected_contents('breadcrumb.html')) + + # This is broken in Pelican until https://github.com/getpelican/pelican/issues/2260 + # so we test in a separate xfail test case + @unittest.skipUnless(LooseVersion(pelican.__version__) > LooseVersion("3.7.1"), + "Pelican doesn't produce expected results in this version") + def test_content(self): + self.run_pelican({ + 'SITENAME': "<&> in site name", + 'FORMATTED_FIELDS': ['summary', 'description', 'landing', 'header', 'footer'], + 'PAGE_URL': '{slug}.html?and&in&url=""', + }) + + # Verify that also the Pelican-produced content has correctly escaped + # everything. + self.assertEqual(*self.actual_expected_contents('content.html')) -- 2.30.2