mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-11-05 15:00:30 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

lint: ban all dangerous HTML tags

Browse source 
* https://en.wikipedia.org/wiki/HTML_sanitization
* https://asostack.com/enhance-your-google-play-store-description-with-rich-formatting-and-emojis-5f50ff354e5f
This commit is contained in:
Hans-Christoph Steiner 2018-02-27 12:09:54 +01:00
parent b2ca49b26c
commit 498ea5d609
2 changed files with 30 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
fdroidserver/lint.py
View file

@ -164,7 +164,7 @@ regex_checks = {
_("Unnecessary leading space")), _("Unnecessary leading space")),
(re.compile(r'.*\s$'), (re.compile(r'.*\s$'),
_("Unnecessary trailing space")), _("Unnecessary trailing space")),
(re.compile(r'.*<(iframe|link|script).*'), (re.compile(r'.*<(applet|base|body|button|embed|form|head|html|iframe|img|input|link|object|picture|script|source|style|svg|video).*', re.IGNORECASE),
_("Forbidden HTML tags")), _("Forbidden HTML tags")),
(re.compile(r'''.*\s+src=["']javascript:.*'''), (re.compile(r'''.*\s+src=["']javascript:.*'''),
_("Javascript in HTML src attributes")), _("Javascript in HTML src attributes")),

31
tests/lint.TestCase
View file

@ -3,6 +3,7 @@
# http://www.drdobbs.com/testing/unit-testing-with-python/240165163 # http://www.drdobbs.com/testing/unit-testing-with-python/240165163
import inspect import inspect
import logging
import optparse import optparse
import os import os
import shutil import shutil
@ -23,6 +24,14 @@ import fdroidserver.lint
class LintTest(unittest.TestCase): class LintTest(unittest.TestCase):
'''fdroidserver/lint.py''' '''fdroidserver/lint.py'''
def setUp(self):
logging.basicConfig(level=logging.INFO)
self.basedir = os.path.join(localmodule, 'tests')
self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles'))
if not os.path.exists(self.tmpdir):
os.makedirs(self.tmpdir)
os.chdir(self.basedir)
def test_check_for_unsupported_metadata_files(self): def test_check_for_unsupported_metadata_files(self):
config = dict() config = dict()
fdroidserver.common.fill_config_defaults(config) fdroidserver.common.fill_config_defaults(config)
@ -31,8 +40,8 @@ class LintTest(unittest.TestCase):
fdroidserver.lint.config = config fdroidserver.lint.config = config
self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files()) self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files())
tmpdir = os.path.join(localmodule, '.testfiles') tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name,
tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=tmpdir) dir=self.tmpdir)
self.assertFalse(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/')) self.assertFalse(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
shutil.copytree(os.path.join(localmodule, 'tests', 'metadata'), shutil.copytree(os.path.join(localmodule, 'tests', 'metadata'),
os.path.join(tmptestsdir, 'metadata'), os.path.join(tmptestsdir, 'metadata'),
@ -42,6 +51,24 @@ class LintTest(unittest.TestCase):
os.path.join(tmptestsdir, 'metadata')) os.path.join(tmptestsdir, 'metadata'))
self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/')) self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/'))
def test_forbidden_html_tags(self):
config = dict()
fdroidserver.common.fill_config_defaults(config)
fdroidserver.common.config = config
fdroidserver.lint.config = config
app = {
'Name': 'Bad App',
'Summary': 'We pwn you',
'Description': 'This way: <style><img src="</style><img src=x onerror=alert(1)//">',
}
anywarns = False
for warn in fdroidserver.lint.check_regexes(app):
anywarns = True
logging.debug(warn)
self.assertTrue(anywarns)
if __name__ == "__main__": if __name__ == "__main__":
parser = optparse.OptionParser() parser = optparse.OptionParser()