allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tvansteenbu...@apache.org
Subject [02/50] git commit: [#2835] avoid double-escaping solr text by escaping it only on the way out. tests
Date Wed, 08 May 2013 15:34:59 GMT
[#2835] avoid double-escaping solr text by escaping it only on the way out.  tests


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/69d75753
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/69d75753
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/69d75753

Branch: refs/heads/tv/docs
Commit: 69d757538ad8d5c30cffe491b56c8b701f7c4dd8
Parents: c8311bb
Author: Dave Brondsema <dbrondsema@slashdotmedia.com>
Authored: Thu Apr 25 20:20:12 2013 +0000
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Mon Apr 29 13:38:36 2013 +0000

----------------------------------------------------------------------
 Allura/allura/lib/search.py           |    4 +-
 Allura/allura/tests/unit/test_solr.py |   86 +++++++++++++++++++++++++++-
 2 files changed, 85 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/69d75753/Allura/allura/lib/search.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/search.py b/Allura/allura/lib/search.py
index 203e37a..d43af9c 100644
--- a/Allura/allura/lib/search.py
+++ b/Allura/allura/lib/search.py
@@ -46,8 +46,6 @@ def solarize(obj):
     text = doc['text']
     text = g.markdown.convert(text)
     doc['text'] = jinja2.Markup.escape(text).striptags()
-    # striptags decodes html entities, so we should escape them again
-    doc['text'] = jinja2.Markup.escape(doc['text'])
     return doc
 
 class SearchError(SolrError):
@@ -201,7 +199,7 @@ def search_app(q='', fq=None, app=True, **kw):
     score_url = url(request.path, params=params)
     params.update({'sort': date_url})
     date_url = url(request.path, params=params)
-    return dict(q=q, history=history, results=results or [],
+    return dict(q=q, history=history, results=list(results) or [],
                 count=count, limit=limit, page=page, search_error=search_error,
                 sort_score_url=score_url, sort_date_url=date_url,
                 sort_field=field)

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/69d75753/Allura/allura/tests/unit/test_solr.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/unit/test_solr.py b/Allura/allura/tests/unit/test_solr.py
index 5226f07..f431ea3 100644
--- a/Allura/allura/tests/unit/test_solr.py
+++ b/Allura/allura/tests/unit/test_solr.py
@@ -16,11 +16,15 @@
 #       under the License.
 
 import unittest
+
 import mock
 from nose.tools import assert_equal
+from markupsafe import Markup
 
+from allura.lib import helpers as h
+from allura.tests import decorators as td
 from allura.lib.solr import Solr
-from allura.lib.search import solarize
+from allura.lib.search import solarize, search_app
 
 class TestSolr(unittest.TestCase):
     @mock.patch('allura.lib.solr.pysolr')
@@ -72,5 +76,83 @@ class TestSolarize(unittest.TestCase):
         obj = mock.MagicMock()
         obj.index.return_value = {'text': '<script>alert(1)</script>'}
         assert_equal(solarize(obj), {'text': ''})
+
         obj.index.return_value = {'text': '&lt;script&gt;alert(1)&lt;/script&gt;'}
-        assert_equal(solarize(obj), {'text': '&lt;script&gt;alert(1)&lt;/script&gt;'})
+        assert_equal(solarize(obj), {'text': '<script>alert(1)</script>'})
+
+
+class TestSearch_app(unittest.TestCase):
+
+    @td.with_wiki
+    @mock.patch('allura.lib.search.url')
+    @mock.patch('allura.lib.search.request')
+    def test_basic(self, req, url_fn):
+        req.GET = dict()
+        req.path = '/test/search'
+        url_fn.side_effect = ['the-score-url', 'the-date-url']
+        with h.push_context('test', 'wiki', neighborhood='Projects'):
+            resp = search_app(q='foo bar')
+        assert_equal(resp, dict(
+            q='foo bar',
+            history=None,
+            results=[],
+            count=0,
+            limit=25,
+            page=0,
+            search_error=None,
+            sort_score_url='the-score-url',
+            sort_date_url='the-date-url',
+            sort_field='score',
+        ))
+
+    @td.with_wiki
+    @mock.patch('allura.lib.search.g.solr.search')
+    @mock.patch('allura.lib.search.url')
+    @mock.patch('allura.lib.search.request')
+    def test_escape_solr_text(self, req, url_fn, solr_search):
+        req.GET = dict()
+        req.path = '/test/wiki/search'
+        url_fn.side_effect = ['the-score-url', 'the-date-url']
+        results = mock.Mock(hits=2, docs=[
+                {'id': 123, 'type_s':'WikiPage Snapshot', 'url_s':'/test/wiki/Foo', 'version_i':2},
+                {'id': 321, 'type_s':'Post'},
+            ], highlighting={
+                123: dict(title='some #ALLURA-HIGHLIGHT-START#Foo#ALLURA-HIGHLIGHT-END# stuff',
+                         text='scary <script>alert(1)</script> bar'),
+                321: dict(title='blah blah',
+                         text='less scary but still dangerous &lt;script&gt;alert(1)&lt;/script&gt;
'
+                              'blah #ALLURA-HIGHLIGHT-START#bar#ALLURA-HIGHLIGHT-END# foo
foo'),
+            },
+        )
+        results.__iter__ = lambda self: iter(results.docs)
+        solr_search.return_value = results
+        with h.push_context('test', 'wiki', neighborhood='Projects'):
+            resp = search_app(q='foo bar')
+
+        assert_equal(resp, dict(
+            q='foo bar',
+            history=None,
+            count=2,
+            limit=25,
+            page=0,
+            search_error=None,
+            sort_score_url='the-score-url',
+            sort_date_url='the-date-url',
+            sort_field='score',
+            results=[{
+                'id': 123,
+                'type_s': 'WikiPage Snapshot',
+                'version_i': 2,
+                'url_s': '/test/wiki/Foo?version=2',
+                # highlighting works
+                'title_match': Markup('some <strong>Foo</strong> stuff'),
+                # HTML in the solr plaintext results get escaped
+                'text_match': Markup('scary &lt;script&gt;alert(1)&lt;/script&gt;
bar'),
+                }, {
+                'id': 321,
+                'type_s': 'Post',
+                'title_match': Markup('blah blah'),
+                # highlighting in text
+                'text_match': Markup('less scary but still dangerous &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;
blah <strong>bar</strong> foo foo'),
+                }]
+        ))


Mime
View raw message