--TEST--
escape types: |escape('js') and |escape('html') filters combined with autoescape 'html', 'js' and false
--TEMPLATE--
1. autoescape 'html' |escape('js')
{% autoescape 'html' %}
<a onclick="alert("{{ msg|escape('js') }}")"></a>
{% endautoescape %}
2. autoescape 'html' |escape('js')
{% autoescape 'html' %}
<a onclick="alert("{{ msg|escape('js') }}")"></a>
{% endautoescape %}
3. autoescape 'js' |escape('js')
{% autoescape 'js' %}
<a onclick="alert("{{ msg|escape('js') }}")"></a>
{% endautoescape %}
4. no escape
{% autoescape false %}
<a onclick="alert("{{ msg }}")"></a>
{% endautoescape %}
5. |escape('js')|escape('html')
{% autoescape false %}
<a onclick="alert("{{ msg|escape('js')|escape('html') }}")"></a>
{% endautoescape %}
6. autoescape 'html' |escape('js')|escape('html')
{% autoescape 'html' %}
<a onclick="alert("{{ msg|escape('js')|escape('html') }}")"></a>
{% endautoescape %}
--DATA--
return array('msg' => "<>\n'\"")
--EXPECT--
1. autoescape 'html' |escape('js')
<a onclick="alert("\x3C\x3E\x0A\x27\x22")"></a>
2. autoescape 'html' |escape('js')
<a onclick="alert("\x3C\x3E\x0A\x27\x22")"></a>
3. autoescape 'js' |escape('js')
<a onclick="alert("\x3C\x3E\x0A\x27\x22")"></a>
4. no escape
<a onclick="alert("<>
'"")"></a>
5. |escape('js')|escape('html')
<a onclick="alert("\x3C\x3E\x0A\x27\x22")"></a>
6. autoescape 'html' |escape('js')|escape('html')
<a onclick="alert("\x3C\x3E\x0A\x27\x22")"></a>