0001-matomo-detect-html-tags-in-tracking_js-32948.patch

Lauréline Guérin, 04 février 2020 15:26

Voir les différences: en ligne côte à côte

Subject: [PATCH] matomo: detect html tags in tracking_js (#32948)

 hobo/matomo/forms.py       |  8 ++++++++
 tests/test_matomo_views.py | 39 +++++++++++++++++++++++---------------
 2 files changed, 32 insertions(+), 15 deletions(-)

     from django import forms
     from django.utils.translation import ugettext_lazy as _
     import lxml.html
     class SettingsForm(forms.Form):
         """
-...
             required=False,
             widget=forms.Textarea())
         def clean_tracking_js(self):
             value = self.cleaned_data['tracking_js']
             if lxml.html.fromstring(value).find('.//*'):
                 raise forms.ValidationError('Remove html tags.')
             return value
     class EnableForm(forms.Form):
         pass

         app = login(TestApp(application))
         # get matomo's validation page
         resp1 = app.get('/visits-tracking/enable-manual', status=200)
         assert re.search('<textarea.* name="tracking_js"', resp1.body)
         resp = app.get('/visits-tracking/enable-manual', status=200)
         assert re.search('<textarea.* name="tracking_js"', resp.body)
         # validate and get matomo's home page
         resp1.form['tracking_js'] = '...js_code_1...'
         resp2 = resp1.form.submit().follow()
         assert resp2.body.find('Manual configuration.')
         assert re.search('<textarea.* name="tracking_js"', resp2.body)
         assert resp2.body.find('...js_code_1...</textarea>') != -1
         assert resp2.body.find('<button class="submit-button">Save</button>') != -1
         resp.form['tracking_js'] = '...js_code_1...'
         resp = resp.form.submit().follow()
         assert resp.body.find('Manual configuration.')
         assert re.search('<textarea.* name="tracking_js"', resp.body)
         assert resp.body.find('...js_code_1...</textarea>') != -1
         assert resp.body.find('<button class="submit-button">Save</button>') != -1
         # update JS code on matomo's home page
         resp2.form['tracking_js'] = '...js_code_2...'
         resp3 = resp2.form.submit().follow()
         assert resp3.body.find('Manual configuration.') != -1
         assert re.search('<textarea.* name="tracking_js"', resp3.body)
         assert resp3.body.find('...js_code_2...</textarea>') != -1
         assert resp3.body.find('<button class="submit-button">Save</button>') != -1
         assert resp3.body.find('Good respect of user rights') != -1
         resp.form['tracking_js'] = '...js_code_2...'
         resp = resp.form.submit().follow()
         assert resp.body.find('Manual configuration.') != -1
         assert re.search('<textarea.* name="tracking_js"', resp.body)
         assert resp.body.find('...js_code_2...</textarea>') != -1
         assert resp.body.find('<button class="submit-button">Save</button>') != -1
         assert resp.body.find('Good respect of user rights') != -1
         # check html tags
         resp.form['tracking_js'] = '<script>...js_code_2...</script>'
         resp = resp.form.submit()
         assert '<ul class="errorlist"><li>Remove html tags.</li></ul>' in resp.text
         resp.form['tracking_js'] = '<script >'
         resp = resp.form.submit()
         assert '<ul class="errorlist"><li>Remove html tags.</li></ul>' in resp.text
     def test_available_options(admin_user):
         """check available buttons (manual/automatic configurations)"""
+    -

Projet

Général

Profil

Produits Entr'ouvert » Hobo

0001-matomo-detect-html-tags-in-tracking_js-32948.patch