From b56a629f69957d5f8eb9a2886ecbe7163694f22b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Tue, 3 Nov 2015 14:38:42 +0100
Subject: [PATCH 2/2] tests: add basic checks for WysiwygWidget (#8848)

---
 tests/test_widgets.py | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/tests/test_widgets.py b/tests/test_widgets.py
index b6f33c9..a8daf62 100644
--- a/tests/test_widgets.py
+++ b/tests/test_widgets.py
@@ -300,3 +300,42 @@ def test_date_widget():
     widget = DateWidget('test', date_in_the_past=True)
     mock_form_submission(req, widget, {'test': yesterday})
     assert not widget.has_error()
+
+
+def test_wysiwygwidget():
+    widget = WysiwygTextWidget('test')
+    form = MockHtmlForm(widget)
+    assert 'name="test"' in form.as_html
+    req.form = {}
+    assert widget.parse() is None
+
+    widget = WysiwygTextWidget('test')
+    mock_form_submission(req, widget, {'test': 'bla bla bla'})
+    assert not widget.has_error()
+    assert widget.parse() == 'bla bla bla'
+
+    import wcs.qommon.form
+    sanitize_html = wcs.qommon.form._sanitizeHTML
+    if sanitize_html:
+        widget = WysiwygTextWidget('test')
+        mock_form_submission(req, widget, {'test': '<p>bla bla bla</p>'})
+        assert not widget.has_error()
+        assert widget.parse() == '<p>bla bla bla</p>'
+
+        widget = WysiwygTextWidget('test')
+        mock_form_submission(req, widget, {'test': '<a href="#">a</a>'})
+        assert not widget.has_error()
+        assert widget.parse() == '<a href="#">a</a>'
+
+        widget = WysiwygTextWidget('test')
+        mock_form_submission(req, widget, {'test': '<a href="javascript:alert()">a</a>'})
+        assert not widget.has_error()
+        assert widget.parse() == '<a href="">a</a>' # javascript: got filtered
+
+    # check we get escaped HTML if feedparser _sanitizeHTML is missing
+    wcs.qommon.form._sanitizeHTML = None
+    widget = WysiwygTextWidget('test')
+    mock_form_submission(req, widget, {'test': '<p>bla bla bla</p>'})
+    assert not widget.has_error()
+    assert widget.parse() == '&lt;p&gt;bla bla bla&lt;/p&gt;'
+    wcs.qommon.form._sanitizeHTML = sanitize_html
-- 
2.6.2