
fix tests

Rafał Pitoń 8 years ago
parent
commit
2a3d43f271

+ 2 - 1
misago/core/templatetags/misago_json.py

@@ -3,6 +3,7 @@ import json
 from django import template
 from django.utils.safestring import mark_safe
 
+from ..utils import encode_json_html
 
 register = template.Library()
 
@@ -11,4 +12,4 @@ register = template.Library()
 def as_json(value):
     json_dump = json.dumps(value)
     # fixes XSS as described in #651
-    return mark_safe(json_dump.replace('<', r'\u003C'))
+    return mark_safe(encode_json_html(json_dump))
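Review bot: `mark_safe` on the changed return line vouches for a string in which only `<` has been escaped, so the output is safe only when the filter is rendered inside a `<script>` element. In an HTML attribute, the `"` and `&` that `json.dumps` leaves untouched would still reach the page unescaped. Nothing in the visible lines states that limit, so I would add a docstring to `as_json` such as `"""Serialize value to JSON for embedding inside a <script> block only; not safe in HTML attributes."""` and a matching one on `encode_json_html` in misago/core/utils.py, which is added without any documentation. As defence in depth the helper could also escape `>` and `&` (`.replace('>', r'\u003E').replace('&', r'\u0026')`), which keeps the output valid JSON. The filter's registration line presumably sits above `def as_json`, outside this hunk.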

+ 3 - 1
misago/core/tests/test_errorpages.py

@@ -5,6 +5,7 @@ from django.urls import reverse
 from misago.users.models import AnonymousUser
 
 from ..testproject.views import mock_custom_403_error_page, mock_custom_404_error_page
+from ..utils import encode_json_html
 
 
 class CSRFErrorViewTests(TestCase):
@@ -24,7 +25,8 @@ class ErrorPageViewsTests(TestCase):
         """banned error page has no show-stoppers"""
         response = self.client.get(reverse('raise-misago-banned'))
         self.assertContains(response, "misago:error-banned", status_code=403)
-        self.assertContains(response, "<p>Banned for test!</p>", status_code=403)
+        self.assertContains(
+            response, encode_json_html("<p>Banned for test!</p>"), status_code=403)
 
     def test_permission_denied_returns_403(self):
         """permission_denied error page has no show-stoppers"""

+ 4 - 3
misago/core/tests/test_templatetags.py

@@ -4,6 +4,7 @@ from django.test import TestCase
 from .. import forms
 from ..shortcuts import paginate
 from ..templatetags import misago_batch
+from ..utils import encode_json_html
 
 
 class CaptureTests(TestCase):
@@ -242,7 +243,7 @@ class ShorthandsTests(TestCase):
 
 class JSONTests(TestCase):
     def test_json_filter(self):
-        """as_json filter renders dict as json"""
+        """as_json filter renders dict as safe json"""
         tpl_content = """
 {% load misago_json %}
 
@@ -251,8 +252,8 @@ class JSONTests(TestCase):
 
         tpl = Template(tpl_content)
         self.assertEqual(tpl.render(Context({
-            'value': {'he<llo': 'bo"b!'}
-        })).strip(), '{"he<llo": "bo\\"b!"}')
+            'value': {'he</script>llo': 'bo"b!'}
+        })).strip(), '{"he\u003C/script>llo": "bo\\"b!"}')
 
 
 class PageTitleTests(TestCase):
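Review bot: The new expected value `'{"he\u003C/script>llo": "bo\\"b!"}'` writes `\u003C` with a single backslash in a non-raw literal, while the quote beside it is written `\\"`. On Python 3, or on Python 2 if this module enables `unicode_literals` (not visible here), that escape is decoded to a plain `<`, so the assertion would compare against the unescaped form and no longer pin the escaping. Doubling the backslash keeps the intent: `})).strip(), '{"he\\u003C/script>llo": "bo\\"b!"}')`. test_json_filter starts above this hunk.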

+ 4 - 0
misago/core/utils.py

@@ -22,6 +22,10 @@ def format_plaintext_for_html(string):
     return html.linebreaks(html.urlize(html.escape(string)))
 
 
+def encode_json_html(string):
+    return string.replace('<', r'\u003C')
+
+
 """
 Turn ISO 8601 string into datetime object
 """

+ 4 - 1
misago/users/tests/test_activation_views.py

@@ -2,6 +2,8 @@ from django.contrib.auth import get_user_model
 from django.test import TestCase
 from django.urls import reverse
 
+from misago.core.utils import encode_json_html
+
 from ..models import BAN_USERNAME, Ban
 from ..tokens import make_activation_token
 
@@ -29,7 +31,8 @@ class ActivationViewsTests(TestCase):
             'pk': test_user.pk,
             'token': activation_token,
         }))
-        self.assertContains(response, "<p>Nope!</p>", status_code=403)
+        self.assertContains(
+            response, encode_json_html("<p>Nope!</p>"), status_code=403)
 
         test_user = User.objects.get(pk=test_user.pk)
         self.assertEqual(test_user.requires_activation, 1)
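Review bot: The expected string in the new `assertContains` call is computed with `encode_json_html`, the same helper the template filter calls, so the assertion would still pass if the helper stopped escaping `<`. The same pattern appears in the hunks for test_errorpages.py, test_decorators.py and test_forgottenpassword_views.py. Spelling out the literal, `r"\u003Cp>Nope!\u003C/p>"`, pins the escaped form. Adding `self.assertNotContains(response, "<p>Nope!</p>", status_code=403)` alongside would catch raw markup reaching the page, assuming the message is rendered only inside the JSON payload. The test method begins above this hunk.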

+ 6 - 3
misago/users/tests/test_decorators.py

@@ -1,5 +1,7 @@
 from django.urls import reverse
 
+from misago.core.utils import encode_json_html
+
 from ..models import BAN_IP, Ban
 from ..testutils import UserTestCase
 
@@ -38,7 +40,7 @@ class DenyBannedIPTests(UserTestCase):
         Ban.objects.create(
             check_type=BAN_IP,
             banned_value='83.*',
-            user_message='Ya got banned!')
+            user_message="Ya got banned!")
 
         response = self.client.post(reverse('misago:request-activation'))
         self.assertEqual(response.status_code, 200)
@@ -48,7 +50,8 @@ class DenyBannedIPTests(UserTestCase):
         Ban.objects.create(
             check_type=BAN_IP,
             banned_value='127.*',
-            user_message='Ya got banned!')
+            user_message="Ya got banned!")
 
         response = self.client.post(reverse('misago:request-activation'))
-        self.assertContains(response, '<p>Ya got banned!</p>', status_code=403)
+        self.assertContains(
+            response, encode_json_html("<p>Ya got banned!</p>"), status_code=403)

+ 4 - 1
misago/users/tests/test_forgottenpassword_views.py

@@ -1,6 +1,8 @@
 from django.contrib.auth import get_user_model
 from django.urls import reverse
 
+from misago.core.utils import encode_json_html
+
 from ..models import BAN_USERNAME, Ban
 from ..testutils import UserTestCase
 from ..tokens import make_password_change_token
@@ -37,7 +39,8 @@ class ForgottenPasswordViewsTests(UserTestCase):
                 'pk': test_user.pk,
                 'token': password_token,
             }))
-        self.assertContains(response, '<p>Nope!</p>', status_code=403)
+        self.assertContains(
+            response, encode_json_html("<p>Nope!</p>"), status_code=403)
 
     def test_change_password_on_other_user(self):
         """change other user password errors"""