Merge remote-tracking branch 'origin/master' into edge

Author: jonasbardino

mig/shared/safeinput.py

@@ -38,8 +38,8 @@
 from __future__ import print_function
 from __future__ import absolute_import
 
-import cgi
 import re
+import sys
 from email.utils import parseaddr, formataddr
 from string import ascii_letters, digits, printable
 from unicodedata import category, normalize, name as unicode_name
@@ -49,6 +49,15 @@
 except ImportError:
     nbformat = None
 
+PY2 = sys.version_info[0] < 3
+
+escape_html = None
+if PY2:
+    from cgi import escape as escape_html
+else:
+    from html import escape as escape_html
+assert escape_html is not None
+
 from mig.shared.base import force_unicode, force_utf8
 from mig.shared.defaults import src_dst_sep, username_charset, \
     username_max_length, session_id_charset, session_id_length, \
@@ -319,16 +328,18 @@ def __wrap_unicode_val(char):
 
 # Public functions
 
-def html_escape(contents):
-    """Uses cgi.escape() to encode contents in a html safe way. In that
+def html_escape(contents, quote=None):
+    """Use an stdlib escape to encode contents in a html safe way. In that
     way the resulting data can be included in a html page without risk
     of XSS vulnerabilities.
+    The optional quote argument is passed as-is to enable additional escaping
+    of single and double quotes.
     """
 
     # We use html_escape as a general protection even though it is
-    # mostly html (cgi) related
+    # mostly html request related
 
-    return cgi.escape(contents)
+    return escape_html(contents, quote)
 
 
 def valid_printable(contents, min_length=0, max_length=-1):
@@ -2270,7 +2281,9 @@ def __str__(self):
         return force_utf8(force_unicode(self.value))
 
 
-if __name__ == '__main__':
+def main(_print=print):
+    print = _print # workaround print as reserved word on PY2
+
     for test_cn in ('Firstname Lastname', 'Test Æøå', 'Test Überh4x0r',
                     'Harry S. Truman',  u'Unicode æøå', "Invalid D'Angelo",
                     'Test Maybe Invalid Źacãŕ', 'Test Invalid ?',
@@ -2468,3 +2481,6 @@ def __str__(self):
     print("Rejected:")
     for (key, val) in rejected.items():
         print("\t%s: %s" % (key, val))
+
+if __name__ == '__main__':
+    main()

tests/test_mig_shared_safeinput.py

@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+#
+# --- BEGIN_HEADER ---
+#
+# addheader - add license header to all code modules.
+# Copyright (C) 2003-2024  The MiG Project by the Science HPC Center at UCPH
+#
+# This file is part of MiG.
+#
+# MiG is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# MiG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
+# USA.
+#
+# --- END_HEADER ---
+#
+
+"""Unit tests for the migrid module pointed to in the filename"""
+
+import importlib
+import os
+import sys
+
+sys.path.append(os.path.realpath(os.path.join(os.path.dirname(__file__), ".")))
+
+from support import MigTestCase, testmain
+
+
+class MigSharedSafeinput(MigTestCase):
+
+    def test_basic_import(self):
+        safeimport = importlib.import_module("mig.shared.safeinput")
+
+    def test_existing_main(self):
+        safeimport = importlib.import_module("mig.shared.safeinput")
+        safeimport.main(_print=lambda _: None)
+
+
+if __name__ == '__main__':
+    testmain()