Opened 3 years ago
Closed 3 years ago
#33236 closed Bug (fixed)
assertHTMLEqual() shows a confusing error with escaped HTML.
Reported by: | Pratyush Mittal | Owned by: | Pratyush Mittal |
---|---|---|---|
Component: | Testing framework | Version: | 3.2 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
The diff shown in the error message of assertHTMLEqual seems to be converting escaped HTML text to unescaped text.
This makes it hard to write tests when testing XSS vulnerabilities in our tags and filters. Though the assertions work correctly, the error messages don't show the correct differences.
Steps to reproduce
from django.test import TestCase

class UtilsTestCase(TestCase):
    def test_assersion(self):
        # Text that merely looks like a tag (escaped) vs. a real <foo> element.
        escaped = "<p>&lt;foo&gt;</p>"
        raw = "<p><foo></p>"
        self.assertHTMLEqual(escaped, raw)
Expected Output
AssertionError: <p>
&lt;foo&gt;
</p> != <p>
<foo>
</p>
  <p>
- &lt;foo&gt;
+ <foo>
  </p>
Actual Output
AssertionError: <p>
<foo>
</p> != <p>
<foo>
</p>
  <p>
<foo>
  </p>
Change History (4)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
Owner: | changed from | to
---|---|
Patch needs improvement: | set |
Status: | new → assigned |
Summary: | assertHTMLEqual shows incorrect diff → assertHTMLEqual() shows a confusing error with escaped HTML. |
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 3 years ago
Patch needs improvement: | unset |
---|---|
Triage Stage: | Accepted → Ready for checkin |
The bug is probably caused because the __str__ method in the Element class treats all its children the same. The children are either a tree or string. In the case of a string, Python's HTMLParser unescapes the contents. For their string representation, we probably need to escape them back.

I have tried to fix this in this pull request: https://github.com/django/django/pull/15033
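
The cause described in the comment above, reproduced outside Django as an added example (not code from the ticket, the pull request or Django itself). Node, TreeBuilder and html_diff are hypothetical names for a simplified tree built with the standard-library HTMLParser; the escape_text flag switches between rendering text children as parsed and escaping them back.

```python
import difflib
from html import escape
from html.parser import HTMLParser

# Simplified stand-in for a parsed element (hypothetical, not Django's class).
class Node:
    def __init__(self, name):
        self.name = name
        self.children = []  # each child is a Node (subtree) or a str (text)

    def lines(self, escape_text):
        out = [f"<{self.name}>"] if self.name else []
        for child in self.children:
            if isinstance(child, Node):
                out.extend(child.lines(escape_text))
            else:  # text, already unescaped by the parser: escape it back if asked
                out.append(escape(child) if escape_text else child)
        if self.name and self.children:
            out.append(f"</{self.name}>")
        return out

class TreeBuilder(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: "&lt;" reaches handle_data as "<"
        self.stack = [Node(None)]  # stack[0] is the nameless root

    def handle_starttag(self, tag, attrs):
        node = Node(tag)
        self.stack[-1].children.append(node)
        self.stack.append(node)

    def handle_endtag(self, tag):
        if len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip():
            self.stack[-1].children.append(data.strip())

def html_diff(first, second, escape_text):
    rendered = []
    for html in (first, second):
        builder = TreeBuilder()
        builder.feed(html)
        builder.close()
        rendered.append(builder.stack[0].lines(escape_text))
    return [l for l in difflib.ndiff(*rendered) if not l.startswith("?")]

ESCAPED = "<p>&lt;foo&gt;</p>"  # constructed sample: text that looks like a tag
RAW = "<p><foo></p>"            # constructed sample: a real <foo> element
```

With escape_text=False the two trees render to identical lines even though they differ in structure, so the diff has no - or + lines, which is the confusing message from the report; with escape_text=True the escaped text and the real element appear as separate lines.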