Opened 3 years ago

Closed 3 years ago

#33236 closed Bug (fixed)

assertHTMLEqual() shows a confusing error with escaped HTML.

Reported by: Pratyush Mittal
Owned by: Pratyush Mittal
Component: Testing framework
Version: 3.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

The diff shown in the error message of assertHTMLEqual seems to be converting escaped HTML text to unescaped text.

This makes it hard to write tests when testing XSS vulnerabilities in our tags and filters. Though the assertions work correctly, the error messages don't show the correct differences.

Steps to reproduce

from django.test import TestCase

class UtilsTestCase(TestCase):
    def test_assersion(self):
        escaped = "<p>&lt;foo&gt;</p>"
        raw = "<p><foo></p>"
        self.assertHTMLEqual(escaped, raw)

Expected Output

AssertionError: <p>
&lt;foo&gt;
</p> != <p>
<foo>
</p>
  <p>
- &lt;foo&gt;
+ <foo>
  </p>

Actual Output

AssertionError: <p>
<foo>
</p> != <p>
<foo>
</p>
  <p>
  <foo>
  </p>

Change History (4)

comment:1 by Pratyush Mittal, 3 years ago

The bug is probably caused because the __str__ method in the Element class treats all its children the same. The children are either a tree or a string. In the case of a string, Python's HTMLParser unescapes the contents. For their string representation, we probably need to escape them back.

I have tried to fix this in this pull-request: https://github.com/django/django/pull/15033
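
The cause described in comment:1, reproduced outside Django as an added example; this is not Django's code or the patch from the pull request. Element, TreeBuilder and parse_and_render are hypothetical names for a simplified stand-in tree built on Python's HTMLParser: without re-escaping text children, the two inputs from the ticket render identically, and with html.escape() they differ.

```python
from html import escape
from html.parser import HTMLParser

ESCAPED, RAW = "<p>&lt;foo&gt;</p>", "<p><foo></p>"  # inputs from the ticket


class Element:
    """Simplified stand-in for a parsed node; children are Elements or str."""

    def __init__(self, name):
        self.name = name
        self.children = []

    def render(self, escape_text):
        if not self.children:
            return f"<{self.name}>"
        parts = []
        for child in self.children:
            if isinstance(child, Element):
                parts.append(child.render(escape_text))
            else:
                # The parser already unescaped text; re-escape it for display.
                parts.append(escape(child) if escape_text else child)
        return f"<{self.name}>\n" + "".join(parts) + f"\n</{self.name}>"


class TreeBuilder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = Element("root")
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = Element(tag)
        self.stack[-1].children.append(node)
        self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop until the matching open tag, closing unclosed children implicitly.
        while len(self.stack) > 1 and self.stack.pop().name != tag:
            pass

    def handle_data(self, data):
        self.stack[-1].children.append(data)


def parse_and_render(html, escape_text):
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    return builder.root.children[0].render(escape_text)
```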

comment:2 by Mariusz Felisiak, 3 years ago

Owner: changed from nobody to Pratyush Mittal
Patch needs improvement: set
Status: new → assigned
Summary: assertHTMLEqual shows incorrect diff → assertHTMLEqual() shows a confusing error with escaped HTML.
Triage Stage: Unreviewed → Accepted

comment:3 by Mariusz Felisiak, 3 years ago

Patch needs improvement: unset
Triage Stage: Accepted → Ready for checkin

comment:4 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution: fixed
Status: assigned → closed

In f38458fe:

Fixed #33236 -- Fixed assertHTMLEqual() error messages for escaped HTML.
