aboutsummaryrefslogtreecommitdiffstats
path: root/testing (unfollow)
Commit message (Collapse)AuthorFilesLines
2022-02-16Make json filter safeLibravatar René Kijewski3-2/+64
Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot`. In scripts the programmer should use the safe filter, otherwise not.
2022-02-07Add markdown filterLibravatar René Kijewski2-1/+79
2022-01-31Use exact trybuild versionLibravatar René Kijewski1-1/+1
Sometimes for no obvious reason an old version is selected and the output is different in just about every ui test. Just pin it to the currently newest version and test if an updated version still works when a new version gets released.
2022-01-31Remove `panic!()` in `loop.cycle([])`Libravatar René Kijewski2-0/+22
2022-01-31Make is_shadowing_variable() failableLibravatar René Kijewski1-3/+3
2022-01-31Allow comments in `{% match %}` and remove panic!Libravatar René Kijewski3-0/+53
2022-01-28Parse tuple expressionsLibravatar René Kijewski1-0/+82
Askama understands how to destructure tuples in let and match statements, but it does not understand how to build a tuple. This PR fixes this shortcoming.
2022-01-28 Implement error propagation expression: `?` (#590)Libravatar René Kijewski1-0/+69
This change allows using the operator `?` in askama expressions. It works like the same operator in Rust: if a `Result` is `Ok`, it is unwrapped. If it is an error, then the `render()` method fails with this error value.
2022-01-27Unify handling of calls (#614)Libravatar René Kijewski1-0/+82
Instead of having `Expr::VarCall`, `Expr::PathCall` and `Expr::MethodCall`, this PR unifies the handling of calls by removing the former three variants, and introducing `Expr::Call`.
2022-01-13Add unit tests if there is one `#[template(…)]`Libravatar René Kijewski4-0/+36
2021-12-15Use a separate trait for object safety (#579)Libravatar Dirkjan Ochtman2-11/+8
This is relatively major change to the main trait's API. For context, I always started from the concept of monomorphized traits, but later several contributors asked about object safety. At that point I made `Template` object-safe, and then even later added a `SizedTemplate` to make some things easier for people who don't need object safety. However, having object-safety in the primary trait is bad for performance (a substantial number of calls into the virtual `Write` trait is relatively slow), and I don't think those who don't need object safety should pay for the cost of having it. Additionally, I feel using associated consts for the extension and size hint is more idiomatic than having accessor methods. I don't know why I didn't use these from the start -- maybe associated consts didn't exist yet, or I didn't yet know how/when to use them. Askama is pretty old at this point...
2021-12-01Fix tests for new error messages in Rust nightlyLibravatar René Kijewski16-5/+41
2021-11-29Allow whitespace trimming in {{raw}} blocksLibravatar René Kijewski2-0/+12
2021-11-19Added optional escaper testsLibravatar vallentin1-0/+48
2021-11-11Implement `for … in … if …`Libravatar René Kijewski1-0/+18
2021-11-11Add exhaustive whitespace tests for for-elseLibravatar René Kijewski2-0/+1147
2021-11-11Implement for-elseLibravatar René Kijewski1-0/+19
This PR implements for-else statements like in Jinja. They make it easy to print an alternative message if the loop iterator was empty. E.g. ```rs {% for result in result %} <li>{{ result }}</li> {% else %} <li><em>no results</em></li> {% endfor %} ```
2021-11-11Implement {{loop.cycle(…)}} similar to JinjaLibravatar René Kijewski3-0/+65
2021-10-13Make test name consistent with test template nameLibravatar Kelly Thomas Kline1-1/+1
2021-10-13Initial test workLibravatar Kelly Thomas Kline1-0/+16
2021-08-30Ensure that {%break%} is only used inside of a loopLibravatar René Kijewski2-0/+19
2021-08-30Add {% break %} and {% continue %}Libravatar René Kijewski2-0/+79
This PR adds `{% break %}` and `{% continue %}` statements to break out of a loop, or continue with the next element of the iterator.
2021-08-25Add test case for matching on Option<bool>Libravatar Restioson2-0/+26
2021-08-21Bump version numbers in anticipation of beta releaseLibravatar Dirkjan Ochtman1-1/+1
2021-07-30Issue #379 was fixedLibravatar René Kijewski3-0/+38
This PR adds the tests by @msrd0 <git@msrd0.de> that failed before. The error was fixed somewhen between f23162a and now, so these tests serve to prevent regressions in the future. I simplified the tests very slightly to omit whitespaces in the output.
2021-07-30Better error messages using cutsLibravatar René Kijewski2-0/+19
2021-07-30Use "target()" to parse "when" blockLibravatar René Kijewski5-0/+78
`target()` as used in parsing "let" and "if let" implements parsing nested tuples and structs. But it does not implement parsing literals. The functions `match_variant()` and `with_parameters()` as used in parsing "when" blocks do not implement parsing nested structs, but it implements parsing literals. This PR combines `match_variant()` and `with_parameters()` into `target()`, so that all `{%when%}` support nested structs, too.
2021-07-30Allow omitting "with" keyword in match blocksLibravatar René Kijewski1-0/+17
Askama uses the syntax `{% when Variant with (parameters) %}` in `{% match %}` blocks. This is done because Askama does not implement the whole pattern matching of Rust's `match` statements. This PR wants to bring Askama a step closer Rust's matching, so the "with" keyword should not be needed anymore.
2021-07-30Allow using "with" keyword in "let" statementsLibravatar René Kijewski1-0/+14
Askama uses the syntax `{% when Variant with (parameters) %}` in `{% match %}` blocks. This change allows the optional use of the keyword "with" in "let" and "if let" statements, too.
2021-07-05Implement destructoring of structsLibravatar René Kijewski1-0/+107
This PR implements the destructoring of structs on the lhs of "let" and "for" statements.
2021-07-05Add "destructoring tuple in loop" testLibravatar René Kijewski1-0/+69
2021-07-05Add tuple destructoring testsLibravatar René Kijewski2-0/+17
2021-07-05Add loop variable shadowing testLibravatar René Kijewski1-0/+21
2021-07-02Replace rust_macro test to work on nightlyLibravatar René Kijewski2-14/+18
The current rust_test uses `stringify!()`. The documentation gives us the warning: > Note that the expanded results of the input tokens may change in the > future. You should be careful if you rely on the output. In the current nightly rust the result was indeed changed, so the test not fails. This PR replaces the test with another macro, that does not depend on `stringify!()`. Closes issue #504.
2021-07-02Fix expected error message for missing fileLibravatar René Kijewski6-0/+16
rust-lang/rust#82069 made error message that stem macro invocations more verbose. Since Rust 1.54 (currently in beta) the message includes the name of the offending macro. This PR uses version_check to select the appropriate expected error message.
2021-07-01Add "if let" testsLibravatar René Kijewski5-0/+119
2021-06-23Added loop testsLibravatar vallentin1-0/+83
2021-06-22Fix code generation for macro calls that store args in variables.Libravatar Ryan Kelly2-0/+19
2021-05-17Remove forward-slash escape (#486)Libravatar Alex Wennerberg2-6/+3
This was based off of the OWASP XSS prevention cheat sheet -- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary However, there isn't really any attack vector based on forward slash alone, and it's being removed in the next version of that document. > There is no proof that escaping forward slash will improve > defense against XSS, if all other special characters are escaped > properly, but it forces developers to use non-standard implementation of > the HTML escaping, what increases the risk of the mistake and makes the > implementation harder. https://github.com/OWASP/CheatSheetSeries/pull/516
2021-03-30Rename test types to PascalCaseLibravatar Dirkjan Ochtman2-10/+10
2021-03-10Added path and ext testsLibravatar vallentin4-0/+70
2021-02-22Added option testLibravatar vallentin1-0/+16
2021-02-22Added range test caseLibravatar vallentin1-6/+22
2021-01-13Added constants testLibravatar vallentin1-0/+30
2021-01-05Added copy literals related test caseLibravatar vallentin1-0/+12
2021-01-05Removed implicit borrowing of literals, calls, and more (fixes #404)Libravatar vallentin1-4/+4
2020-12-25Added let shadow testLibravatar vallentin2-0/+43
2020-12-16Added more loop testsLibravatar vallentin1-0/+36
2020-12-12Fixed whitespace issue when generating match (#399)Libravatar Christian Vallentin4-30/+155
* Fixed #397 * Updated parser to ignore whitespace between match and when * Updated test cases * Updated Python script to generate match ws tests * Added match ws tests * Resolved rustfmt lint
2020-12-03Fixed whitespace issue when generating if statement (#394)Libravatar Christian Vallentin2-0/+275
* Fixed #377