view tests/test-minirst.py @ 30766:d7bf7d2bd5ab

hgweb: support Content Security Policy

Content-Security-Policy (CSP) is a web security feature that allows servers to declare what loaded content is allowed to do. For example, a policy can prevent loading of images, JavaScript, CSS, etc. unless the source of that content is whitelisted (by hostname, URI scheme, hashes of content, etc.). It's a nifty security feature that provides extra mitigation against some attacks, notably XSS.

Mitigation against these attacks is important for Mercurial because hgweb renders repository data, which is commonly untrusted. While we make attempts to escape things, etc., there's the possibility that malicious data could be injected into the site content. If this happens today, the full power of the web browser is available to that malicious content. A restrictive CSP policy (defined by the server operator and sent in an HTTP header which is outside the control of malicious content) could restrict browser capabilities and mitigate security problems posed by malicious data.

CSP works by emitting an HTTP header declaring the policy that browsers should apply. Ideally, this header would be emitted by a layer above Mercurial (likely the HTTP server doing the WSGI "proxying"). This works for some CSP policies, but not all. For example, policies to allow inline JavaScript may require setting a "nonce" attribute on <script>. This attribute value must be unique and non-guessable. And, the value must be present in the HTTP header and the HTML body. This means that coordinating the value between Mercurial and another HTTP server could be difficult: it is much easier to generate and emit the nonce in a central location.

This commit introduces support for emitting a Content-Security-Policy header from hgweb. A config option defines the header value. If present, the header is emitted. A special "%nonce%" syntax in the value triggers generation of a nonce and inclusion in <script> elements in templates.

The inclusion of a nonce does not occur unless "%nonce%" is present. This makes this commit completely backwards compatible and the feature opt-in.

The nonce is a type 4 UUID, which is the flavor that is randomly generated. It has 122 random bits, which should be plenty to satisfy the guarantees of a nonce.
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 10 Jan 2017 23:37:08 -0800
parents 8717d4609ab3
children 6582b3716ae0
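To illustrate the nonce mechanism the commit message describes, here is an added example that is not Mercurial's code and not the hgweb implementation: the policy string, the response rendering and the agreement check are constructed for this illustration, and it assumes the configured value is a plain string containing the literal token %nonce%.

```python
import re
import uuid

# Constructed policy in the spirit of the commit message: the literal token
# %nonce% is replaced with a fresh value on every response.  The exact policy
# text is a placeholder, not Mercurial's own default.
CSP_TEMPLATE = "default-src 'self'; script-src 'self' 'nonce-%nonce%'"

def make_nonce():
    # Type 4 UUID: 122 random bits from the OS CSPRNG, so the value is both
    # unique per response and not guessable by injected content.
    return str(uuid.uuid4())

def render_response(csp_value, script_body):
    """Return (headers, html) for one response.

    The nonce is generated once and used in both the header and the body,
    which is why the commit emits it from hgweb rather than from a proxy.
    Without %nonce% in the policy no nonce is generated and <script> gets
    no nonce attribute, matching the opt-in behaviour described above.
    """
    nonce = make_nonce() if csp_value and '%nonce%' in csp_value else None
    headers = {}
    if csp_value:
        headers['Content-Security-Policy'] = csp_value.replace('%nonce%', nonce or '')
    attr = ' nonce="%s"' % nonce if nonce else ''
    html = '<script%s>%s</script>' % (attr, script_body)
    return headers, html

def extract_nonces(headers, html):
    """Return (nonces allowed by the CSP header, nonces used by <script>)."""
    policy = headers.get('Content-Security-Policy', '')
    allowed = set(re.findall(r"'nonce-([^']+)'", policy))
    used = set(re.findall(r'<script[^>]*\snonce="([^"]+)"', html))
    return allowed, used

def nonces_agree(headers, html):
    """Defender-side check: every nonce a <script> uses must appear in the
    header and vice versa; otherwise the browser blocks the script."""
    allowed, used = extract_nonces(headers, html)
    return allowed == used

def is_type4_uuid(value):
    # True when the nonce is the randomly generated UUID flavour.
    return uuid.UUID(value).version == 4
```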

from __future__ import absolute_import, print_function
import pprint
from mercurial import (
    minirst,
)

def debugformat(text, form, **kwargs):
    if form == 'html':
        print("html format:")
        out = minirst.format(text, style=form, **kwargs)
    else:
        print("%d column format:" % form)
        out = minirst.format(text, width=form, **kwargs)

    print("-" * 70)
    if type(out) == tuple:
        print(out[0][:-1])
        print("-" * 70)
        pprint.pprint(out[1])
    else:
        print(out[:-1])
    print("-" * 70)
    print()

def debugformats(title, text, **kwargs):
    print("== %s ==" % title)
    debugformat(text, 60, **kwargs)
    debugformat(text, 30, **kwargs)
    debugformat(text, 'html', **kwargs)

paragraphs = """
This is some text in the first paragraph.

  A small indented paragraph.
  It is followed by some lines
  containing random whitespace.
 \n  \n   \nThe third and final paragraph.
"""

debugformats('paragraphs', paragraphs)

definitions = """
A Term
  Definition. The indented
  lines make up the definition.
Another Term
  Another definition. The final line in the
   definition determines the indentation, so
    this will be indented with four spaces.

  A Nested/Indented Term
    Definition.
"""

debugformats('definitions', definitions)

literals = r"""
The fully minimized form is the most
convenient form::

  Hello
    literal
      world

In the partially minimized form a paragraph
simply ends with space-double-colon. ::

  ////////////////////////////////////////
  long un-wrapped line in a literal block
  \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

::

  This literal block is started with '::',
    the so-called expanded form. The paragraph
      with '::' disappears in the final output.
"""

debugformats('literals', literals)

lists = """
- This is the first list item.

  Second paragraph in the first list item.

- List items need not be separated
  by a blank line.
- And will be rendered without
  one in any case.

We can have indented lists:

  - This is an indented list item

  - Another indented list item::

      - A literal block in the middle
            of an indented list.

      (The above is not a list item since we are in the literal block.)

::

  Literal block with no indentation (apart from
  the two spaces added to all literal blocks).

1. This is an enumerated list (first item).
2. Continuing with the second item.

(1) foo
(2) bar

1) Another
2) List

Line blocks are also a form of list:

| This is the first line.
  The line continues here.
| This is the second line.
"""

debugformats('lists', lists)

options = """
There is support for simple option lists,
but only with long options:

-X, --exclude  filter  an option with a short and long option with an argument
-I, --include          an option with both a short option and a long option
--all                  Output all.
--both                 Output both (this description is
                       quite long).
--long                 Output all day long.

--par                 This option has two paragraphs in its description.
                      This is the first.

                      This is the second.  Blank lines may be omitted between
                      options (as above) or left in (as here).


The next paragraph looks like an option list, but lacks the two-space
marker after the option. It is treated as a normal paragraph:

--foo bar baz
"""

debugformats('options', options)

fields = """
:a: First item.
:ab: Second item. Indentation and wrapping
     is handled automatically.

Next list:

:small: The larger key below triggers full indentation here.
:much too large: This key is big enough to get its own line.
"""

debugformats('fields', fields)

containers = """
Normal output.

.. container:: debug

   Initial debug output.

.. container:: verbose

   Verbose output.

   .. container:: debug

      Debug output.
"""

debugformats('containers (normal)', containers)
debugformats('containers (verbose)', containers, keep=['verbose'])
debugformats('containers (debug)', containers, keep=['debug'])
debugformats('containers (verbose debug)', containers,
            keep=['verbose', 'debug'])

roles = """Please see :hg:`add`."""
debugformats('roles', roles)


sections = """
Title
=====

Section
-------

Subsection
''''''''''

Markup: ``foo`` and :hg:`help`
------------------------------
"""
debugformats('sections', sections)


admonitions = """
.. note::

   This is a note

   - Bullet 1
   - Bullet 2

   .. warning:: This is a warning Second
      input line of warning

.. danger::
   This is danger
"""

debugformats('admonitions', admonitions)

comments = """
Some text.

.. A comment

   .. An indented comment

   Some indented text.

..

Empty comment above
"""

debugformats('comments', comments)


data = [['a', 'b', 'c'],
         ['1', '2', '3'],
         ['foo', 'bar', 'baz this list is very very very long man']]

rst = minirst.maketable(data, 2, True)
table = ''.join(rst)

print(table)

debugformats('table', table)

data = [['s', 'long', 'line\ngoes on here'],
        ['', 'xy', 'tried to fix here\n        by indenting']]

rst = minirst.maketable(data, 1, False)
table = ''.join(rst)

print(table)

debugformats('table+nl', table)