Merge pull request #12 from PetrDlouhy/fix_django51

Fix django51
PetrDlouhy · Jul 29, 2024 · a71798e · a71798e
2 parents 6d91527 + eee57a0
commit a71798e
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 30 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -22,9 +22,16 @@ jobs:
 
     strategy:
       matrix:
-        DJANGO_VERSION: [ '2.2.*', '3.0.*', '3.1.*', '3.2.*', '4.0.*', '4.1.*', '4.2.*', '5.0.*']
+        DJANGO_VERSION: ['3.0.*', '3.1.*', '3.2.*', '4.0.*', '4.1.*', '4.2.*', '5.0.*', '5.1.*']
         python-version: ['3.7', '3.8', '3.9', '3.10', '3.11', '3.12']
         exclude:
+          - DJANGO_VERSION: '5.1.*'
+            python-version: '3.9'
+          - DJANGO_VERSION: '5.1.*'
+            python-version: '3.8'
+          - DJANGO_VERSION: '5.1.*'
+            python-version: '3.7'
+
           - DJANGO_VERSION: '5.0.*'
             python-version: '3.9'
           - DJANGO_VERSION: '5.0.*'
@@ -66,13 +73,6 @@ jobs:
           - DJANGO_VERSION: '3.0.*'
             python-version: '3.10'
 
-          - DJANGO_VERSION: '2.2.*'
-            python-version: '3.12'
-          - DJANGO_VERSION: '2.2.*'
-            python-version: '3.11'
-          - DJANGO_VERSION: '2.2.*'
-            python-version: '3.10'
-
       fail-fast: false
 
     services:
@@ -108,7 +108,7 @@ jobs:
            pip install -r requirements.txt
            pip install requests-mock mock pytest coveralls
            pip install psycopg2==2.8.6
-           pip install Django==${{ matrix.DJANGO_VERSION }}
+           pip install Django==${{ matrix.DJANGO_VERSION }} --pre
            pip install codecov
 
       - name: Testing

diff --git a/payments_payu/provider.py b/payments_payu/provider.py
@@ -114,7 +114,9 @@ def __init__(self, payu_base_url, script_params={}, *args, **kwargs):
             </script>
             <div id="payu-widget"></div>
             """,
-            params=format_html_join(" ", "{}='{}'", ((k, v) for k, v in script_params.items())),
+            params=format_html_join(
+                " ", "{}='{}'", ((k, v) for k, v in script_params.items())
+            ),
             process_url=urljoin(
                 get_base_url(),
                 self.payment.get_process_url(),

diff --git a/tests/test_payu.py b/tests/test_payu.py
@@ -3,6 +3,7 @@
 import contextlib
 import json
 import warnings
+from django.template import Context, Template
 from copy import deepcopy
 from decimal import Decimal
 from unittest import TestCase
@@ -618,6 +619,7 @@ def test_showing_cvv_form(self):
             True, True, get_refund_description=lambda payment, amount: "test"
         )
         self.payment.extra_data = json.dumps({"cvv_url": "foo_url"})
+        self.provider.payu_shop_name = "<script> alert('foo')</script>"  # XSS test
         with patch("requests.post") as mocked_post:
             post = MagicMock()
             post.text = json.dumps(
@@ -631,16 +633,14 @@ def test_showing_cvv_form(self):
             mocked_post.return_value = post
             form = self.provider.get_form(payment=self.payment)
             self.assertEqual(form.__class__.__name__, "WidgetPaymentForm")
-            self.assertTrue(
-                "payu-widget" in form.fields["script"].widget.render("a", "b")
-            )
-            self.assertTrue(
-                "https://example.com/process_url/token"
-                in form.fields["script"].widget.render("a", "b")
-            )
-            self.assertTrue(
-                "cvv-url=foo_url" in form.fields["script"].widget.render("a", "b")
-            )
+
+            template = Template("{{form.as_p}}")
+            rendered_html = template.render(Context({"form": form}))
+            self.assertIn("payu-widget", rendered_html)
+            self.assertIn("https://example.com/process_url/token", rendered_html)
+            self.assertIn("cvv-url='foo_url'", rendered_html)
+            self.assertIn("shop-name='&lt;script&gt; alert(&#x27;foo&#x27;)&lt;/script&gt;'", rendered_html)
+            self.assertIn("</script>", rendered_html)  # Test, that escaping works correctly
 
     def test_redirect_3ds_form(self):
         """Test redirection to 3DS page if requested by PayU"""

diff --git a/tox.ini b/tox.ini
@@ -1,19 +1,15 @@
 [tox]
 envlist =
-    {py36,py37,py38,py39}-django-32
-    {py36,py37,py38,py39}-django-31
-    {py36,py37,py38,py39}-django-30
-    {py36,py37,py38,py39}-django-22
-    {py36,py37,py38,py39}-django-21
+    py{38,39,310,311,312}-django42
+    py{310,311,312}-django50
+    py{310,311,312}-django51
 
 [testenv]
 setenv =
     PYTHONPATH = {toxinidir}:{toxinidir}/payments_payu
 commands = coverage run --source payments_payu runtests.py
 deps =
-    django-21: Django>=2.1,<2.2
-    django-22: Django>=2.2,<3.0
-    django-30: Django>=3.0,<3.1
-    django-31: Django>=3.1,<3.2
-    django-32: Django>=3.2,<4.0
+    django42: Django<4.3
+    django50: Django<5.1
+    django51: Django>=5.1a1,<5.2
     -r{toxinidir}/requirements_test.txt