[FIX] test_mail: Rewrite the XSS test

bzr revid: stw@openerp.com-20131107141019-jjhvism55j8x207g

openerp/tests/test_mail.py

@@ -22,11 +22,11 @@
 #
 ##############################################################################
 
+from lxml import etree
 import unittest2
 from . import test_mail_examples
 from openerp.tools import html_sanitize, html_email_clean, append_content_to_html, plaintext2html
 
-
 class TestSanitizer(unittest2.TestCase):
     """ Test the html sanitizer that filters html to remove unwanted attributes """
 
@@ -76,15 +76,19 @@ class TestSanitizer(unittest2.TestCase):
             ("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"),  # remote style sheet 3
             ("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"),  # remote style sheet 4
             ("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"),  # style attribute using a comment to break up expression
-            ("""<!--[if gte IE 4]>
-                <SCRIPT>alert('XSS');</SCRIPT>
-                <![endif]-->"""),  # down-level hidden block
         ]
         for content in cases:
             html = html_sanitize(content)
             self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript')
             self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html))
 
+        # Raise an exception if the node is an empty string without any root tag
+        with self.assertRaises(etree.ParserError):
+            content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->"  # down-level hidden block
+            html = html_sanitize(content, silent=False)
+
+
+
     def test_html(self):
         sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
         for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']: