

Escape data in datatables view
amercader committed Aug 19, 2024
1 parent f6b032c commit d7dfe8c
Showing 2 changed files with 55 additions and 2 deletions.
5 changes: 3 additions & 2 deletions ckanext/datatablesview/blueprint.py
Expand Up @@ -3,6 +3,7 @@

from typing import Any
from urllib.parse import urlencode
from html import escape

from flask import Blueprint

Expand Down Expand Up @@ -124,8 +125,8 @@ def ajax(resource_view_id: str):
data = []
null_label = h.datatablesview_null_label()
for row in response[u'records']:
record = {colname: str(null_label if row.get(colname, u'')
is None else row.get(colname, u''))
record = {colname: escape(str(null_label if row.get(colname, u'')
is None else row.get(colname, u'')))
for colname in cols}
# the DT_RowId is used in DT to set an element id for each record
record['DT_RowId'] = 'row' + str(row.get(u'_id', u''))
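Review bot: The new `escape()` call covers the cell values only; `record['DT_RowId'] = 'row' + str(row.get(u'_id', u''))` on the line after it is built from the same row dict and is emitted unescaped, and DataTables uses it as an element id. If `_id` is always the datastore's integer row id this is harmless, but the asymmetry should be stated, e.g. `# _id is the datastore's integer row id, so it needs no escaping`, or the value escaped the same way for consistency. Note also that `html.escape` defaults to `quote=True`, so `"` and `'` become `&quot;` and `&#x27;`; if the client-side DataTables renderer also escapes cell text this will double-escape, which is worth confirming against the template. `ajax()` starts before and ends after this hunk.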
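--- /dev/null
+++ b/ckanext/datatablesview/tests/test_ajax.py
@@ -0,0 +1,52 @@
+# encoding: utf-8
+
+import json
+import pytest
+
+from ckan.tests import factories, helpers
+from ckan.lib.helpers import url_for
+
+
+@pytest.mark.ckan_config("ckan.plugins", "datastore datatables_view")
+@pytest.mark.usefixtures("with_plugins")
+def test_ajax_data(app, user):
+dataset = factories.Dataset()
+ds = helpers.call_action(
+'datastore_create',
+resource={'package_id': dataset['id']},
+fields=[{'id': 'a', 'type': 'text'}, {'id': 'b', 'type': 'int'}],
+records=[
+{'a': 'one', 'b': 1},
+{'a': 'two', 'b': 2},
+{'a': 'a < b && a > 0', 'b': None}
+],
+)
+view = factories.ResourceView(
+view_type='datatables_view',
+resource_id=ds['resource_id']
+)
+resp = app.post(
+url=url_for('datatablesview.ajax', resource_view_id=view["id"]),
+data={
+'draw': 1,
+'search[value]': '',
+'start': 0,
+'length': 50,
+},
+)
+ajax = json.loads(b''.join(resp.response).decode('utf-8'))
+assert ajax == {
+'draw': 1,
+'recordsFiltered': 3,
+'recordsTotal': 3,
+'data': [
+{'_id': '1', 'a': 'one', 'b': '1', 'DT_RowId': 'row1'},
+{'_id': '2', 'a': 'two', 'b': '2', 'DT_RowId': 'row2'},
+{
+'_id': '3',
+'a': 'a &lt; b &amp;&amp; a &gt; 0',
+'b': '',
+'DT_RowId': 'row3',
+},
+]
+}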
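Review bot: The expected output pins escaping of `<`, `>` and `&` but not of quotes, which `html.escape` also converts by default; adding a `"` or `'` to the third record's `a` value and `&quot;`/`&#x27;` to the expected string would lock down that behaviour too. The `user` fixture parameter on `def test_ajax_data(app, user):` is not used in the body and can be dropped unless it is needed for its side effect. A one-line docstring would make the intent explicit, e.g. `"""Cell values returned by the ajax endpoint are HTML-escaped."""`.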
