Merge pull request #718 from maykinmedia/fix/1624-html-escape
[#1624] Escape html of product content field
alextreme authored Sep 7, 2023
2 parents c00056f + 81939e9 commit b6482c9
Showing 3 changed files with 24 additions and 1 deletion.
2 changes: 2 additions & 0 deletions src/open_inwoner/pdc/models/product.py
@@ -1,10 +1,12 @@
import html
import json
from typing import Union
from uuid import uuid4

from django.contrib.postgres.fields import ArrayField
from django.db import models
from django.urls import reverse
from django.utils.html import strip_tags
from django.utils.translation import ugettext_lazy as _

from filer.fields.file import FilerFileField
17 changes: 17 additions & 0 deletions src/open_inwoner/pdc/tests/test_product.py
@@ -1,3 +1,5 @@
from html import escape

from django.test import override_settings
from django.urls import reverse

@@ -277,6 +279,21 @@ def test_sidemenu_button_is_rendered_when_no_cta_inside_product_content(self):
self.assertTrue(sidemenu_cta_button)
self.assertIn(product.link, sidemenu_cta_button[0].values())

def test_content_html_escape(self):
product = ProductFactory()

product.content = "hello \\<b>world\\</b> **test**"
product.save()

response = self.app.get(
reverse("products:product_detail", kwargs={"slug": product.slug})
)

self.assertNotContains(response, "hello world")
self.assertNotContains(response, escape("<b>world"))
self.assertContains(response, "hello <b>world</b>")
self.assertContains(response, "<strong>test</strong>")


@override_settings(ROOT_URLCONF="open_inwoner.cms.tests.urls")
class TestProductDetailView(WebTest):
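Review bot: The test name `test_content_html_escape` states the opposite of what the assertions check: `self.assertContains(response, "hello <b>world</b>")` together with `self.assertNotContains(response, escape("<b>world"))` pins that inline HTML written as `\<b>` in product content reaches the page as live markup, not as escaped text. A docstring should say so, e.g. `"""CKEditor's "\\<" prefix is stripped before Markdown rendering, so inline HTML in product content is emitted as markup."""`, or the test should be renamed to something like `test_content_inline_html_is_rendered`. Because this test fixes the behaviour that product content is emitted unescaped, it would help to record here which roles can author `product.content`; the page does not show whether the rendered HTML is sanitized afterwards, so that is left as an open question. The enclosing test class starts outside the hunk.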
6 changes: 5 additions & 1 deletion src/open_inwoner/utils/ckeditor.py
@@ -26,6 +26,8 @@ def get_rendered_content(content):
Takes object's content as an input and returns the rendered one.
"""
md = markdown.Markdown(extensions=["tables"])
# remove weird undocumented \\< escape/prefix generated by CKeditor
content = content.replace("\\<", "<")
html = md.convert(content)
soup = BeautifulSoup(html, "html.parser")

@@ -43,7 +45,9 @@ def get_product_rendered_content(product):
Takes product's content as an input and returns the rendered one.
"""
md = markdown.Markdown(extensions=["tables"])
html = md.convert(product.content)
# remove weird undocumented \\< escape/prefix generated by CKeditor
content = product.content.replace("\\<", "<")
html = md.convert(content)
soup = BeautifulSoup(html, "html.parser")

for tag, class_name in CLASS_ADDERS:
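Review bot: The `content.replace("\\<", "<")` added in both hunks (`get_rendered_content` and `get_product_rendered_content`) removes a sequence that Markdown itself defines: `\<` is the standard backslash escape for a literal less-than sign, so the comment calling it a "weird undocumented" prefix is misleading, and a deliberate literal `<` in content now becomes raw markup instead. The comment should state that trade-off, e.g. `# CKEditor emits "\<" before inline HTML; undo it so the tag renders. Note "\<" is also Markdown's escape for a literal "<", so authors can no longer write a literal "<" this way.` Both functions carry the same two lines; a single `_strip_ckeditor_escape(content)` helper would keep them in step if the rule is refined later. Whether the HTML produced here is sanitized before it reaches a template is not visible on this page, since both function bodies continue past the hunk.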

0 comments on commit b6482c9

Please sign in to comment.