# HG changeset patch # User Aurelien Campeas # Date 1389622631 -3600 # Node ID 030745ac9873ae1571d60df4105c566679919476 # Parent 2b183c110631ea5077e73f2d84f744709184e2d8 [entities] unconditionnally sanitize the html output of printable_value Closes jpl##49466 diff -r 2b183c110631 -r 030745ac9873 entities/test/data/schema.py --- a/entities/test/data/schema.py Sat Dec 14 14:29:37 2013 +0100 +++ b/entities/test/data/schema.py Mon Jan 13 15:17:11 2014 +0100 @@ -24,6 +24,7 @@ class Company(EntityType): name = String() + description = RichString() class Division(Company): __specializes_schema__ = True diff -r 2b183c110631 -r 030745ac9873 entities/test/unittest_base.py --- a/entities/test/unittest_base.py Sat Dec 14 14:29:37 2013 +0100 +++ b/entities/test/unittest_base.py Mon Jan 13 15:17:11 2014 +0100 @@ -134,6 +134,27 @@ self.request().create_entity('CWGroup', name=u'logilab', reverse_in_group=e) +class HTMLtransformTC(BaseEntityTC): + + def test_sanitized_html(self): + r = self.request() + c = r.create_entity('Company', name=u'Babar', + description=u""" +Title +===== + +Elephant management best practices. + +.. raw:: html + + +""", description_format=u'text/rest') + self.commit() + c.cw_clear_all_caches() + self.assertIn('alert', c.printable_value('description', format='text/plain')) + self.assertNotIn('alert', c.printable_value('description', format='text/html')) + + class InterfaceTC(CubicWebTC): def test_nonregr_subclasses_and_mixins_interfaces(self): diff -r 2b183c110631 -r 030745ac9873 entity.py --- a/entity.py Sat Dec 14 14:29:37 2013 +0100 +++ b/entity.py Mon Jan 13 15:17:11 2014 +0100 @@ -775,7 +775,7 @@ _engine=ENGINE): trdata = TransformData(data, format, encoding, appobject=self) data = _engine.convert(trdata, target_format).decode() - if format == 'text/html': + if target_format == 'text/html': data = soup2xhtml(data, self._cw.encoding) return data diff -r 2b183c110631 -r 030745ac9873 test/unittest_entity.py 
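Review bot: The new test_sanitized_html in unittest_base.py keys both assertions on the bare substring 'alert', and the body of the `.. raw:: html` directive that is supposed to supply it is not visible in this rendering of the hunk, so as shown the html-side check is only as strong as whatever that block contains. Assuming the directive body is a `<script>` element calling alert(), a sanitizer that drops the element text but leaves a tag (or the reverse) would still pass or fail this test for the wrong reason; I would add a second check on the tag itself, `self.assertNotIn('<script', c.printable_value('description', format='text/html'))`, next to the existing assertNotIn. A one-line docstring would also make the intent explicit: `"""raw html embedded in ReST must be stripped when rendered as text/html but survive in text/plain"""`.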
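Review bot: In the entity.py hunk the decision to run soup2xhtml now rests on an exact string compare with target_format and nothing says why the source format is deliberately ignored, which invites a later "optimization" back to checking the source format; I would put the reason above the condition, `# the transform output is untrusted whatever the source markup was (e.g. ReST's raw:: html directive), so always sanitize when producing html`. The equality test also means a target such as 'application/xhtml+xml', or 'text/html' carrying parameters, would skip sanitization entirely; I cannot see the callers from this hunk, so this is only worth a look if printable_value can be asked for anything other than the bare 'text/html' literal. The enclosing function starts before this hunk (only the `_engine=ENGINE):` tail of its signature is visible), so I have not reviewed how format and target_format are derived.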
--- a/test/unittest_entity.py Sat Dec 14 14:29:37 2013 +0100 +++ b/test/unittest_entity.py Mon Jan 13 15:17:11 2014 +0100 @@ -533,7 +533,7 @@ e = self.request().create_entity('Card', title=u'rest test', content=u'du :eid:`1:*ReST*`', content_format=u'text/rest') self.assertEqual(e.printable_value('content'), - '

du *ReST*

\n') + '

du *ReST*

') e.cw_attr_cache['content'] = 'du html users' e.cw_attr_cache['content_format'] = 'text/html' self.assertEqual(e.printable_value('content'), @@ -541,7 +541,7 @@ e.cw_attr_cache['content'] = 'du *texte*' e.cw_attr_cache['content_format'] = 'text/plain' self.assertEqual(e.printable_value('content'), - '

\ndu *texte*
\n

') + '

\ndu *texte*

') e.cw_attr_cache['title'] = 'zou' e.cw_attr_cache['content'] = '''\ a title @@ -572,24 +572,21 @@ if tuple(int(i) for i in pygments.__version__.split('.')[:2]) >= (1, 3): self.assertEqual(e.printable_value('data'), '''
lambda x: 1
-
-''') +''') else: self.assertEqual(e.printable_value('data'), '''
lambda x: 1
-
-''') +''') else: self.assertEqual(e.printable_value('data'), '''
 lambda x: 1
-
-''') +''') e = req.create_entity('File', data=Binary('*héhéhé*'), data_format=u'text/rest', data_encoding=u'utf-8', data_name=u'toto.txt') self.assertEqual(e.printable_value('data'), - u'

héhéhé

\n') + u'

héhéhé

') def test_printable_value_bad_html(self): """make sure we don't crash if we try to render invalid XHTML strings"""