0001-misc-don-t-escape-html-if-_sanitizeHTML-is-absent-10.patch

Frédéric Péters, 04 March 2016 11:35

View differences:

Subject: [PATCH] misc: don't escape html if _sanitizeHTML is absent (#10194)

 tests/test_widgets.py | 4 ++--
 wcs/qommon/form.py    | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)
tests/test_widgets.py
332 332
        assert not widget.has_error()
333 333
        assert widget.parse() == '<a href="">a</a>' # javascript: got filtered
334 334

  
335
    # check we get escaped HTML if feedparser _sanitizeHTML is missing
335
    # check we don't escape HTML if feedparser _sanitizeHTML is missing
336 336
    wcs.qommon.form._sanitizeHTML = None
337 337
    widget = WysiwygTextWidget('test')
338 338
    mock_form_submission(req, widget, {'test': '<p>bla bla bla</p>'})
339 339
    assert not widget.has_error()
340
    assert widget.parse() == '&lt;p&gt;bla bla bla&lt;/p&gt;'
340
    assert widget.parse() == '<p>bla bla bla</p>'
341 341
    wcs.qommon.form._sanitizeHTML = sanitize_html
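Review bot: the updated fallback case at lines 335-340 only pins benign markup (`<p>bla bla bla</p>`), so the test does not show what the widget returns for active content when `_sanitizeHTML` is None. The case just above asserts that `javascript:` gets filtered when the sanitizer is present; running the same kind of input through the fallback case would record in the test suite that it comes back unfiltered there, which is the part of this behaviour change a reader most needs to see. Separately, the `wcs.qommon.form._sanitizeHTML = None` override is only restored on line 341 if the asserts pass; a try/finally or a monkeypatch fixture would keep a failure here from leaking the disabled sanitizer into later tests.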
wcs/qommon/form.py
1286 1286
        if self.value:
1287 1287
            if _sanitizeHTML:
1288 1288
                self.value = _sanitizeHTML(self.value, get_request().charset, 'text/html')
1289
            else:
1290
                self.value = str(htmlescape(self.value))
1291 1289
            if self.value.startswith('<br />'):
1292 1290
                self.value = self.value[6:]
1293 1291
            if self.value.endswith('<br />'):
1294
-
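Review bot: with the `else` branch at old lines 1289-1290 removed, `self.value` is kept exactly as submitted whenever `_sanitizeHTML` is falsy, so the widget fails open: neither filtering nor escaping is applied to the HTML a user enters. If raw passthrough is really wanted for installs without the feedparser sanitizer, say so in a comment at the `if _sanitizeHTML:` check and log a warning when the sanitizer is missing; otherwise keeping `self.value = str(htmlescape(self.value))` as the fallback, or treating a missing sanitizer as a configuration error, is the safer default. It is also worth checking whether `htmlescape` is still used elsewhere in form.py, since this removes the use visible here.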