0001-wcs-display-richtext-field-as-safe-69271.patch

Lauréline Guérin, 20 septembre 2022 10:32


Subject: [PATCH] wcs: display richtext field as safe (#69271)

 .../templates/combo/wcs/card-field-value.html | 10 ++++--
 combo/apps/wcs/templatetags/wcs.py            |  2 +-
 combo/manager/static/js/combo.manager.js      |  3 ++
 tests/wcs/test_card.py                        | 35 +++++++++++++++++--
 tests/wcs/utils.py                            |  4 ++-
 5 files changed, 47 insertions(+), 7 deletions(-)
combo/apps/wcs/templates/combo/wcs/card-field-value.html
1 1
{% load combo %}{% spaceless %}
2
{% if field.type == "text" and mode != 'inline' and value %}
3
<div class="value">{{ field|format_text:value }}</div>
2
{% if field.type == "text" and field.display_mode == 'rich' and value %}
3
  {% if cell.display_mode == 'table' or cell.display_mode == 'card' and item.display_mode == 'text' %}
4
    <div class="value">{{ value|safe }}</div>
5
  {% else %}
6
    {{ value|striptags }}
7
  {% endif %}
8
{% elif field.type == "text" and mode != 'inline' and value %}
9
  <div class="value">{{ field|format_text:value }}</div>
4 10
{% else %}
5 11
{% if not mode == 'inline' %}<div class="value">{% endif %}
6 12
{% if field.type == "date" %}
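Review bot: `{{ value|safe }}` in the rich branch emits the card field value with autoescaping switched off, and nothing in this template or in the visible part of the patch sanitizes it, so the safety of the rendered page rests entirely on whatever produced the value. If wcs is expected to deliver already-sanitized HTML for `display_mode == 'rich'` fields, say so next to the output, e.g. `{# rich text is sanitized by wcs before it reaches combo; never route unsanitized data through this branch #}`. If that guarantee does not exist, pass the value through an allowlist HTML sanitizer before marking it safe. The `{{ value|striptags }}` fallback is still autoescaped, so that branch is not affected.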
combo/apps/wcs/templatetags/wcs.py
31 31

  
32 32
@register.filter
33 33
def format_text(field, value):
34
    if field.get('pre'):
34
    if field.get('display_mode') == 'pre':
35 35
        return mark_safe('<pre>%s</pre>' % escape(value))
36 36
    return mark_safe('<p>' + '\n'.join([(escape(x) or '</p><p>') for x in value.splitlines()]) + '</p>')
37 37

  
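Review bot: The condition now keys only on `field.get('display_mode') == 'pre'`, so a field schema that still carries the earlier `'pre': True` flag (the form the test fixture used before this patch) would fall through to the paragraph branch. If combo can run against a wcs that has not been upgraded, keeping both is one line: `if field.get('display_mode') == 'pre' or field.get('pre'):`. The filter also has no docstring; a sentence stating that `value` is escaped before being wrapped, which is why `mark_safe` is acceptable on both return paths, would help the next reader.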
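--- a/combo/manager/static/js/combo.manager.js
+++ b/combo/manager/static/js/combo.manager.js
@@ -876,6 +876,9 @@
         schema_cell.varname = form_datas.field_varname;
         schema_cell.field_content = form_datas.field_content;
         schema_cell.display_mode = form_datas.field_display_mode;
+        if (form_datas.field_content == 'label-and-value') {
+          schema_cell.display_mode = 'text';
+        }
         if (form_datas.field_empty_display_mode == '@custom@') {
           schema_cell.empty_value = form_datas.field_empty_text;
         } else {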
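Review bot: The override `schema_cell.display_mode = 'text'` for `label-and-value` cells has no comment, yet the template change in this patch tests `item.display_mode == 'text'` before emitting a rich value unescaped in card mode. A short comment such as `// label-and-value cells are always rendered as text; the template's rich-text branch depends on this` would keep that coupling visible. Because the normalisation happens only in the manager UI, schemas saved before this change or written through another path presumably keep their old `display_mode` and would get the `striptags` output instead; confirm that is acceptable. The enclosing function begins and ends outside the hunk.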
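--- a/tests/wcs/test_card.py
+++ b/tests/wcs/test_card.py
@@ -855,6 +855,7 @@
         {'varname': 'fieldf'},
         {'varname': 'fieldg'},
         {'varname': 'fieldh'},
+        {'varname': 'fieldi'},
         {'varname': 'unknown'},
         {'varname': 'user:name'},
         {'varname': 'user:email'},
@@ -867,7 +868,7 @@
 
     result = cell.render(context)
     assert PyQuery(result).find('ul li') == []
-    assert len(PyQuery(result).find('table tr td')) == 13 * 3
+    assert len(PyQuery(result).find('table tr td')) == 14 * 3
     assert [PyQuery(td).text() for td in PyQuery(result).find('table tr:first-child td')] == [
         '<i>a</i>',
         'yes',
@@ -878,6 +879,7 @@
         "lorem<strong>ipsum hello world",
         'test@localhost',
         'https://www.example.net/',
+        "loremipsum\nhello'world",
         'User Foo Bar',
         'foo@bar.com',
         'User',
@@ -895,9 +897,14 @@
         PyQuery(result).find('table tr:first-child td:nth-child(9) a').attr['href']
         == 'https://www.example.net/'
     )
-    assert PyQuery(result).find('table tr:first-child td:nth-child(11) a').text().strip() == 'foo@bar.com'
+    assert PyQuery(result).find('table tr:first-child td:nth-child(10) p:first-child').text() == 'loremipsum'
     assert (
-        PyQuery(result).find('table tr:first-child td:nth-child(11) a').attr['href'] == 'mailto:foo@bar.com'
+        PyQuery(result).find('table tr:first-child td:nth-child(10) p:first-child strong').text() == 'ipsum'
+    )
+    assert PyQuery(result).find('table tr:first-child td:nth-child(10) p:last-child').text() == "hello'world"
+    assert PyQuery(result).find('table tr:first-child td:nth-child(12) a').text().strip() == 'foo@bar.com'
+    assert (
+        PyQuery(result).find('table tr:first-child td:nth-child(12) a').attr['href'] == 'mailto:foo@bar.com'
     )
 
 
@@ -1737,6 +1744,28 @@
     assert PyQuery(result).find('.label').text() == 'Field F'
     assert PyQuery(result).find('.value pre').text() == 'lorem<strong>ipsum hello world'
 
+    cell.custom_schema['cells'][0] = {
+        'varname': 'fieldi',
+        'field_content': 'label-and-value',
+        'display_mode': 'text',
+    }
+    cell.save()
+    result = cell.render(context)
+    assert PyQuery(result).find('.label').text() == 'Field I'
+    assert PyQuery(result).find('.value p:first-child').text() == 'loremipsum'
+    assert PyQuery(result).find('.value p:first-child strong').text() == 'ipsum'
+    assert PyQuery(result).find('.value p:last-child').text() == "hello'world"
+
+    cell.custom_schema['cells'][0] = {
+        'varname': 'fieldi',
+        'field_content': 'value',
+        'display_mode': 'title',
+    }
+    cell.save()
+    result = cell.render(context)
+    assert PyQuery(result).find('h3').text() == "loremipsumhello'world"
+    assert PyQuery(result).find('h3 p') == []  # content was stripped
+
     cell.custom_schema['cells'][0] = {
         'varname': 'fieldg',
         'field_content': 'label-and-value',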
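Review bot: The new assertions for `fieldi` only exercise benign markup (`<p>`, `<strong>`), so nothing pins what the unescaped rendering path does with active content. A fixture value containing a `<script>` element or an `on*` attribute, asserted in both the `'text'` and `'title'` display modes, would record whether combo relies on wcs for sanitization or is expected to neutralise such content itself. The `'title'` assertion `"loremipsumhello'world"` also shows that `striptags` joins adjacent paragraphs with no separator, which may not be the intended display. The test functions these hunks belong to start and end outside the visible lines.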
tests/wcs/utils.py
106 106
                'fieldf': 'lorem<strong>ipsum\n\nhello world',
107 107
                'fieldg': 'test@localhost',
108 108
                'fieldh': 'https://www.example.net/',
109
                'fieldi': "<p>lorem<strong>ipsum</p><p>hello'world</p>",
109 110
                'related': 'Foo Bar',
110 111
                'related_raw': 42,
111 112
                'related_structured': {'id': 42, 'text': 'blah'},
......
227 228
            {'label': 'Field C', 'varname': 'fieldc', 'type': 'date'},
228 229
            {'label': 'Field D', 'varname': 'fieldd', 'type': 'file'},
229 230
            {'label': 'Field E', 'varname': 'fielde', 'type': 'text'},
230
            {'label': 'Field F', 'varname': 'fieldf', 'type': 'text', 'pre': True},
231
            {'label': 'Field F', 'varname': 'fieldf', 'type': 'text', 'display_mode': 'pre'},
231 232
            {'label': 'Field G', 'varname': 'fieldg', 'type': 'email'},
232 233
            {'label': 'Field H', 'varname': 'fieldh', 'type': 'string'},
234
            {'label': 'Field I', 'varname': 'fieldi', 'type': 'text', 'display_mode': 'rich'},
233 235
            {'label': 'Empty', 'varname': 'empty', 'type': 'string'},
234 236
            {'label': 'Related', 'varname': 'related', 'type': 'item'},
235 237
            {'label': 'Page', 'type': 'page'},
236
-