From 1ce59cb82f49e729d6cad5c57eff726482deea48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Mon, 23 Jul 2018 15:21:40 +0200
Subject: [PATCH] misc: mark form digest as safe as it's considered as text (#25428)
---
 tests/test_backoffice_pages.py | 4 ++--
 wcs/formdata.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/test_backoffice_pages.py b/tests/test_backoffice_pages.py
index 0116c6cc..80cd129d 100644
--- a/tests/test_backoffice_pages.py
+++ b/tests/test_backoffice_pages.py
@@ -2564,12 +2564,12 @@ def test_global_listing(pub):
 # check digest is included
 formdata = formdef.data_class().select(lambda x: not x.is_draft())[0]
- formdata.formdef.digest_template = 'digest of number {{form_number}}'
+ formdata.formdef.digest_template = 'digest of number <{{form_number}}>'
 formdata.store()
 assert formdata.get(formdata.id).digest
 resp = app.get('/backoffice/management/listing')
 assert formdata.get_url(backoffice=True) in resp.body
- assert formdata.digest in resp.body
+ assert 'digest of number <%s>' % formdata.id_display in resp.body
 # check a Channel column is added when welco is available
 assert not 'Channel' in resp.body
diff --git a/wcs/formdata.py b/wcs/formdata.py
index 8da7d310..3f031484 100644
--- a/wcs/formdata.py
+++ b/wcs/formdata.py
@@ -394,7 +394,7 @@ class FormData(StorableObject):
 if template is None:
 new_value = None
 else:
- new_value = Template(template).render(context)
+ new_value = Template(template, autoescape=False).render(context)
 if new_value != getattr(self, attribute, None):
 setattr(self, attribute, new_value)
 changed = True
--
2.18.0
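Review bot: The updated assertion in test_global_listing (tests/test_backoffice_pages.py) only puts angle brackets in the literal part of `digest_template`, so it never covers the case that matters once escaping is turned off in wcs/formdata.py: a value interpolated through `{{...}}` that itself contains markup. As shown, the test expects a literal `<` and `>` in `resp.body`; if `/backoffice/management/listing` is served as HTML, that pins unescaped digest text in the page instead of checking that the listing escapes it on output. I would add a second case where an interpolated value carries a constructed marker such as `<b>x</b>`, and check `assert '<b>x</b>' not in resp.body` alongside an assertion on the escaped form. The test function starts and continues outside the hunk.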
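Review bot: With `autoescape=False` on the `Template(...)` call in wcs/formdata.py, the value stored by `setattr(self, attribute, new_value)` is plain text with nothing escaped, so every consumer that writes it into HTML must escape it at output, and nothing in the hunk records that contract. A comment on the changed line would do, for example `# stored as plain text, not markup: escape when emitting into HTML`. The assignment is generic over `attribute`, so the change appears to apply to every templated attribute handled by this code, not only the digest named in the subject. It is worth confirming that none of them has a consumer which treated the old value as already escaped. The enclosing method starts and ends outside the hunk.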