From 4f2f51cd7f8cc5242add67ced58ae41506dc8047 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Wed, 14 Nov 2018 16:33:54 +0100
Subject: [PATCH] misc: unquote HTML entities inside Django template tags (#27995)

---
 tests/test_widgets.py | 8 ++++++++
 wcs/qommon/form.py | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/tests/test_widgets.py b/tests/test_widgets.py
index 1a29a5c6f..eb39459d0 100644
--- a/tests/test_widgets.py
+++ b/tests/test_widgets.py
@@ -1,3 +1,5 @@
+# -*- coding: utf-8 -*-
+
 import datetime
 import sys
 import shutil
@@ -384,6 +386,12 @@ def test_wysiwygwidget():
 assert not widget.has_error()
 assert widget.parse() == 'a' # javascript: got filtered
 
+ # check django templatetags are kept intact
+ widget = WysiwygTextWidget('test')
+ mock_form_submission(req, widget, {'test': '{% if 2 > 1 %}plop{% endif %}'})
+ assert not widget.has_error()
+ assert widget.parse() == '{% if 2 > 1 %}plop{% endif %}'
+
 # check we don't escape HTML if feedparser _sanitizeHTML is missing
 wcs.qommon.form._sanitizeHTML = None
 widget = WysiwygTextWidget('test')
diff --git a/wcs/qommon/form.py b/wcs/qommon/form.py
index 81527515a..b67bd7c53 100644
--- a/wcs/qommon/form.py
+++ b/wcs/qommon/form.py
@@ -19,6 +19,7 @@ import collections
 import copy
 import cStringIO
 import fnmatch
+from HTMLParser import HTMLParser
 import mimetypes
 import os
 import re
@@ -1385,6 +1386,12 @@ class WysiwygTextWidget(TextWidget):
 self.value = self.value[6:]
 if self.value.endswith('
'):
 self.value = self.value[:-6]
+ # unescape Django template tags
+ parser = HTMLParser()
+ charset = get_publisher().site_charset
+ def unquote_django(matchobj):
+ return parser.unescape(unicode(matchobj.group(0), charset)).encode(charset)
+ self.value = re.sub('{%(.*?)%}', unquote_django, self.value)
 
 def add_media(self):
 get_response().add_javascript(['qommon.wysiwyg.js'])
-- 
2.19.1
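Review bot: The new `re.sub('{%(.*?)%}', unquote_django, self.value)` line undoes, for everything between `{%` and `%}`, whatever escaping the sanitising step before it applied (the `_sanitizeHTML` handling in the test suggests that step runs just ahead of this), so `{% &lt;script&gt; %}` comes back as `{% <script> %}`; that is only safe while the stored value is always rendered through the Django template engine, which rejects an unknown block tag, and is never emitted raw. A comment should record that contract: `# NOTE: restores raw <, >, &, quotes inside {% %} after sanitising; the value must only ever be rendered via the template engine`. Two smaller points: the pattern is compiled without re.DOTALL, so a tag split across lines stays escaped, and `parser`/`charset` are set up even when there is no tag — wrapping the block in `if '{%' in self.value:` avoids that. The enclosing method starts before this hunk.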