From adf0cda7932b07b931e26fe78808a4918f345aea Mon Sep 17 00:00:00 2001
From: Valentin Deniaud <vdeniaud@entrouvert.com>
Date: Thu, 28 Nov 2019 10:24:09 +0100
Subject: [PATCH] api: avoid ending up with unescaped & in html (#38033)

---
 passerelle/utils/api.py        |  2 +-
 tests/test_generic_endpoint.py | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/passerelle/utils/api.py b/passerelle/utils/api.py
index a6061e52..5658ef6f 100644
--- a/passerelle/utils/api.py
+++ b/passerelle/utils/api.py
@@ -110,7 +110,7 @@ class endpoint(object):
         query_string = ''
         query_parameters = self.get_query_parameters()
         if query_parameters:
-            query_string = '?' + '&'.join(['%s=<i class="varname">%s</i>' % (x[0], x[0]) for x in query_parameters])
+            query_string = '?' + '&amp;'.join(['%s=<i class="varname">%s</i>' % (x[0], x[0]) for x in query_parameters])
 
         return mark_safe(url + query_string)
 
diff --git a/tests/test_generic_endpoint.py b/tests/test_generic_endpoint.py
index c841b3a1..7436359f 100644
--- a/tests/test_generic_endpoint.py
+++ b/tests/test_generic_endpoint.py
@@ -184,6 +184,14 @@ class FakeConnectorBase(object):
     def foo7(self, request, param1='a', param2='b', param3='c'):
         pass
 
+    @endpoint(parameters={
+        'test': {'description': 'test', 'example_value': 'test'},
+        'reg': {'description': 'test', 'example_value': 'test'},
+    })
+    def foo8(self, request, test, reg):
+        pass
+
+
     @endpoint(cache_duration=10)
     def cached_endpoint(self, request):
         pass
@@ -191,7 +199,7 @@ class FakeConnectorBase(object):
 
 def test_endpoint_decorator():
     connector = FakeConnectorBase()
-    for i in range(6):
+    for i in range(8):
         getattr(connector, 'foo%d' % (i + 1)).endpoint_info.object = connector
 
     assert connector.foo1.endpoint_info.name == 'foo1'
@@ -221,6 +229,7 @@ def test_endpoint_decorator():
     assert connector.foo5.endpoint_info.example_url_as_html() == '/fake/connector/foo5/test/'
     assert connector.foo6.endpoint_info.example_url() == '/fake/connector/foo6/bar/'
     assert connector.foo6.endpoint_info.example_url_as_html() == '/fake/connector/foo6/<i class="varname">param1</i>/'
+    assert not '&reg' in connector.foo8.endpoint_info.example_url_as_html()
 
     connector.foo6.endpoint_info.pattern = None
     connector.foo6.endpoint_info.example_pattern = None
-- 
2.20.1