wcs: escape custom title (#59598)

Lauréline Guérin 2021-12-17 18:56:57 +01:00 committed by Frédéric Péters
parent 541ac61eba
commit 4db81d3fce
2 changed files with 3 additions and 3 deletions


@ -4,7 +4,7 @@
{% if not card_not_found %}
{% block cell-header %}
{% if title %}<h2>{{ title }}</h2>{% endif %}
{% if title %}<h2>{{ title|force_escape }}</h2>{% endif %}
{% include "combo/asset_picture_fragment.html" %}
{% endblock %}
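Review bot: The new `{{ title|force_escape }}` in the `cell-header` block may double-escape the parts of a custom title that come from card data. The test in this commit shows `custom_title` is itself a template (`{{ card.fields.fielda }}`) rendered before it reaches this `<h2>`. If that earlier render runs with autoescaping on, a field value such as `A & B` (constructed example) would arrive as `A &amp; B` and be output as `A &amp;amp; B`; the rendering code is not visible on this page, so this needs confirming. The test only uses the field value `a`, so it would help to add an assertion with a field value containing `&` or `<`. If double-escaping shows up, render the custom title with autoescaping off so this filter is the single escaping point. A short template comment such as `{# title can come from an editor-supplied custom_title template; escaped here #}` would also record why `force_escape` is used instead of relying on autoescape.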


@ -1868,10 +1868,10 @@ def test_card_cell_render(mock_send, context):
context.pop('title')
cell.title_type = 'manual'
cell.custom_title = 'Foo bar {{ card.fields.fielda }}'
cell.custom_title = '<b>Foo bar {{ card.fields.fielda }}</b>'
cell.save()
result = cell.render(context)
assert '<h2>Foo bar a</h2>' in result
assert '<h2>&lt;b&gt;Foo bar a&lt;/b&gt;</h2>' in result
context.pop('title')
cell.custom_title = '{{ foobar }}'