misc: unquote HTML entities inside Django variables (#30004)

tests/test_widgets.py

@@ -386,11 +386,17 @@ def test_wysiwygwidget():
         assert not widget.has_error()
         assert widget.parse() == '<a href="">a</a>' # javascript: got filtered
 
-    # check django templatetags are kept intact
+    # check django syntax is kept intact
     widget = WysiwygTextWidget('test')
-    mock_form_submission(req, widget, {'test': '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}plop{% endif %}</a>'})
+    mock_form_submission(req, widget, {'test': '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}{{plop|date:"Y"}}{% endif %}</a>'})
     assert not widget.has_error()
-    assert widget.parse() == '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}plop{% endif %}</a>'
+    assert widget.parse() == '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}{{plop|date:"Y"}}{% endif %}</a>'
+
+    # make sure it is kept intact even after ckeditor escaped characters
+    widget = WysiwygTextWidget('test')
+    mock_form_submission(req, widget, {'test': '<a href="{% if 1 &gt; 2 %}héllo{% endif %}">{% if 2 &gt; 1 %}{{plop|date:&quot;Y&quot;}}{% endif %}</a>'})
+    assert not widget.has_error()
+    assert widget.parse() == '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}{{plop|date:"Y"}}{% endif %}</a>'
 
     # check we don't escape HTML if feedparser _sanitizeHTML is missing
     wcs.qommon.form._sanitizeHTML = None

wcs/qommon/form.py

@@ -1373,7 +1373,7 @@ class WysiwygTextWidget(TextWidget):
             charset = get_publisher().site_charset
             def unquote_django(matchobj):
                 return parser.unescape(unicode(matchobj.group(0), charset)).encode(charset)
-            self.value = re.sub('{%(.*?)%}', unquote_django, self.value)
+            self.value = re.sub('{[{%](.*?)[%}]}', unquote_django, self.value)
 
     def add_media(self):
         get_response().add_javascript(['qommon.wysiwyg.js'])