From b48214feac03f96798ac229632608fc1f08bf303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Thu, 22 Feb 2024 16:39:35 +0100
Subject: [PATCH] misc: do not decorate uploaded HTML files (#87331)

---
 tests/form_pages/test_file_field.py | 36 +++++++++++++++++++++++++++++
 wcs/admin/data_sources.py           |  2 +-
 wcs/admin/users.py                  |  2 +-
 wcs/admin/wscalls.py                |  2 +-
 wcs/backoffice/management.py        | 12 +++++-----
 wcs/backoffice/submission.py        |  2 +-
 wcs/compat.py                       |  4 ++--
 wcs/forms/common.py                 |  4 ++--
 wcs/qommon/http_response.py         |  1 +
 wcs/qommon/template.py              |  2 +-
 10 files changed, 52 insertions(+), 15 deletions(-)

diff --git a/tests/form_pages/test_file_field.py b/tests/form_pages/test_file_field.py
index 75cd0dd46..81ec055bd 100644
--- a/tests/form_pages/test_file_field.py
+++ b/tests/form_pages/test_file_field.py
@@ -238,6 +238,42 @@ def test_form_file_field_image_submit(pub):
     assert '<img alt="" src="tempfile?' not in resp.text
 
 
+def test_form_file_field_html_submit(pub):
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.fields = [fields.FileField(id='0', label='file')]
+    formdef.store()
+    formdef.data_class().wipe()
+
+    html_content = b'<html><body>hello</body></html>'
+    upload = Upload('test.html', html_content, 'text/html')
+
+    app = get_app(pub)
+    resp = app.get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'Check values then click submit.' in resp.text
+    tempfile_id = resp.pyquery('.fileinfo .filename a').attr.href.split('=')[1]
+
+    resp_tempfile = app.get('/test/tempfile?t=%s' % tempfile_id)
+    assert resp_tempfile.body == html_content
+
+    resp = resp.form.submit('submit').follow()
+    assert resp.click('test.html').follow().content_type == 'text/html'
+    assert resp.click('test.html').follow().body == html_content
+
+    # check it's also served raw from backoffice
+    user = create_user(pub)
+    user.is_admin = True
+    user.store()
+    app = get_app(pub)
+    login(app, username='foo', password='foo')
+    resp = app.get(formdef.data_class().select()[0].get_backoffice_url())
+    assert resp.click('test.html').follow().content_type == 'text/html'
+    assert resp.click('test.html').follow().body == html_content
+
+
 def test_form_file_field_submit_document_type(pub):
     FormDef.wipe()
     formdef = FormDef()
diff --git a/wcs/admin/data_sources.py b/wcs/admin/data_sources.py
index 882c45802..9523f045f 100644
--- a/wcs/admin/data_sources.py
+++ b/wcs/admin/data_sources.py
@@ -388,7 +388,7 @@ class NamedDataSourcePage(Directory):
     def preview_block(self):
         get_request().disable_error_notifications = True
         get_request().ignore_session = True
-        get_response().filter = {'raw': True}
+        get_response().raw = True
         data_source = self.datasource.extended_data_source
         try:
             items = get_structured_items(data_source)
diff --git a/wcs/admin/users.py b/wcs/admin/users.py
index bb332f9e1..780474441 100644
--- a/wcs/admin/users.py
+++ b/wcs/admin/users.py
@@ -401,7 +401,7 @@ class UsersDirectory(Directory):
         r += htmltext('</div>')
 
         if get_request().form.get('ajax') == 'true':
-            get_response().filter = {'raw': True}
+            get_response().raw = True
             return r.getvalue()
 
         ident_methods = get_cfg('identification', {}).get('methods', [])
diff --git a/wcs/admin/wscalls.py b/wcs/admin/wscalls.py
index 7de057c0e..0a606a864 100644
--- a/wcs/admin/wscalls.py
+++ b/wcs/admin/wscalls.py
@@ -161,7 +161,7 @@ class NamedWsCallPage(Directory):
     def usage(self):
         get_request().disable_error_notifications = True
         get_request().ignore_session = True
-        get_response().filter = {'raw': True}
+        get_response().raw = True
 
         usage = {}
 
diff --git a/wcs/backoffice/management.py b/wcs/backoffice/management.py
index ee3d8335c..de27754e2 100644
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -717,7 +717,7 @@ class ManagementDirectory(Directory):
 
         if get_request().form.get('ajax') == 'true':
             get_request().ignore_session = True
-            get_response().filter = {'raw': True}
+            get_response().raw = True
             return r.getvalue()
 
         get_response().filter['sidebar'] = self.get_global_listing_sidebar(
@@ -2442,7 +2442,7 @@ class FormPage(Directory, TempfileDirectoryMixin):
 
         if get_request().form.get('ajax') == 'true':
             get_request().ignore_session = True
-            get_response().filter = {'raw': True}
+            get_response().raw = True
             r = TemplateIO(html=True)
             r += multi_form.render()
             r += get_session().display_message()
@@ -3129,7 +3129,7 @@ class FormPage(Directory, TempfileDirectoryMixin):
 
         if get_request().form.get('ajax') == 'true':
             get_request().ignore_session = True
-            get_response().filter = {'raw': True}
+            get_response().raw = True
             return r.getvalue()
 
         page = TemplateIO(html=True)
@@ -3368,13 +3368,13 @@ class FormBackOfficeStatusPage(FormStatusPage):
 
     def lateral_block(self):
         self.check_receiver()
-        get_response().filter = {'raw': True}
+        get_response().raw = True
         response = self.get_lateral_block()
         return response
 
     def user_pending_forms(self):
         self.check_receiver()
-        get_response().filter = {'raw': True}
+        get_response().raw = True
         response = self.get_user_pending_forms()
 
         # preemptive locking of forms
@@ -4159,7 +4159,7 @@ class FormBackOfficeStatusPage(FormStatusPage):
             or get_publisher().get_backoffice_root().is_accessible('workflows')
         ):
             raise errors.AccessForbiddenError()
-        get_response().filter = {'raw': True}
+        get_response().raw = True
         return self.test_tool_result()
 
 
diff --git a/wcs/backoffice/submission.py b/wcs/backoffice/submission.py
index fe757ddec..a898b3987 100644
--- a/wcs/backoffice/submission.py
+++ b/wcs/backoffice/submission.py
@@ -175,7 +175,7 @@ class FormFillPage(PublicFormFillPage):
         return super()._q_index(*args, **kwargs)
 
     def lateral_block(self):
-        get_response().filter = {'raw': True}
+        get_response().raw = True
         response = self.get_lateral_block()
         return response
 
diff --git a/wcs/compat.py b/wcs/compat.py
index a234208e5..712188a6f 100644
--- a/wcs/compat.py
+++ b/wcs/compat.py
@@ -92,7 +92,7 @@ class TemplateWithFallbackView(TemplateView):
             response.reason_phrase = self.quixote_response.reason_phrase
         elif request.headers.get('X-Popup') == 'true':
             response = HttpResponse('<div><div class="popup-content">%s</div></div>' % context['body'])
-        elif 'raw' in (getattr(self.quixote_response, 'filter') or {}):
+        elif self.quixote_response.raw:
             # used for raw HTML snippets (for example in the test tool
             # results in inspect page).
             response = HttpResponse(context['body'])
@@ -161,7 +161,7 @@ class CompatWcsPublisher(WcsPublisher):
         if response.status_code == 304:
             # clients don't like to receive content with a 304
             return ''
-        if response.content_type != 'text/html':
+        if response.content_type != 'text/html' or response.raw:
             return output
         if not hasattr(response, 'filter') or not response.filter:
             return output
diff --git a/wcs/forms/common.py b/wcs/forms/common.py
index 6713c3f13..7e1c1283d 100644
--- a/wcs/forms/common.py
+++ b/wcs/forms/common.py
@@ -112,7 +112,7 @@ class FileDirectory(Directory):
 
         # force potential HTML upload to be used as-is (not decorated with theme)
         # and with minimal permissions
-        response.filter = {}
+        response.raw = True
         response.set_header(
             'Content-Security-Policy',
             'default-src \'none\'; img-src %s;' % get_request().build_absolute_uri(),
@@ -1074,7 +1074,7 @@ class TempfileDirectoryMixin:
 
         # force potential HTML upload to be used as-is (not decorated with theme)
         # and with minimal permissions
-        response.filter = {}
+        response.raw = True
         response.set_header(
             'Content-Security-Policy',
             'default-src \'none\'; img-src %s;' % get_request().build_absolute_uri(),
diff --git a/wcs/qommon/http_response.py b/wcs/qommon/http_response.py
index e76f65766..3582af7cc 100644
--- a/wcs/qommon/http_response.py
+++ b/wcs/qommon/http_response.py
@@ -28,6 +28,7 @@ class HTTPResponse(quixote.http_response.HTTPResponse):
     javascript_code_parts = None
     css_includes = None
     after_jobs = None
+    raw = False  # in case of html content, send result as is (True) or embedded in page template (False)
 
     def __init__(self, charset=None, **kwargs):
         quixote.http_response.HTTPResponse.__init__(self, charset=charset, **kwargs)
diff --git a/wcs/qommon/template.py b/wcs/qommon/template.py
index 5a0fce34b..0f92621e0 100644
--- a/wcs/qommon/template.py
+++ b/wcs/qommon/template.py
@@ -78,7 +78,7 @@ def error_page(error_message, error_title=None, location_hint=None):
 def get_decorate_vars(body, response, generate_breadcrumb=True, **kwargs):
     from .publisher import get_cfg
 
-    if response.content_type != 'text/html':
+    if response.content_type != 'text/html' or response.raw:
         return {'body': body}
 
     if get_request().get_header('x-popup') == 'true':