misc: unquote HTML entities inside Django template tags (#27995)

2018-11-14 16:33:54 +01:00 · 2018-11-14 16:33:54 +01:00 · b928eb3a89
parent f672752020
commit b928eb3a89
2 changed files with 15 additions and 0 deletions
--- a/tests/test_widgets.py
+++ b/tests/test_widgets.py
@ -1,3 +1,5 @@
+# -*- coding: utf-8 -*-
+
 import datetime
 import sys
 import shutil
@ -384,6 +386,12 @@ def test_wysiwygwidget():
        assert not widget.has_error()
        assert widget.parse() == '<a href="">a</a>' # javascript: got filtered

+    # check django templatetags are kept intact
+    widget = WysiwygTextWidget('test')
+    mock_form_submission(req, widget, {'test': '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}plop{% endif %}</a>'})
+    assert not widget.has_error()
+    assert widget.parse() == '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}plop{% endif %}</a>'
+
    # check we don't escape HTML if feedparser _sanitizeHTML is missing
    wcs.qommon.form._sanitizeHTML = None
    widget = WysiwygTextWidget('test')
--- a/wcs/qommon/form.py
+++ b/wcs/qommon/form.py
@ -19,6 +19,7 @@ import collections
 import copy
 import cStringIO
 import fnmatch
+from HTMLParser import HTMLParser
 import mimetypes
 import os
 import re
@ -1416,6 +1417,12 @@ class WysiwygTextWidget(TextWidget):
                self.value = self.value[6:]
            if self.value.endswith('<br />'):
                self.value = self.value[:-6]
+            # unescape Django template tags
+            parser = HTMLParser()
+            charset = get_publisher().site_charset
+            def unquote_django(matchobj):
+                return parser.unescape(unicode(matchobj.group(0), charset)).encode(charset)
+            self.value = re.sub('{%(.*?)%}', unquote_django, self.value)

    def add_media(self):
        get_response().add_javascript(['qommon.wysiwyg.js'])