misc: unquote HTML entities inside Django template tags (#27995)
parent
f672752020
commit
b928eb3a89
|
@ -1,3 +1,5 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
import datetime
|
||||
import sys
|
||||
import shutil
|
||||
|
@ -384,6 +386,12 @@ def test_wysiwygwidget():
|
|||
assert not widget.has_error()
|
||||
assert widget.parse() == '<a href="">a</a>' # javascript: got filtered
|
||||
|
||||
# check django templatetags are kept intact
|
||||
widget = WysiwygTextWidget('test')
|
||||
mock_form_submission(req, widget, {'test': '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}plop{% endif %}</a>'})
|
||||
assert not widget.has_error()
|
||||
assert widget.parse() == '<a href="{% if 1 > 2 %}héllo{% endif %}">{% if 2 > 1 %}plop{% endif %}</a>'
|
||||
|
||||
# check we don't escape HTML if feedparser _sanitizeHTML is missing
|
||||
wcs.qommon.form._sanitizeHTML = None
|
||||
widget = WysiwygTextWidget('test')
|
||||
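Review bot: The new assertions in `test_wysiwygwidget` only cover a bare `>` comparison inside `{% if %}`, so nothing pins what `parse()` returns when the text between `{%` and `%}` holds entity-encoded markup instead of an operator. The unescape in `WysiwygTextWidget` presumably runs on sanitiser output, so a second case that submits an encoded element inside the delimiters and asserts it is still encoded (or rejected) afterwards would make that boundary explicit. A case with `{{ … }}` variables would also record whether they are meant to stay escaped. The test function starts and ends outside the hunk.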
|
|
|
@ -19,6 +19,7 @@ import collections
|
|||
import copy
|
||||
import cStringIO
|
||||
import fnmatch
|
||||
from HTMLParser import HTMLParser
|
||||
import mimetypes
|
||||
import os
|
||||
import re
|
||||
|
@ -1416,6 +1417,12 @@ class WysiwygTextWidget(TextWidget):
|
|||
self.value = self.value[6:]
|
||||
if self.value.endswith('<br />'):
|
||||
self.value = self.value[:-6]
|
||||
# unescape Django template tags
|
||||
parser = HTMLParser()
|
||||
charset = get_publisher().site_charset
|
||||
def unquote_django(matchobj):
|
||||
return parser.unescape(unicode(matchobj.group(0), charset)).encode(charset)
|
||||
self.value = re.sub('{%(.*?)%}', unquote_django, self.value)
|
||||
|
||||
def add_media(self):
|
||||
get_response().add_javascript(['qommon.wysiwyg.js'])
|
||||
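Review bot: `re.sub('{%(.*?)%}', unquote_django, self.value)` unescapes every entity found between `{%` and `%}`, and it appears to run after the HTML sanitising step (not visible in this hunk), so entity-encoded markup wrapped in those delimiters would come back as raw `<`/`>` in the stored value. A fail-safe is to leave the match untouched when the unescaped text looks like an element, e.g. in `unquote_django`: `if re.search(r'<[a-zA-Z/!]', unescaped): return matchobj.group(0)`. A comment stating that this step deliberately runs after sanitisation would also help. Because the preserved tags are presumably rendered as a Django template later, it is worth confirming that only trusted authors can submit to this widget. The enclosing method starts outside the hunk.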
|
|