misc: add proper escaping to map data attribution string (#89579)

2024-04-15 12:57:21 +02:00 · 2024-04-15 12:57:21 +02:00 · c9d6bb9f15
parent 2590ea3b7e
commit c9d6bb9f15
2 changed files with 20 additions and 5 deletions
--- a/tests/backoffice_pages/test_all.py
+++ b/tests/backoffice_pages/test_all.py
@ -1603,8 +1603,18 @@ def test_backoffice_map(pub):
    resp = app.get('/backoffice/management/form-title/')
    assert 'Plot on a Map' in resp.text
    resp = resp.click('Plot on a Map')
-    assert 'data-geojson-url' in resp.text
-    assert 'tiles.entrouvert.org/' in resp.text
+    assert (
+        resp.pyquery('.qommon-map')[0].attrib['data-geojson-url']
+        == 'http://example.net/backoffice/management/form-title/geojson?'
+    )
+    assert (
+        resp.pyquery('.qommon-map')[0].attrib['data-tile-urltemplate']
+        == 'https://tiles.entrouvert.org/hdm/{z}/{x}/{y}.png'
+    )
+    assert (
+        resp.pyquery('.qommon-map')[0].attrib['data-map-attribution']
+        == 'Map data &copy; <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a>'
+    )

    if not pub.site_options.has_section('options'):
        pub.site_options.add_section('options')
@ -1615,7 +1625,10 @@ def test_backoffice_map(pub):

    resp = app.get('/backoffice/management/form-title/')
    resp = resp.click('Plot on a Map')
-    assert 'tile.example.net/' in resp.text
+    assert (
+        resp.pyquery('.qommon-map')[0].attrib['data-tile-urltemplate']
+        == 'https://{s}.tile.example.net/{z}/{x}/{y}.png'
+    )

    # check query string is kept
    resp = app.get('/backoffice/management/form-title/map?filter=all')
--- a/wcs/qommon/publisher.py
+++ b/wcs/qommon/publisher.py
@ -20,6 +20,7 @@ import collections
 import configparser
 import datetime
 import hashlib
+import html
 import inspect
 import io
 import json
@ -833,8 +834,9 @@ class QommonPublisher(Publisher):
            attrs['data-max-bounds-lat2'], attrs['data-max-bounds-lng2'] = self.get_site_option(
                'map-bounds-bottom-right'
            ).split(';')
-        attrs['data-map-attribution'] = self.get_site_option('map-attribution') or _(
-            'Map data &copy; <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a>'
+        attrs['data-map-attribution'] = html.escape(
+            self.get_site_option('map-attribution')
+            or _('Map data &copy; <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a>')
        )
        attrs['data-tile-urltemplate'] = (
            self.get_site_option('map-tile-urltemplate') or 'https://tiles.entrouvert.org/hdm/{z}/{x}/{y}.png'