workflows: do not use django templating by default in workflows (#21317)

2018-01-22 13:06:59 +01:00 · 2018-01-22 13:06:59 +01:00 · f97734c48b
parent 337f0a476c
commit f97734c48b
2 changed files with 8 additions and 1 deletions
--- a/tests/test_workflows.py
+++ b/tests/test_workflows.py
@ -162,6 +162,13 @@ def test_variable_compute(pub):
    # django wins
    assert item.compute('{{ form_var_foo }} [bar]', context={'bar': 'world'}) == 'hello [bar]'

+    # django template, no escaping by default
+    formdata.data = {'1': '<b>hello</b>'}
+    formdata.store()
+    assert item.compute('{{ form_var_foo }}') == '<b>hello</b>'  # autoescape off by default
+    assert item.compute('{{ form_var_foo|safe }}') == '<b>hello</b>'  # no escaping (implicit |safe)
+    assert item.compute('{{ form_var_foo|escape }}') == '&lt;b&gt;hello&lt;/b&gt;'  #escaping
+
 def test_variable_compute_dates(pub):
    FormDef.wipe()
    formdef = FormDef()
--- a/wcs/workflows.py
+++ b/wcs/workflows.py
@ -1632,7 +1632,7 @@ class WorkflowStatusItem(XmlSerialisable):

        if not var.startswith('='):
            try:
-                return Template(var, raises=raises).render(vars)
+                return Template(var, raises=raises, autoescape=False).render(vars)
            except TemplateError:
                if raises:
                    raise