backoffice: escape labels in form admin pages (#67907)
parent
a91fcf0d80
commit
05374eee52
|
@ -848,11 +848,18 @@ def test_form_workflow_role(pub):
|
|||
assert FormDef.get(1).workflow_roles == {'_receiver': '1'}
|
||||
|
||||
# check it doesn't fail if a second role with the same name exists
|
||||
role = pub.role_class(name='foobar')
|
||||
role.store()
|
||||
role2 = pub.role_class(name='foobar')
|
||||
role2.store()
|
||||
resp = app.get('/backoffice/forms/1/')
|
||||
resp = resp.click(href='role/_receiver')
|
||||
|
||||
# check HTML is escaped
|
||||
role.name = 'foo<strong>bar</strong>'
|
||||
role.store()
|
||||
resp = app.get('/backoffice/forms/1/')
|
||||
assert 'foo<strong>bar</strong>' not in resp.text
|
||||
assert 'foo<strong>bar</strong>' in resp.text
|
||||
|
||||
|
||||
def test_form_workflow_options(pub):
|
||||
create_superuser(pub)
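Review bot: The two escaping assertions at the end only inspect the form overview page fetched by the second `app.get('/backoffice/forms/1/')`; the role picker reached earlier via `resp.click(href='role/_receiver')` also renders role names, and it is not fetched again after the name is changed to `'foo<strong>bar</strong>'`, so a missing escape there would go unnoticed. Consider re-clicking that link after `role.store()` and repeating both assertions on its response. Note also that the last two assertions read identically on this rendered page; presumably the final one expects the entity-escaped form, `assert 'foo&lt;strong&gt;bar&lt;/strong&gt;' in resp.text`, and the page decoded the entities — worth a glance at the raw source. test_form_workflow_role starts before this hunk.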
|
||||
|
|
|
@ -21,7 +21,7 @@ from collections import defaultdict
|
|||
|
||||
from quixote import get_publisher, get_request, get_response, get_session, redirect
|
||||
from quixote.directory import AccessControlled, Directory
|
||||
from quixote.html import TemplateIO, htmltext
|
||||
from quixote.html import TemplateIO, htmlescape, htmltext
|
||||
|
||||
from wcs.backoffice.snapshots import SnapshotsDirectory
|
||||
from wcs.carddef import CardDef
|
||||
|
@ -672,7 +672,7 @@ class FormDefPage(Directory):
|
|||
'popup': 'popup' if popup else '',
|
||||
'link': link,
|
||||
'label': label,
|
||||
'current_value': current_value,
|
||||
'current_value': htmlescape(current_value),
|
||||
}
|
||||
)
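Review bot: Only `current_value` gets wrapped in `htmlescape` on the new `'current_value'` line, while `label` and `link` on the lines above are passed into the same markup unchanged; if `label` can ever carry user-controlled text (a field or workflow name rather than a translated constant), it has the same injection problem this commit fixes for the role name. Either escape it the same way, `'label': htmlescape(label),`, or document the trust boundary with a comment such as `# label/link come from code constants; only current_value is stored, user-editable data`. The enclosing method and the call that consumes this dict both begin outside the hunk, so I cannot tell whether the formatting step already escapes plain-str arguments (quixote's `htmltext % …` does), in which case the explicit `htmlescape` is redundant but harmless.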
|
||||
|
||||
|
|