backoffice: escape labels in form admin pages (#67907)

2022-08-03 11:58:21 +02:00 · 2022-08-03 11:58:21 +02:00 · 05374eee52
parent a91fcf0d80
commit 05374eee52
2 changed files with 11 additions and 4 deletions
--- a/tests/admin_pages/test_form.py
+++ b/tests/admin_pages/test_form.py
@ -848,11 +848,18 @@ def test_form_workflow_role(pub):
    assert FormDef.get(1).workflow_roles == {'_receiver': '1'}

    # check it doesn't fail if a second role with the same name exists
-    role = pub.role_class(name='foobar')
-    role.store()
+    role2 = pub.role_class(name='foobar')
+    role2.store()
    resp = app.get('/backoffice/forms/1/')
    resp = resp.click(href='role/_receiver')

+    # check HTML is escaped
+    role.name = 'foo<strong>bar</strong>'
+    role.store()
+    resp = app.get('/backoffice/forms/1/')
+    assert 'foo<strong>bar</strong>' not in resp.text
+    assert 'foo&lt;strong&gt;bar&lt;/strong&gt;' in resp.text
+

 def test_form_workflow_options(pub):
    create_superuser(pub)
--- a/wcs/admin/forms.py
+++ b/wcs/admin/forms.py
@ -21,7 +21,7 @@ from collections import defaultdict

 from quixote import get_publisher, get_request, get_response, get_session, redirect
 from quixote.directory import AccessControlled, Directory
-from quixote.html import TemplateIO, htmltext
+from quixote.html import TemplateIO, htmlescape, htmltext

 from wcs.backoffice.snapshots import SnapshotsDirectory
 from wcs.carddef import CardDef
@ -672,7 +672,7 @@ class FormDefPage(Directory):
                'popup': 'popup' if popup else '',
                'link': link,
                'label': label,
-                'current_value': current_value,
+                'current_value': htmlescape(current_value),
            }
        )