From c7a075b0ce45d565a0b52882bd1c378c8266fb38 Mon Sep 17 00:00:00 2001 From: Lars Eggert Date: Tue, 18 Jul 2023 16:46:20 +0300 Subject: [PATCH 1/2] fix: Add `mark_safe` to `person_link` to prevent HTML escaping Fixes part of #5834, namely https://github.com/ietf-tools/datatracker/issues/5834#issuecomment-1627454562 --- ietf/person/templatetags/person_filters.py | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/ietf/person/templatetags/person_filters.py b/ietf/person/templatetags/person_filters.py index 017b29c63ad..8d226f3e134 100644 --- a/ietf/person/templatetags/person_filters.py +++ b/ietf/person/templatetags/person_filters.py @@ -1,6 +1,7 @@ # Copyright The IETF Trust 2017-2020, All Rights Reserved from django import template +from django.utils.html import mark_safe import debug # pyflakes:ignore @@ -59,11 +60,11 @@ def person_link(person, **kwargs): ) email = person.email_address() return { - "name": name, - "plain_name": plain_name, - "email": email, - "title": title, - "class": cls, + "name": mark_safe(name), + "plain_name": mark_safe(plain_name), + "email": mark_safe(email), + "title": mark_safe(title), + "class": mark_safe(cls), "with_email": with_email, } else: @@ -83,10 +84,10 @@ def email_person_link(email, **kwargs): ) email = email.address return { - "name": name, - "plain_name": plain_name, - "email": email, - "title": title, - "class": cls, + "name": mark_safe(name), + "plain_name": mark_safe(plain_name), + "email": mark_safe(email), + "title": mark_safe(title), + "class": mark_safe(cls), "with_email": with_email, } From d8b01ad6f4f039b3d4e7c21de54bcf454f9077cb Mon Sep 17 00:00:00 2001 From: Lars Eggert Date: Fri, 21 Jul 2023 06:06:41 -0700 Subject: [PATCH 2/2] fix: Fix tests instead of marking name safe --- ietf/group/tests_review.py | 4 ++-- ietf/person/templatetags/person_filters.py | 21 ++++++++++----------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/ietf/group/tests_review.py b/ietf/group/tests_review.py index 6ca77a0e183..6b673ad9598 100644 --- a/ietf/group/tests_review.py +++ b/ietf/group/tests_review.py @@ -41,7 +41,7 @@ def test_review_requests(self): r = self.client.get(url) self.assertEqual(r.status_code, 200) self.assertContains(r, review_req.doc.name) - self.assertContains(r, assignment.reviewer.person.name) + self.assertContains(r, escape(assignment.reviewer.person.name)) url = urlreverse(ietf.group.views.review_requests, kwargs={ 'acronym': group.acronym }) @@ -183,7 +183,7 @@ def test_reviewer_overview(self): urlreverse(ietf.group.views.reviewer_overview, kwargs={ 'acronym': group.acronym, 'group_type': group.type_id })]: r = self.client.get(url) self.assertEqual(r.status_code, 200) - self.assertContains(r, reviewer.name) + self.assertContains(r, escape(reviewer.name)) self.assertContains(r, review_req1.doc.name) # without a login, reason for being unavailable should not be seen self.assertNotContains(r, "Availability") diff --git a/ietf/person/templatetags/person_filters.py b/ietf/person/templatetags/person_filters.py index 8d226f3e134..017b29c63ad 100644 --- a/ietf/person/templatetags/person_filters.py +++ b/ietf/person/templatetags/person_filters.py @@ -1,7 +1,6 @@ # Copyright The IETF Trust 2017-2020, All Rights Reserved from django import template -from django.utils.html import mark_safe import debug # pyflakes:ignore @@ -60,11 +59,11 @@ def person_link(person, **kwargs): ) email = person.email_address() return { - "name": mark_safe(name), - "plain_name": mark_safe(plain_name), - "email": mark_safe(email), - "title": mark_safe(title), - "class": mark_safe(cls), + "name": name, + "plain_name": plain_name, + "email": email, + "title": title, + "class": cls, "with_email": with_email, } else: @@ -84,10 +83,10 @@ def email_person_link(email, **kwargs): ) email = email.address return { - "name": mark_safe(name), - "plain_name": mark_safe(plain_name), - "email": mark_safe(email), - "title": mark_safe(title), - "class": mark_safe(cls), + "name": name, + "plain_name": plain_name, + "email": email, + "title": title, + "class": cls, "with_email": with_email, }