Escape single and double quotes as well, plus add test

2021-03-12 13:30:00 +01:00 · 2021-03-12 13:30:00 +01:00 · 1c7f83acf6
commit 1c7f83acf6
parent a233a0ca72
2 changed files with 17 additions and 2 deletions
--- a/tests/test_www/test_util.py
+++ b/tests/test_www/test_util.py
@ -1,6 +1,6 @@
 import unittest

-from kojiweb.util import formatMode, formatLink
+from kojiweb.util import formatMode, formatLink, escapeHTML

 class TestFormatMode(unittest.TestCase):
    def test_format_mode(self):
@ -34,3 +34,14 @@ class TestFormatMode(unittest.TestCase):

        for input, output in formats:
            self.assertEqual(formatLink(input), output)
+
+    def test_escape_html(self):
+        tests = (
+            ('test me', 'test me'),
+            ('test <danger>', 'test &lt;danger&gt;'),
+            ('test <danger="true">', 'test &lt;danger=&quot;true&quot;&gt;'),
+            ("test <danger='true'>", 'test &lt;danger=&#x27;true&#x27;&gt;'),
+        )
+
+        for input, output in tests:
+            self.assertEqual(escapeHTML(input), output)
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@ -593,6 +593,8 @@ def escapeHTML(value):
    < : &lt;
    > : &gt;
    & : &amp;
+    " : &quot;
+    ' : &#x27;
    """
    if not value:
        return value
@ -600,7 +602,9 @@ def escapeHTML(value):
    value = koji.fixEncoding(value)
    return value.replace('&', '&amp;').\
        replace('<', '&lt;').\
-        replace('>', '&gt;')
+        replace('>', '&gt;').\
+        replace('"', '&quot;').\
+        replace("'", '&#x27;')


 def authToken(template, first=False, form=False):