Don't encode already encoded entities

2021-03-12 19:06:12 +01:00 · 2021-03-12 19:06:12 +01:00 · 41d5414245
commit 41d5414245
parent 1c7f83acf6
2 changed files with 4 additions and 7 deletions
--- a/tests/test_www/test_util.py
+++ b/tests/test_www/test_util.py
@ -41,6 +41,8 @@ class TestFormatMode(unittest.TestCase):
            ('test <danger>', 'test &lt;danger&gt;'),
            ('test <danger="true">', 'test &lt;danger=&quot;true&quot;&gt;'),
            ("test <danger='true'>", 'test &lt;danger=&#x27;true&#x27;&gt;'),
+            ('test&test', 'test&amp;test'),
+            ('test&amp;test', 'test&amp;test'),
        )

        for input, output in tests:
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@ -106,12 +106,7 @@ class DecodeUTF8(Cheetah.Filters.Filter):
 class XHTMLFilter(DecodeUTF8):
    def filter(self, *args, **kw):
        result = super(XHTMLFilter, self).filter(*args, **kw)
-        result = result.replace('&', '&amp;')
-        result = result.replace('&amp;amp;', '&amp;')
-        result = result.replace('&amp;nbsp;', '&nbsp;')
-        result = result.replace('&amp;lt;', '&lt;')
-        result = result.replace('&amp;gt;', '&gt;')
-        return result
+        return re.sub(r'&(?![a-zA-Z0-9#]+;)', '&amp;', result)


 TEMPLATES = {}
@ -600,7 +595,7 @@ def escapeHTML(value):
        return value

    value = koji.fixEncoding(value)
-    return value.replace('&', '&amp;').\
+    return re.sub(r'&(?![a-zA-Z0-9#]+;)', '&amp;', value).\
        replace('<', '&lt;').\
        replace('>', '&gt;').\
        replace('"', '&quot;').\