diff --git a/app/main/views/templates.py b/app/main/views/templates.py
index cb6831304..203ae0b64 100644
--- a/app/main/views/templates.py
+++ b/app/main/views/templates.py
@@ -276,7 +276,7 @@ def edit_service_template(service_id, template_id):
 if form.process_type.data != template['process_type']:
 abort_403_if_not_admin_user()
- subject = escape_html(form.subject.data) if hasattr(form, 'subject') else None
+ subject = form.subject.data if hasattr(form, 'subject') else None
 new_template = get_template({
 'name': form.name.data,
 'content': form.template_content.data,
diff --git a/tests/app/main/views/test_templates.py b/tests/app/main/views/test_templates.py
index d4777468f..b321ca50a 100644
--- a/tests/app/main/views/test_templates.py
+++ b/tests/app/main/views/test_templates.py
@@ -360,7 +360,7 @@ def test_should_show_interstitial_when_making_breaking_change(
 'name': "new name",
 'template_content': "hello lets talk about ((thing))",
 'template_type': 'email',
- 'subject': 'reminder & ((name))',
+ 'subject': 'reminder \'" & ((name))',
 'service': service_id,
 'process_type': 'normal'
 }
@@ -377,12 +377,18 @@ def test_should_show_interstitial_when_making_breaking_change(
 for key, value in {
 'name': 'new name',
- 'subject': 'reminder & ((name))',
+ 'subject': 'reminder \'" & ((name))',
 'template_content': 'hello lets talk about ((thing))',
 'confirm': 'true'
 }.items():
 assert page.find('input', {'name': key})['value'] == value
+ # BeautifulSoup returns the value attribute as unencoded, let’s make
+ # sure that it is properly encoded in the HTML
+ assert str(page.find('input', {'name': 'subject'})) == (
+ """"""
+ )
+
 def test_should_not_create_too_big_template(
 logged_in_client,
@@ -450,7 +456,7 @@ def test_should_redirect_when_saving_a_template_email(
 template_id = fake_uuid
 name = "new name"
 content = "template content with & entity ((thing)) ((date))"
- subject = "subject"
+ subject = "subject & entity"
 data = {
 'id': template_id,
 'name': name,
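Review bot: With `escape_html` dropped on the `subject =` line, the subject is now persisted exactly as the user typed it and its safety rests entirely on output encoding, so any render path that marks it safe — a template using `|safe` or `Markup()` on the subject, or a preview/email-subject path that emits it as HTML — becomes an HTML injection sink, and the new test only covers the interstitial's hidden input. Escaping at output rather than at storage is the right layering (the test expects the served HTML to carry `&#39;&quot; &amp;`, presumably via Jinja autoescaping), but before merging I would grep the templates for `subject` rendered with `|safe`/`Markup` and add a test that the template preview page encodes the same subject. A comment on the assignment would stop the next person reintroducing double-escaping or a raw render, e.g. `# stored unescaped on purpose: autoescaping encodes it at render time, so never mark it |safe`. The body of `edit_service_template` continues outside the hunk.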
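Review bot: The new `assert str(page.find('input', {'name': 'subject'})) == (...)` compares BeautifulSoup's re-serialization of the parsed tag, not the bytes the server sent: `str()` on a Tag re-encodes `&` and quotes with BeautifulSoup's own formatter, so a response that emitted the value with a different but valid entity form (markupsafe, for instance, writes `"` as `&#34;`), or one BeautifulSoup repaired on parse, would still pass, and the comparison is also brittle against attribute order. Assuming the raw response is still in scope in this test (it is parsed into `page` above the hunk), assert on the body directly, `body = response.get_data(as_text=True)` followed by `assert 'value="reminder &#39;&#34; &amp; ((name))"' in body`, with the entity form matched to whatever the server's escaper actually emits. As shown here the expected literal on the `""""""` line is empty, which looks like the HTML was stripped in rendering, so the real string in the commit should be checked. The enclosing test function starts outside the hunk.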