Stop template subjects getting saved encoded

This is another problem with sanitising HTML, this time with it getting
encoded where it shouldn’t be. The result was, when editing a template,
the API getting sent an encoded rather than raw version of the subject
(for letters and emails).

The reason this happened is because BeautifulSoup behaves in an
unexpected way.

When accessing the `value` attribute of an `input` BeautifulSoup returns
an unencoded version of the contents. In other words it returns what the
user would see in the page, not what is in the raw HTML of the page.

This meant that we were trying too hard to see an `&amp;` instead of a
`&` in our tests[1]. So things were actually working fine before adding
the call to `escape_html`[2], but from the output of the tests it didn’t
look like HTML was getting escaped.

So this commit fixes the bug by removing the call to `escape_html` and
adding a test that looks at the raw HTML, to complement the existing
test which looks at just the `value` attribute.

1. Relevant test added here: https://github.com/alphagov/notifications-admin/pull/1178/files#diff-f2eb304b93cc383727c0ab7fc8fbd464R289
2. Call added here: https://github.com/alphagov/notifications-admin/pull/1178/files#diff-f0af582449ebf426f27f37e38f310057R252
This commit is contained in:
Chris Hill-Scott
2017-04-14 08:52:02 +01:00
parent 569cd93c49
commit 267b58a66d
2 changed files with 10 additions and 4 deletions
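The parser behaviour the commit message describes, shown with an added example that is not part of this commit or of notifications-admin. It uses the standard library `html.parser` rather than BeautifulSoup, since both entity-decode attribute values the same way; the `RAW_PAGE` markup, the `render_input` stand-in for template autoescaping and the `subject_sent_to_api` helper are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the markup a template-edit page would contain once a
# subject containing "&" has been autoescaped at render time.
RAW_PAGE = '<form><input name="subject" value="Tom &amp; Jerry"></form>'


class InputValueCollector(HTMLParser):
    """Collects the value attribute of every <input>, as the parser decodes it."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attrs = dict(attrs)
            # html.parser (like BeautifulSoup) has already unescaped the value here
            self.values[attrs.get("name")] = attrs.get("value")


def parsed_value(page, name):
    """What input['value'] looks like through a parser: entity-decoded text."""
    parser = InputValueCollector()
    parser.feed(page)
    return parser.values[name]


def raw_value(page, name):
    """The literal attribute text in the markup, i.e. what a raw-HTML assertion sees."""
    marker = f'name="{name}" value="'
    start = page.index(marker) + len(marker)
    return page[start:page.index('"', start)]


def render_input(subject):
    """Stand-in for render-time autoescaping of the value attribute (assumption)."""
    return f'<form><input name="subject" value="{html.escape(subject, quote=True)}"></form>'


def subject_sent_to_api(form_subject, pre_escape):
    """The two code paths in the diff: with or without escape_html before the API call."""
    return html.escape(form_subject, quote=True) if pre_escape else form_subject


def round_trip(form_subject, pre_escape):
    """Subject as the user would see it after saving and reopening the template."""
    stored = subject_sent_to_api(form_subject, pre_escape)
    return parsed_value(render_input(stored), "subject")


if __name__ == "__main__":
    print(parsed_value(RAW_PAGE, "subject"))   # decoded: Tom & Jerry
    print(raw_value(RAW_PAGE, "subject"))      # raw markup: Tom &amp; Jerry
    print(round_trip("Tom & Jerry", pre_escape=True))   # double-encoded: Tom &amp; Jerry
    print(round_trip("Tom & Jerry", pre_escape=False))  # correct: Tom & Jerry
```

A test that only inspects the parsed `value` passes in both configurations, which is why the pre-existing test could not distinguish escaped from unescaped output; comparing against the raw markup (`raw_value`) is what catches the double encoding.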

@@ -276,7 +276,7 @@ def edit_service_template(service_id, template_id):
if form.process_type.data != template['process_type']:
abort_403_if_not_admin_user()
subject = escape_html(form.subject.data) if hasattr(form, 'subject') else None
subject = form.subject.data if hasattr(form, 'subject') else None
new_template = get_template({
'name': form.name.data,
'content': form.template_content.data,
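Review bot: with the `escape_html(...)` call removed from the `subject = ...` line, check whether `escape_html` is still used anywhere else in this file; if this was its only caller, the import should be dropped in the same commit. It is also worth stating in the commit message (it is implied but not said) that the subject is now stored raw and relies on escaping at render time, which is the behaviour the new raw-HTML test described in the message is meant to pin down.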