[Fixes #5138] Escape Hierarchical-tags

GeoNode · Oct 29, 2019 · fdd2c85 · fdd2c85
1 parent 7bab9e1
commit fdd2c85
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/geonode/base/models.py b/geonode/base/models.py
@@ -41,6 +41,7 @@
 from django.core.files.base import ContentFile
 from django.contrib.gis.geos import GEOSGeometry
 from django.utils.timezone import now
+from django.utils.html import escape
 
 from mptt.models import MPTTModel, TreeForeignKey
 
@@ -383,6 +384,8 @@ def add(self, *tags):
         tag_objs.update(existing)
         for new_tag in str_tags - set(t.name for t in existing):
             if new_tag:
+                new_tag = escape(new_tag)
+                new_tag = "".join(new_tag.split())
                 tag_objs.add(HierarchicalKeyword.add_root(name=new_tag))
 
         for tag in tag_objs:

diff --git a/geonode/layers/tests.py b/geonode/layers/tests.py
@@ -258,6 +258,18 @@ def test_layer_save(self):
                 u'here', u'keywords', u'populartag', u'saving',
                 u'ß', u'ä', u'ö', u'ü', u'論語'])
 
+        # Test input escape
+        lyr.keywords.add(*["Europe<script>true;</script>",
+                           "land_<script>true;</script>covering",
+                           "<IMG SRC='javascript:true;'>Science"])
+
+        self.assertEqual(
+            lyr.keyword_list(), [
+                u'&lt;IMGSRC=&#39;javascript:true;&#39;&gt;Science', u'Europe&lt;script&gt;true;&lt;/script&gt;',
+                u'here', u'keywords', u'land_&lt;script&gt;true;&lt;/script&gt;covering', u'populartag', u'saving',
+                u'ß', u'ä', u'ö', u'ü', u'論語'])
+
+
         self.client.login(username='admin', password='admin')
         response = self.client.get(reverse('layer_detail', args=(lyr.alternate,)))
         self.failUnlessEqual(response.status_code, 200)
@@ -277,7 +289,13 @@ def test_layer_save(self):
             {"text": u"ä", "href": "a", "id": 10},
             {"text": u"ö", "href": "o", "id": 7},
             {"text": u"ü", "href": "u", "id": 8},
-            {"text": u"論語", "href": "lun-yu", "id": 6}
+            {"text": u"論語", "href": "lun-yu", "id": 6},
+            {"text": u"Europe&lt;script&gt;true;&lt;/script&gt;",
+                "href": "u'europeltscriptgttrueltscriptgt", "id": 12},
+            {"text": u"land_&lt;script&gt;true;&lt;/script&gt;covering",
+                "href": "u'land_ltscriptgttrueltscriptgtcovering", "id": 13},
+            {"text": u"&lt;IMGSRC=&#39;javascript:true;&#39;&gt;Science",
+                "href": "u'ltimgsrc39javascripttrue39gtscience", "id": 11},
         ]))
 
     def test_layer_links(self):