Properly escapes single/double quotes in formcode

OneGov · Jun 21, 2018 · df53b21 · df53b21
1 parent 4c6a70c
commit df53b21
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 6 deletions.
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -1,5 +1,9 @@
 Changelog
 ---------
+
+- Properly escapes single/double quotes in formcode.
+  [href]
+
 0.33.3 (2018-06-04)
 ~~~~~~~~~~~~~~~~~~~
 

diff --git a/onegov/form/parser/core.py b/onegov/form/parser/core.py
@@ -886,13 +886,19 @@ def translate_to_yaml(text):
     actual_fields = 0
     ix = 0
 
+    def escape_single(text):
+        return text.replace("'", "''")
+
+    def escape_double(text):
+        return text.replace('"', '\\"')
+
     for ix, line in lines:
 
         indent = ' ' * (4 + (len(line) - len(line.lstrip())))
 
         # the top level are the fieldsets
         if match(ELEMENTS.fieldset_title, line):
-            yield '- "{}":'.format(line.lstrip('# ').rstrip())
+            yield '- "{}":'.format(escape_double(line.lstrip('# ').rstrip()))
             expect_nested = False
             continue
 
@@ -906,8 +912,8 @@ def translate_to_yaml(text):
             yield '{indent}- "{identifier}": !{type} \'{definition}\''.format(
                 indent=indent,
                 type=parse_result.type,
-                identifier=line.split('=')[0].strip(),
-                definition=line.split('=')[1].strip()
+                identifier=escape_double(line.split('=')[0].strip()),
+                definition=escape_single(line.split('=')[1].strip())
             )
             expect_nested = len(indent) > 4
             actual_fields += 1
@@ -923,7 +929,7 @@ def translate_to_yaml(text):
             yield '{indent}- !{type} \'{definition}\':'.format(
                 indent=indent,
                 type=parse_result.type,
-                definition=line.strip()
+                definition=escape_single(line.strip())
             )
             continue
 
@@ -936,7 +942,7 @@ def translate_to_yaml(text):
 
             yield '{indent}- "{identifier}":'.format(
                 indent=indent,
-                identifier=line.strip()
+                identifier=escape_double(line.strip())
             )
 
             expect_nested = True

diff --git a/onegov/form/tests/test_parser.py b/onegov/form/tests/test_parser.py
@@ -266,6 +266,25 @@ def test_parse_radio():
     assert form.gender.default == 'Female'
 
 
+def test_parse_radio_escape():
+
+    text = dedent("""
+        # "For sure"
+        Let's go =
+            ( ) Yeah, let's
+            (x) No, let's not
+    """)
+
+    form = parse_form(text)()
+
+    assert len(form._fields) == 1
+    assert form.for_sure_let_s_go.choices == [
+        ("Yeah, let's", "Yeah, let's"),
+        ("No, let's not", "No, let's not"),
+    ]
+    assert form.for_sure_let_s_go.default == "No, let's not"
+
+
 def test_parse_checkbox():
 
     text = dedent("""

diff --git a/onegov/form/utils.py b/onegov/form/utils.py
@@ -13,7 +13,7 @@
 
 
 def as_internal_id(label):
-    clean = unidecode(label).strip(' ').lower()
+    clean = unidecode(label).strip(' \"\'').lower()
     clean = _unwanted_characters.sub('_', clean)
 
     return clean