avoid use of |safe filter in templates
Explicitly mark those few places where we need to pass in data that
should not be escaped on the Python side.
yagebu committed Jul 3, 2022
1 parent c9f3ee8 commit ca9e388
Showing 6 changed files with 27 additions and 18 deletions.
11 changes: 7 additions & 4 deletions src/fava/application.py
Expand Up @@ -35,6 +35,7 @@
from flask.wrappers import Response
from flask_babel import Babel # type: ignore
from flask_babel import get_translations
from markupsafe import Markup
from werkzeug.utils import secure_filename

from fava import __version__ as fava_version
Expand Down Expand Up @@ -384,10 +385,12 @@ def help_page(page_slug: str) -> str:
"_layout.html",
active_page="help",
page_slug=page_slug,
help_html=render_template_string(
html,
beancount_version=beancount_version,
fava_version=fava_version,
help_html=Markup(
render_template_string(
html,
beancount_version=beancount_version,
fava_version=fava_version,
)
),
HELP_PAGES=HELP_PAGES,
)
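Review bot: The `Markup(render_template_string(...))` wrap in the second hunk declares the entire rendered help page as trusted HTML, but nothing near it records why that is acceptable; a reader of help_page has to go find where `html` comes from. If, as the hunk suggests, `html` is the bundled help text (the source is not visible here), a one-line comment above the call would make the trust boundary explicit, e.g. `# help pages are shipped with fava, so their rendered HTML is trusted as-is`. render_template_string still autoescapes `beancount_version` and `fava_version` inside that string, which is worth stating in the same comment so nobody later "fixes" it with another Markup. help_page begins outside the hunk.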
17 changes: 11 additions & 6 deletions src/fava/core/file.py
Expand Up @@ -22,6 +22,7 @@
from beancount.core.flags import FLAG_SUMMARIZE
from beancount.core.flags import FLAG_TRANSFER
from beancount.parser.printer import format_entry # type: ignore
from markupsafe import Markup

from fava.core._compat import FLAG_RETURNS
from fava.core._compat import FLAG_UNREALIZED
Expand Down Expand Up @@ -176,7 +177,9 @@ def insert_entries(self, entries: Entries) -> None:
)
self.ledger.extensions.after_insert_entry(entry)

def render_entries(self, entries: Entries) -> Generator[str, None, None]:
def render_entries(
self, entries: Entries
) -> Generator[Markup, None, None]:
"""Return entries in Beancount format.
Only renders :class:`.Balance` and :class:`.Transaction`.
Expand All @@ -193,12 +196,14 @@ def render_entries(self, entries: Entries) -> Generator[str, None, None]:
if isinstance(entry, Transaction) and entry.flag in EXCL_FLAGS:
continue
try:
yield get_entry_slice(entry)[0] + "\n"
yield Markup(get_entry_slice(entry)[0] + "\n")
except (KeyError, FileNotFoundError):
yield _format_entry(
entry,
self.ledger.fava_options.currency_column,
indent,
yield Markup(
_format_entry(
entry,
self.ledger.fava_options.currency_column,
indent,
)
)


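Review bot: The two `Markup(...)` wrappers in the second hunk of render_entries mark text that is copied verbatim from the ledger file as safe HTML without escaping it, so wherever this generator is consumed by a Jinja template a `<` inside an entry would now be emitted as markup rather than autoescaped. The consumer is not visible here; if the output only ever reaches a JSON response or a block that previously used `|safe`, behaviour is unchanged, but that is the assumption this change rests on and it should be written down next to the yields. If the text is displayed, `yield escape(get_entry_slice(entry)[0] + "\n")` (markupsafe's `escape`, which also returns Markup) keeps the new return type while escaping ledger content, and the same applies to the `_format_entry` branch. The docstring opened in the first hunk should also say the yielded items are `Markup`; the stretch between the two hunks is elided.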
11 changes: 6 additions & 5 deletions src/fava/template_filters.py
Expand Up @@ -12,14 +12,15 @@
from typing import MutableMapping
from typing import TypeVar

import flask
from beancount.core import compare
from beancount.core import realization
from beancount.core.account import ACCOUNT_RE
from beancount.core.data import Directive
from beancount.core.inventory import Inventory
from beancount.core.number import Decimal
from beancount.core.number import ZERO
from flask import url_for
from markupsafe import Markup

from fava.context import g
from fava.core.conversion import cost
Expand Down Expand Up @@ -145,14 +146,14 @@ def basename(file_path: str) -> str:
return unicodedata.normalize("NFC", os.path.basename(file_path))


def format_errormsg(message: str) -> str:
def format_errormsg(message: str) -> Markup:
"""Match account names in error messages and insert HTML links for them."""
match = re.search(ACCOUNT_RE, message)
if not match:
return message
return Markup(message)
account = match.group()
url = flask.url_for("account", name=account)
return (
url = url_for("account", name=account)
return Markup(
message.replace(account, f'<a href="{url}">{account}</a>')
.replace("for '", "for ")
.replace("': ", ": ")
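Review bot: `Markup(message)` and the `Markup(...)` around the replace chain in format_errormsg assert that the whole error message is safe HTML, yet nothing in the hunk escapes it, and beancount error messages may include text taken from the ledger. The previous `|safe` in errors.html had the same effect, so the commit does not make things worse, but since it is now the Python side that vouches for the markup this is the place to close the gap. Escaping the message first and building the anchor with `Markup.format` (which escapes its arguments, as does `Markup.replace`) keeps the literal-replacement logic intact because the `'` in `"for '"` and `"': "` is escaped consistently on both sides; `escape` comes from markupsafe and would be added next to the existing `Markup` import in the first hunk. The closing parenthesis of the return lies outside the hunk.
```python
def format_errormsg(message: str) -> Markup:
    """Match account names in error messages and insert HTML links for them."""
    match = re.search(ACCOUNT_RE, message)
    if not match:
        return escape(message)
    account = match.group()
    url = url_for("account", name=account)
    # Markup.format and Markup.replace escape their str arguments, so only the
    # anchor template itself is passed through unescaped.
    link = Markup('<a href="{url}">{account}</a>').format(url=url, account=account)
    return (
        escape(message)
        .replace(account, link)
        .replace("for '", "for ")
        .replace("': ", ": ")
```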
2 changes: 1 addition & 1 deletion src/fava/templates/_layout.html
Expand Up @@ -43,7 +43,7 @@ <h1>
<svelte-component type="charts"></svelte-component>
{% block content %}
{% if content %}
{{ content|safe }}
{{ content }}
{% else %}
{% include active_page + '.html' %}
{% endif %}
2 changes: 1 addition & 1 deletion src/fava/templates/errors.html
Expand Up @@ -13,7 +13,7 @@
{% with link=url_for_source(file_path=error.source['filename'], line=error.source['lineno']) %}
<td><a class="source" href="{{ link }}" title="{{ _('Show source %(file)s:%(lineno)s', file=error.source['filename'], lineno=error.source['lineno']) }}">{{ error.source['filename'] }}</a></td>
<td class="num"><a class="source" href="{{ link }}" title="{{ _('Show source %(file)s:%(lineno)s', file=error.source['filename'], lineno=error.source['lineno']) }}">{{ error.source['lineno'] }}</a></td>
<td class="pre">{{ error.message|format_errormsg|safe }}</td>
<td class="pre">{{ error.message|format_errormsg }}</td>
{% endwith %}
</tr>
{% endfor %}
2 changes: 1 addition & 1 deletion src/fava/templates/help.html
Expand Up @@ -12,6 +12,6 @@ <h3>{{ _('Help pages') }}</h3>
</ul>
</div>
<div class="help-text">
{{ help_html|safe }}
{{ help_html }}
</div>
</div>
