Merge pull request #703 from ntoll/force-plaintext-html-entities

Fix HTML entities being escaped in speech bubbles.
freedomofpress · Jan 20, 2020 · 7e876d7 · 7e876d7
2 parents acfe31c + 2854abc
commit 7e876d7
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 13 deletions.
diff --git a/securedrop_client/gui/__init__.py b/securedrop_client/gui/__init__.py
@@ -17,8 +17,6 @@
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 
-import html
-
 from typing import Union
 
 from PyQt5.QtWidgets import QLabel, QHBoxLayout, QPushButton, QWidget
@@ -161,8 +159,8 @@ def __init__(
         flags: Union[Qt.WindowFlags, Qt.WindowType] = Qt.WindowFlags(),
     ):
         super().__init__(parent, flags)
-        self.setTextFormat(Qt.PlainText)
         self.setText(text)
 
     def setText(self, text: str) -> None:
-        super().setText(html.escape(text, quote=False))
+        self.setTextFormat(Qt.PlainText)
+        super().setText(text)
diff --git a/tests/gui/test_init.py b/tests/gui/test_init.py
@@ -2,9 +2,7 @@
 Tests for the gui helper functions in __init__.py
 """
 
-import html
-
-from PyQt5.QtCore import QSize
+from PyQt5.QtCore import QSize, Qt
 from PyQt5.QtWidgets import QApplication
 
 from securedrop_client.gui import SecureQLabel, SvgPushButton, SvgLabel, SvgToggleButton
@@ -135,16 +133,19 @@ def test_SvgLabel_init(mocker):
 def test_SecureQLabel_init():
     label_text = '<script>alert("hi!");</script>'
     sl = SecureQLabel(label_text)
-    assert sl.text() == html.escape(label_text, quote=False)
+    assert sl.text() == label_text
 
 
-def test_SecureQLabel_setText():
+def test_SecureQLabel_setText(mocker):
     sl = SecureQLabel("hello")
     assert sl.text() == "hello"
 
     label_text = '<script>alert("hi!");</script>'
+    sl.setTextFormat = mocker.MagicMock()
     sl.setText(label_text)
-    assert sl.text() == html.escape(label_text, quote=False)
+    assert sl.text() == label_text
+    # Ensure *safe* plain text with no HTML entities.
+    sl.setTextFormat.assert_called_once_with(Qt.PlainText)
 
 
 def test_SecureQLabel_quotes_not_escaped_for_readability():

diff --git a/tests/gui/test_widgets.py b/tests/gui/test_widgets.py
@@ -1,7 +1,6 @@
 """
 Make sure the UI widgets are configured correctly and work as expected.
 """
-import html
 import pytest
 
 from PyQt5.QtCore import Qt, QEvent
@@ -1245,7 +1244,7 @@ def test_SpeechBubble_html_init(mocker):
     mock_signal = mocker.MagicMock()
 
     bubble = SpeechBubble('mock id', '<b>hello</b>', mock_signal)
-    assert bubble.message.text() == html.escape('<b>hello</b>')
+    assert bubble.message.text() == '<b>hello</b>'
 
 
 def test_SpeechBubble_with_apostrophe_in_text(mocker):
@@ -1254,7 +1253,7 @@ def test_SpeechBubble_with_apostrophe_in_text(mocker):
 
     message = "I'm sure, you are reading my message."
     bubble = SpeechBubble('mock id', message, mock_signal)
-    assert bubble.message.text() == html.escape(message, quote=False)
+    assert bubble.message.text() == message
 
 
 def test_MessageWidget_init(mocker):