
Merge pull request #703 from ntoll/force-plaintext-html-entities
Fix HTML entities being escaped in speech bubbles.
kushaldas committed Jan 20, 2020
2 parents acfe31c + 2854abc commit 7e876d7
Showing 3 changed files with 11 additions and 13 deletions.
6 changes: 2 additions & 4 deletions securedrop_client/gui/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import html

from typing import Union

from PyQt5.QtWidgets import QLabel, QHBoxLayout, QPushButton, QWidget
Expand Down Expand Up @@ -161,8 +159,8 @@ def __init__(
flags: Union[Qt.WindowFlags, Qt.WindowType] = Qt.WindowFlags(),
):
super().__init__(parent, flags)
self.setTextFormat(Qt.PlainText)
self.setText(text)

def setText(self, text: str) -> None:
super().setText(html.escape(text, quote=False))
self.setTextFormat(Qt.PlainText)
super().setText(text)
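Review bot: The plain-text guarantee of `SecureQLabel` now rests entirely on the `setTextFormat(Qt.PlainText)` call inside `setText`, since the `html.escape` defense-in-depth was dropped; nothing in the new code stops a caller from later calling `setTextFormat(Qt.AutoText)` or `Qt.RichText` on the same label, at which point a source-supplied string would again be parsed as Qt rich text. Consider pinning the format by overriding the setter, `def setTextFormat(self, fmt: Qt.TextFormat) -> None:` / `super().setTextFormat(Qt.PlainText)`, with a comment that this label exists for attacker-controlled text. `setText` also has no docstring; suggest `"""Set the label text as plain text so that source-supplied strings are never interpreted as Qt rich text."""`. The enclosing `__init__` starts outside the hunk (only its tail after `super().__init__` is visible), so I cannot tell whether anything earlier in it touches the text format.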
13 changes: 7 additions & 6 deletions tests/gui/test_init.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,7 @@
Tests for the gui helper functions in __init__.py
"""

import html

from PyQt5.QtCore import QSize
from PyQt5.QtCore import QSize, Qt
from PyQt5.QtWidgets import QApplication

from securedrop_client.gui import SecureQLabel, SvgPushButton, SvgLabel, SvgToggleButton
Expand Down Expand Up @@ -135,16 +133,19 @@ def test_SvgLabel_init(mocker):
def test_SecureQLabel_init():
label_text = '<script>alert("hi!");</script>'
sl = SecureQLabel(label_text)
assert sl.text() == html.escape(label_text, quote=False)
assert sl.text() == label_text


def test_SecureQLabel_setText():
def test_SecureQLabel_setText(mocker):
sl = SecureQLabel("hello")
assert sl.text() == "hello"

label_text = '<script>alert("hi!");</script>'
sl.setTextFormat = mocker.MagicMock()
sl.setText(label_text)
assert sl.text() == html.escape(label_text, quote=False)
assert sl.text() == label_text
# Ensure *safe* plain text with no HTML entities.
sl.setTextFormat.assert_called_once_with(Qt.PlainText)


def test_SecureQLabel_quotes_not_escaped_for_readability():
Expand Down
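Review bot: `test_SecureQLabel_setText` replaces `sl.setTextFormat` with a MagicMock before calling `setText`, so the real Qt format setter never runs in the call under test, and `assert sl.text() == label_text` only proves the raw string is stored — `QLabel.text()` returns the same string whether the label renders it as plain or rich text. A stronger check is to leave the method unmocked and assert the observable state, `assert sl.textFormat() == Qt.PlainText`, in both `test_SecureQLabel_init` and `test_SecureQLabel_setText`. The comment `# Ensure *safe* plain text with no HTML entities.` is also misleading now that entities are deliberately left unescaped; suggest `# PlainText format is what prevents the string from being parsed as rich text.`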
5 changes: 2 additions & 3 deletions tests/gui/test_widgets.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
"""
Make sure the UI widgets are configured correctly and work as expected.
"""
import html
import pytest

from PyQt5.QtCore import Qt, QEvent
Expand Down Expand Up @@ -1245,7 +1244,7 @@ def test_SpeechBubble_html_init(mocker):
mock_signal = mocker.MagicMock()

bubble = SpeechBubble('mock id', '<b>hello</b>', mock_signal)
assert bubble.message.text() == html.escape('<b>hello</b>')
assert bubble.message.text() == '<b>hello</b>'


def test_SpeechBubble_with_apostrophe_in_text(mocker):
Expand All @@ -1254,7 +1253,7 @@ def test_SpeechBubble_with_apostrophe_in_text(mocker):

message = "I'm sure, you are reading my message."
bubble = SpeechBubble('mock id', message, mock_signal)
assert bubble.message.text() == html.escape(message, quote=False)
assert bubble.message.text() == message


def test_MessageWidget_init(mocker):
Expand Down
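Review bot: Both updated assertions compare `bubble.message.text()` with the input string, which holds for any QLabel regardless of text format, so they no longer distinguish a safe plain-text label from one that would render `<b>hello</b>` as markup. Assuming `bubble.message` is a `SecureQLabel` (its construction is not in this hunk), add `assert bubble.message.textFormat() == Qt.PlainText` to `test_SpeechBubble_html_init`; `Qt` is already imported in this file.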
