From 2854abcfa4eb7f8c40924555f350024a7e7a2af9 Mon Sep 17 00:00:00 2001
From: "Nicholas H.Tollervey" <ntoll@ntoll.org>
Date: Thu, 16 Jan 2020 14:44:14 +0000
Subject: [PATCH] Fix HTML entities being escaped in speech bubbles.

---
 securedrop_client/gui/__init__.py |  6 ++----
 tests/gui/test_init.py            | 13 +++++++------
 tests/gui/test_widgets.py         |  5 ++---
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/securedrop_client/gui/__init__.py b/securedrop_client/gui/__init__.py
index 39a154d30..ea029a7da 100644
--- a/securedrop_client/gui/__init__.py
+++ b/securedrop_client/gui/__init__.py
@@ -17,8 +17,6 @@
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 
-import html
-
 from typing import Union
 
 from PyQt5.QtWidgets import QLabel, QHBoxLayout, QPushButton, QWidget
@@ -161,8 +159,8 @@ def __init__(
         flags: Union[Qt.WindowFlags, Qt.WindowType] = Qt.WindowFlags(),
     ):
         super().__init__(parent, flags)
-        self.setTextFormat(Qt.PlainText)
         self.setText(text)
 
     def setText(self, text: str) -> None:
-        super().setText(html.escape(text, quote=False))
+        self.setTextFormat(Qt.PlainText)
+        super().setText(text)
diff --git a/tests/gui/test_init.py b/tests/gui/test_init.py
index 3da2b0961..b1451fe66 100644
--- a/tests/gui/test_init.py
+++ b/tests/gui/test_init.py
@@ -2,9 +2,7 @@
 Tests for the gui helper functions in __init__.py
 """
 
-import html
-
-from PyQt5.QtCore import QSize
+from PyQt5.QtCore import QSize, Qt
 from PyQt5.QtWidgets import QApplication
 
 from securedrop_client.gui import SecureQLabel, SvgPushButton, SvgLabel, SvgToggleButton
@@ -135,16 +133,19 @@ def test_SvgLabel_init(mocker):
 def test_SecureQLabel_init():
     label_text = '<script>alert("hi!");</script>'
     sl = SecureQLabel(label_text)
-    assert sl.text() == html.escape(label_text, quote=False)
+    assert sl.text() == label_text
 
 
-def test_SecureQLabel_setText():
+def test_SecureQLabel_setText(mocker):
     sl = SecureQLabel("hello")
     assert sl.text() == "hello"
 
     label_text = '<script>alert("hi!");</script>'
+    sl.setTextFormat = mocker.MagicMock()
     sl.setText(label_text)
-    assert sl.text() == html.escape(label_text, quote=False)
+    assert sl.text() == label_text
+    # Ensure *safe* plain text with no HTML entities.
+    sl.setTextFormat.assert_called_once_with(Qt.PlainText)
 
 
 def test_SecureQLabel_quotes_not_escaped_for_readability():
diff --git a/tests/gui/test_widgets.py b/tests/gui/test_widgets.py
index d2611a7cf..f81b76b10 100644
--- a/tests/gui/test_widgets.py
+++ b/tests/gui/test_widgets.py
@@ -1,7 +1,6 @@
 """
 Make sure the UI widgets are configured correctly and work as expected.
 """
-import html
 import pytest
 
 from PyQt5.QtCore import Qt, QEvent
@@ -1230,7 +1229,7 @@ def test_SpeechBubble_html_init(mocker):
     mock_signal = mocker.MagicMock()
 
     bubble = SpeechBubble('mock id', '<b>hello</b>', mock_signal)
-    assert bubble.message.text() == html.escape('<b>hello</b>')
+    assert bubble.message.text() == '<b>hello</b>'
 
 
 def test_SpeechBubble_with_apostrophe_in_text(mocker):
@@ -1239,7 +1238,7 @@ def test_SpeechBubble_with_apostrophe_in_text(mocker):
 
     message = "I'm sure, you are reading my message."
     bubble = SpeechBubble('mock id', message, mock_signal)
-    assert bubble.message.text() == html.escape(message, quote=False)
+    assert bubble.message.text() == message
 
 
 def test_MessageWidget_init(mocker):