Merge 76ae43f into cdd54e2

hasgeek · Jan 9, 2020 · 90681cc · 90681cc
2 parents cdd54e2 + 76ae43f
commit 90681cc
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/baseframe/forms/fields.py b/baseframe/forms/fields.py
@@ -9,7 +9,7 @@
 from flask import current_app
 from flask_wtf import RecaptchaField
 from wtforms.compat import text_type
-from wtforms.fields import FileField
+from wtforms.fields import FileField, Label
 from wtforms.fields import SelectField as SelectFieldBase
 from wtforms.fields import SelectMultipleField, SubmitField
 from wtforms.utils import unset_value
@@ -36,6 +36,7 @@
 
 __all__ = [
     # Imported from WTForms
+    'Label',
     'FileField',
     'SelectMultipleField',
     'SubmitField',

diff --git a/baseframe/forms/patch_wtforms.py b/baseframe/forms/patch_wtforms.py
@@ -6,7 +6,7 @@
 
 from __future__ import absolute_import
 
-from flask import escape
+from flask import Markup, escape
 import wtforms
 
 __all__ = []
@@ -71,3 +71,23 @@ def field_init(
 
 _patch_wtforms_field_init()
 del _patch_wtforms_field_init
+
+
+def _patch_label_call():
+    """Escape text before display (bug in WTForms < 3.0)"""
+
+    def label_call(self, text=None, **kwargs):
+        if "for_" in kwargs:
+            kwargs["for"] = kwargs.pop("for_")
+        else:
+            kwargs.setdefault("for", self.field_id)
+
+        attributes = wtforms.widgets.html_params(**kwargs)
+        text = escape(text or self.text)
+        return Markup("<label %s>%s</label>" % (attributes, text))
+
+    wtforms.fields.core.Label.__call__ = label_call
+
+
+_patch_label_call()
+del _patch_label_call
diff --git a/tests/test_fields.py b/tests/test_fields.py
@@ -186,3 +186,14 @@ def test_non_serializable(self):
         self.form.jsondata.data = {"key": datetime.now()}
         with self.assertRaises(TypeError):
             self.form.jsondata._value()
+
+    def test_escaped_label_text(self):
+        label = forms.Label('test', '<script>alert("test");</script>')
+        self.assertEqual(
+            label(for_='foo'),
+            """<label for="foo">&lt;script&gt;alert(&#34;test&#34;);&lt;/script&gt;</label>""",
+        )
+        self.assertEqual(
+            label(**{'for': 'bar'}),
+            """<label for="bar">&lt;script&gt;alert(&#34;test&#34;);&lt;/script&gt;</label>""",
+        )