strip tags on API summary/description (bug 666380)

jbalogh · Jun 22, 2011 · 652e75d · 652e75d
1 parent b5f88bc
commit 652e75d
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/apps/api/tests/test_legacy.py b/apps/api/tests/test_legacy.py
@@ -36,16 +36,30 @@ def test_json_not_implemented():
 class UtilsTest(TestCase):
     fixtures = ['base/addon_3615']
 
+    def setUp(self):
+        self.a = Addon.objects.get(pk=3615)
+
     def test_dict(self):
-        "Verify that we're getting dict."
-        a = Addon.objects.get(pk=3615)
-        d = api.utils.addon_to_dict(a)
-        assert d['learnmore'].endswith('/addon/a3615/?src=api')
-        d = api.utils.addon_to_dict(a, disco=True)
+        """Verify that we're getting dict."""
+        d = api.utils.addon_to_dict(self.a)
+        assert d, 'Add-on dictionary not found'
+        assert d['learnmore'].endswith('/addon/a3615/?src=api'), (
+            'Add-on details URL does not end with "?src=api"')
+
+    def test_dict_disco(self):
+        """Ensure that the """
+        d = api.utils.addon_to_dict(self.a, disco=True)
         u = '%s%s?src=api' % (settings.SERVICES_URL,
             reverse('discovery.addons.detail', args=['a3615']))
         eq_(d['learnmore'], u)
 
+    def test_sanitize(self):
+        self.a.summary = self.a.description = 'i <3 <a href="">amo</a>!'
+        self.a.save()
+        d = api.utils.addon_to_dict(self.a)
+        eq_(d['summary'], 'i &lt;3 amo!')
+        eq_(d['description'], 'i &lt;3 amo!')
+
 
 class No500ErrorsTest(TestCase):
     """

diff --git a/apps/api/utils.py b/apps/api/utils.py
@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.utils.html import strip_tags
 
 import amo
 from amo.urlresolvers import reverse
@@ -28,8 +29,8 @@ def addon_to_dict(addon, disco=False):
          'type': amo.ADDON_SLUGS_UPDATE[addon.type],
          'author': (addon.listed_authors[0].name if
                     addon.listed_authors else ''),
-         'summary': addon.summary,
-         'description': addon.description,
+         'summary': strip_tags(addon.summary),
+         'description': strip_tags(addon.description),
          'icon': addon.icon_url,
          'learnmore': learnmore,
          'reviews': url(addon.reviews_url),