Escape special symbols when exporting JSON. Fixes #78

tcms/templates/case/common/json_cases.txt

@@ -9,7 +9,7 @@
             "<img class='expand blind_icon' src='{% static "images/t1.gif" %}' border='0' alt=''>",
             "<input type='checkbox' name='case' value='{{ test_case.case_id }}'>",
             "<a href='{% url "testcases-get" test_case.case_id %}'>{{ test_case.case_id }}</a>",
-            "<a id='link_{{ test_case.case_id }}' href='{% url "testcases-get" test_case.case_id %}'>{{ test_case.summary }}</a>",
+            "<a id='link_{{ test_case.case_id }}' href='{% url "testcases-get" test_case.case_id %}'>{{ test_case.summary|escapejs|escape }}</a>",
             "<a href='{% url "tcms-profile" test_case.author.username %}'>{{ test_case.author }}</a>",
             {% if test_case.default_tester_id %}
                 "<a href='{% url "tcms-profile" test_case.default_tester.username %}'>{{ test_case.default_tester }}</a>"

tcms/templates/plan/common/json_plan_runs.txt

@@ -7,7 +7,7 @@
 		[
 			"<input type='checkbox' name='run' value='{{ run.pk }}' class='run_selector'>",
 			"<a href='{% url "testruns-get" run.run_id %}' >{{ run.run_id }}</a>",
-			"<a href='{% url "testruns-get" run.run_id %}' >{{ run.summary }}</a>",
+			"<a href='{% url "testruns-get" run.run_id %}' >{{ run.summary|escapejs|escape }}</a>",
 			"<a href='{% url "tcms-profile" run.manager.username %}'>{{ run.manager }}</a>",
 			{% if run.default_tester_id %}
 				"<a href='{% url "tcms-profile" run.default_tester.username %}'>{{ run.default_tester }}</a>"

tcms/templates/plan/common/json_plans.txt

@@ -9,7 +9,7 @@
         "DT_RowClass": {% if not test_plan.is_active %}"line-through inactive"{%else%}""{% endif %},
         "0":"<input type='checkbox' name='plan' value='{{ test_plan.pk }}' title='Select/Unselect'>",
         "1":"<a href='{{ test_plan.get_absolute_url }}'>{{ test_plan.plan_id }}</a>",
-        "2":"<a href='{{ test_plan.get_absolute_url }}' title='Go to {{ test_plan.name }}'>{{ test_plan }} </a>",
+        "2":"<a href='{{ test_plan.get_absolute_url }}' title='Go to {{ test_plan.name|escapejs|escape }}'>{{ test_plan|escapejs|escape }} </a>",
         "3":"<a href='{% url "tcms-profile" test_plan.author.username %}'>{{ test_plan.author }}</a>",
         {% if test_plan.owner %}
             "4":"<a href='{% url "tcms-profile" test_plan.owner.username %}'>{{ test_plan.owner }}</a>"

tcms/templates/run/common/json_runs.txt

@@ -7,7 +7,7 @@
 	[
 		"<input type='checkbox' name='run' value='{{  run.pk  }}' class='run_selector'>",
 		"<a href='{% url "testruns-get" run.run_id %}'>{{  run.run_id  }}</a>",
-		"<a href='{% url "testruns-get" run.run_id %}'>{{  run.summary  }}</a>",
+		"<a href='{% url "testruns-get" run.run_id %}'>{{  run.summary|escapejs|escape  }}</a>",
 		"<a href='{% url "tcms-profile" run.manager.username %}'>{{  run.manager  }}</a>",
 		{% if run.default_tester_id %}
 			"<a href='{% url "tcms-profile" run.default_tester.username %}'>{{ run.default_tester }}</a>"

tcms/testcases/tests.py

@@ -832,6 +832,12 @@ class TestAJAXSearchCases(BasePlanCase):
     def setUpTestData(cls):
         super(TestAJAXSearchCases, cls).setUpTestData()
 
+        # test data for Issue #78
+        # https://github.com/kiwitcms/Kiwi/issues/78
+        cls.case_bogus_summary = TestCaseFactory(
+            summary="""A Test Case with backslash(\), single quotes(') and double quotes(")""",
+            plan=[cls.plan])
+
         cls.search_data = {
             'summary': '',
             'author': '',

tcms/testplans/tests.py

@@ -851,12 +851,21 @@ def setUpTestData(cls):
         super(TestAJAXSearch, cls).setUpTestData()
 
         # Add more plans for testing search
-        for i in range(25):
+        for i in range(24):
             TestPlanFactory(author=cls.tester,
                             owner=cls.tester,
                             product=cls.product,
                             product_version=cls.version)
 
+        # test data for Issue #78
+        # https://github.com/kiwitcms/Kiwi/issues/78
+        cls.plan_bogus_name = TestPlanFactory(
+            name="""A name with backslash(\), single quotes(') and double quotes(")""",
+            author=cls.tester,
+            owner=cls.tester,
+            product=cls.product,
+            product_version=cls.version)
+
         # So far, each test has 26 plans
 
         cls.search_url = reverse('plans-ajax_search')
@@ -882,6 +891,18 @@ def setUpTestData(cls):
             'bSortable_4': 'true',
         }
 
+    def test_search_all_runs(self):
+        response = self.client.get(self.search_url, {'is_active': 'on'})
+
+        data = json.loads(str(response.content, encoding=settings.DEFAULT_CHARSET))
+        self.assertEqual(0, data['sEcho'])
+        self.assertEqual(TestPlan.objects.count(), data['iTotalRecords'])
+        self.assertEqual(TestPlan.objects.count(), data['iTotalDisplayRecords'])
+        for i, plan in enumerate(TestPlan.objects.all()):
+            self.assertEqual(
+                "<a href='{}'>{}</a>".format(plan.get_absolute_url(), plan.pk),
+                data['aaData'][i]['1'])
+
     def test_emtpy_plans(self):
         response = self.client.get(self.search_url, {})
 

tcms/testplans/views.py

@@ -404,8 +404,7 @@ def ajax_search(request, template_name='plan/common/json_plans.txt'):
         'num_runs',
         ''
     ]
-    return ajax_response(request, tps, column_names,
-                         'plan/common/json_plans.txt')
+    return ajax_response(request, tps, column_names, template_name)
 
 
 def ajax_response(request, queryset, column_names, template_name):

tcms/testruns/tests/test_views.py

@@ -656,6 +656,13 @@ def setUpTestData(cls):
             default_tester=cls.run_tester,
             tag=[TestTagFactory(name='rhel')])
 
+        # test data for Issue #78
+        # https://github.com/kiwitcms/Kiwi/issues/78
+        cls.run_bogus_summary = TestRunFactory(
+            summary="""A summary with backslash(\), single quotes(') and double quotes(")""",
+            manager=cls.tester,
+            default_tester=UserFactory(username='bogus_tester', email='bogus@example.com'))
+
         cls.search_data = {
             'action': 'search',
             # Add criteria for searching runs in each test
@@ -843,6 +850,35 @@ def test_search_by_tag(self):
                                search_result)
 
 
+class TestLoadRunsOfOnePlan(BaseCaseRun):
+    """
+    When the user goes to Test Plan -> Runs tab this view gets loaded.
+    It also uses a JSON template like AJAX search and it is succeptible to
+    bad characters in the Test Run summary.
+    """
+
+    @classmethod
+    def setUpTestData(cls):
+        super(TestLoadRunsOfOnePlan, cls).setUpTestData()
+
+        # test data for Issue #78
+        # https://github.com/kiwitcms/Kiwi/issues/78
+        cls.run_bogus_summary = TestRunFactory(
+            summary="""A summary with backslash(\), single quotes(') and double quotes(")""",
+            plan=cls.plan)
+
+    def test_load_runs(self):
+        load_url = reverse('load_runs_of_one_plan_url', args=[self.plan.pk])
+        response = self.client.get(load_url, {'plan': self.plan.pk})
+
+        # verify JSON can be parsed correctly (for #78)
+        data = json.loads(str(response.content, encoding=settings.DEFAULT_CHARSET))
+
+        # verify there is the same number of objects loaded
+        self.assertEqual(TestRun.objects.filter(plan=self.plan).count(), data['iTotalRecords'])
+        self.assertEqual(TestRun.objects.filter(plan=self.plan).count(), data['iTotalDisplayRecords'])
+
+
 class TestAddRemoveRunCC(BaseCaseRun):
     """Test view tcms.testruns.views.cc"""