Document we only support str and int for now in format_values

We don't support nested dictionaries in `format_values` or random objects. Only `str` and `int`. That should be enough for now. Skip all the values that are not `str` or `int` from the format values to render the messages.
readthedocs · Jan 4, 2024 · 24bd75d · 24bd75d
1 parent 2030e3d
commit 24bd75d
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/readthedocs/notifications/messages.py b/readthedocs/notifications/messages.py
@@ -41,8 +41,16 @@ def _escape_format_values(self, format_values):
         This is a protection against rendering potential values defined by the user.
         It uses the Django's util function ``escape`` (similar to ``|escape`` template tag filter)
         to convert HTML characters into regular characters.
+
+        NOTE: currently, we don't support values that are not ``str`` or ``int``.
+        If we want to support other types or nested dictionaries,
+        we will need to iterate recursively to apply the ``escape`` function.
         """
-        return {key: escape(value) for key, value in format_values.items()}
+        return {
+            key: escape(value)
+            for key, value in format_values.items()
+            if isinstance(value, (str, int))
+        }
 
     def set_format_values(self, format_values):
         self.format_values = self._escape_format_values(format_values)

diff --git a/readthedocs/notifications/tests/test_messages.py b/readthedocs/notifications/tests/test_messages.py
@@ -20,6 +20,25 @@ def test_xss_protection(self):
         assert message.get_rendered_header() == "XSS: &lt;p&gt;xss&lt;/p&gt;"
         assert message.get_rendered_body() == "XSS: &lt;span&gt;xss&lt;/span&gt;"
 
+    def test_invalid_format_values_type(self):
+        message = Message(
+            id="test",
+            header="Header: {dict}",
+            body="Body: {dict}",
+            type=INFO,
+        )
+        message.set_format_values(
+            {
+                "dict": {
+                    "key": "value",
+                },
+            }
+        )
+
+        # The rendered version skips the ``dict`` because it's not supported
+        assert message.get_rendered_header() == "Header: "
+        assert message.get_rendered_body() == "Body: "
+
     def test_missing_key_format_values(self):
         message = Message(
             id="test",