Fix HTML entities being escaped in speech bubbles. #703

6 changes: 2 additions & 4 deletions securedrop_client/gui/__init__.py
Expand Up @@ -17,8 +17,6 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import html

from typing import Union

from PyQt5.QtWidgets import QLabel, QHBoxLayout, QPushButton, QWidget
Expand Down Expand Up @@ -161,8 +159,8 @@ def __init__(
flags: Union[Qt.WindowFlags, Qt.WindowType] = Qt.WindowFlags(),
):
super().__init__(parent, flags)
self.setTextFormat(Qt.PlainText)
self.setText(text)

def setText(self, text: str) -> None:
super().setText(html.escape(text, quote=False))
self.setTextFormat(Qt.PlainText)
super().setText(text)
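Review bot: The plain-text guard is enforced only inside the new `setText` override; the inherited `QLabel.setTextFormat` is still callable, so, if I read QLabel correctly, a later `label.setTextFormat(Qt.AutoText)` or `Qt.RichText` on an already-populated label would render the stored text as markup without any further `setText` call. If that is the accepted contract, the override should say so in a docstring, e.g. `"""Set the label text, forcing Qt.PlainText so any markup in *text* is displayed literally rather than rendered."""`; if not, also override the setter with `def setTextFormat(self, _format: Qt.TextFormat) -> None:` / `super().setTextFormat(Qt.PlainText)` so the format cannot be switched away from plain text. The enclosing `__init__` starts outside the hunk.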
13 changes: 7 additions & 6 deletions tests/gui/test_init.py
Expand Up @@ -2,9 +2,7 @@
Tests for the gui helper functions in __init__.py
"""

import html

from PyQt5.QtCore import QSize
from PyQt5.QtCore import QSize, Qt
from PyQt5.QtWidgets import QApplication

from securedrop_client.gui import SecureQLabel, SvgPushButton, SvgLabel, SvgToggleButton
Expand Down Expand Up @@ -135,16 +133,19 @@ def test_SvgLabel_init(mocker):
def test_SecureQLabel_init():
label_text = '<script>alert("hi!");</script>'
sl = SecureQLabel(label_text)
assert sl.text() == html.escape(label_text, quote=False)
assert sl.text() == label_text


def test_SecureQLabel_setText():
def test_SecureQLabel_setText(mocker):
sl = SecureQLabel("hello")
assert sl.text() == "hello"

label_text = '<script>alert("hi!");</script>'
sl.setTextFormat = mocker.MagicMock()
sl.setText(label_text)
assert sl.text() == html.escape(label_text, quote=False)
assert sl.text() == label_text
# Ensure *safe* plain text with no HTML entities.
sl.setTextFormat.assert_called_once_with(Qt.PlainText)


def test_SecureQLabel_quotes_not_escaped_for_readability():
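Review bot: The updated assertions `assert sl.text() == label_text` in test_SecureQLabel_init and test_SecureQLabel_setText no longer distinguish plain from rich text, because QLabel.text() returns the string as it was set whichever format is active, so both would still pass if the PlainText guard were removed again. test_SecureQLabel_setText replaces `setTextFormat` with a MagicMock and checks only that the call was made, and test_SecureQLabel_init does not check the format at all; adding `assert sl.textFormat() == Qt.PlainText` on the real, unmocked label after construction and after `setText` pins the invariant the fix depends on. The same applies to the two updated SpeechBubble assertions in tests/gui/test_widgets.py. The comment `# Ensure *safe* plain text with no HTML entities.` overstates what the mock verifies; `# Ensure setText requested the plain-text format.` matches the assertion beneath it.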
5 changes: 2 additions & 3 deletions tests/gui/test_widgets.py
@@ -1,7 +1,6 @@
"""
Make sure the UI widgets are configured correctly and work as expected.
"""
import html
import pytest

from PyQt5.QtCore import Qt, QEvent
Expand Down Expand Up @@ -1230,7 +1229,7 @@ def test_SpeechBubble_html_init(mocker):
mock_signal = mocker.MagicMock()

bubble = SpeechBubble('mock id', '<b>hello</b>', mock_signal)
assert bubble.message.text() == html.escape('<b>hello</b>')
assert bubble.message.text() == '<b>hello</b>'


def test_SpeechBubble_with_apostrophe_in_text(mocker):
Expand All @@ -1239,7 +1238,7 @@ def test_SpeechBubble_with_apostrophe_in_text(mocker):

message = "I'm sure, you are reading my message."
bubble = SpeechBubble('mock id', message, mock_signal)
assert bubble.message.text() == html.escape(message, quote=False)
assert bubble.message.text() == message


def test_MessageWidget_init(mocker):