From 71a8b05fd50d60f9532aab45b2d5f97d79fc12bc Mon Sep 17 00:00:00 2001
From: Michael Z
Date: Mon, 19 Sep 2022 14:38:10 -0400
Subject: [PATCH] Do not escape org name twice
If the entry is escaped, we'd need to mark every use of it in the templates as `| safe` which is more dubious than not escaping the database entry in the first place.
Fixes #6357
---
 securedrop/journalist_app/admin.py | 3 +--
 securedrop/tests/test_journalist.py | 20 --------------------
 2 files changed, 1 insertion(+), 22 deletions(-)
diff --git a/securedrop/journalist_app/admin.py b/securedrop/journalist_app/admin.py
index bb62ea43cf..24ee10af76 100644
--- a/securedrop/journalist_app/admin.py
+++ b/securedrop/journalist_app/admin.py
@@ -2,7 +2,6 @@ import binascii
 import os
-from html import escape
 from typing import Optional, Union
 import werkzeug
@@ -132,7 +131,7 @@ def update_org_name() -> Union[str, werkzeug.Response]:
 if form.validate_on_submit():
 try:
 value = request.form["organization_name"]
- InstanceConfig.set_organization_name(escape(value, quote=True))
+ InstanceConfig.set_organization_name(value)
 flash(gettext("Preferences saved."), "org-name-success")
 except Exception:
 flash(gettext("Failed to update organization name."), "org-name-error")
diff --git a/securedrop/tests/test_journalist.py b/securedrop/tests/test_journalist.py
index 5981621404..ed1ed2c9f5 100644
--- a/securedrop/tests/test_journalist.py
+++ b/securedrop/tests/test_journalist.py
@@ -7,7 +7,6 @@ import random
 import zipfile
 from base64 import b64decode
-from html import escape as htmlescape
 from io import BytesIO
 from pathlib import Path
 
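Review bot: The new `InstanceConfig.set_organization_name(value)` line in the update_org_name hunk stores the submitted name verbatim, so protection against markup in the organization name now rests entirely on Jinja2 autoescaping at every render site, and the commit deletes `test_orgname_html_escaped` without adding a test for that new contract. Any template that marks the field `| safe`, or any render outside an autoescaped context (a non-.html template, a plain-text or JSON response), would now emit the stored markup unescaped, so it is worth a one-time check of the templates and a regression test that keeps it that way. I would add a comment on the `+` line, `# Stored unescaped on purpose; templates must rely on Jinja2 autoescape and must never render organization_name with | safe`, and replace the deleted test with one that stores harmless markup and asserts both that it is kept verbatim and that it does not appear raw in the rendered page. update_org_name's body continues outside the hunk.

```python
# replacement for the deleted test_orgname_html_escaped in securedrop/tests/test_journalist.py
def test_orgname_stored_raw_and_rendered_escaped(journalist_app, test_admin):
    # constructed sample: harmless markup, enough to detect a missing escape
    t_name = '<b>Org & "Co"</b>'
    with journalist_app.test_client() as app:
        _login_user(app, test_admin["username"], test_admin["password"], test_admin["otp_secret"])
        form = journalist_app_module.forms.OrgNameForm(organization_name=t_name)
        resp = app.post(url_for("admin.update_org_name"), data=form.data, follow_redirects=True)
        # stored verbatim: escaping is the template's job, not the model's
        assert InstanceConfig.get_current().organization_name == t_name
        # rendered escaped: the raw markup must never reach the browser
        assert b"<b>Org" not in resp.data
```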
@@ -2003,25 +2002,6 @@ def test_orgname_oversized_fails(config, journalist_app, test_admin, locale):
 assert InstanceConfig.get_current().organization_name == "SecureDrop"
-@flaky(rerun_filter=utils.flaky_filter_xfail)
-@pytest.mark.parametrize("locale", get_test_locales())
-def test_orgname_html_escaped(config, journalist_app, test_admin, locale):
- t_name = '"> '
- with journalist_app.test_client() as app:
- _login_user(app, test_admin["username"], test_admin["password"], test_admin["otp_secret"])
- form = journalist_app_module.forms.OrgNameForm(organization_name=t_name)
- assert InstanceConfig.get_current().organization_name == "SecureDrop"
- with InstrumentedApp(journalist_app) as ins:
- resp = app.post(
- url_for("admin.update_org_name", l=locale), data=form.data, follow_redirects=True
- )
- assert page_language(resp.data) == language_tag(locale)
- msgids = ["Preferences saved."]
- with xfail_untranslated_messages(config, locale, msgids):
- ins.assert_message_flashed(gettext(msgids[0]), "org-name-success")
- assert InstanceConfig.get_current().organization_name == htmlescape(t_name, quote=True)
-
-
 def test_logo_default_available(journalist_app):
 # if the custom image is available, this test will fail
 custom_image_location = os.path.join(config.SECUREDROP_ROOT, "static/i/custom_logo.png")