fix: html escape char in non html field (#514)

remigermain · web-flow · commit 7b8853dc8cef · 2026-01-29T10:23:33.000+01:00
diff --git a/apps/commons/tests/test_process_text.py b/apps/commons/tests/test_process_text.py
@@ -936,3 +936,27 @@ def test_update_project_tab_item(self):
                 ),
                 content["content"],
             )
+
+    def test_html_escape_char(self):
+        self.client.force_authenticate(self.user)
+        title = "this is a & title with many & char"
+        description = "<p>this is a & description with many & char</p>"
+        purpose = "this is a & purpose with many & char"
+        payload = {
+            "title": title,
+            "description": description,
+            "is_locked": faker.boolean(),
+            "is_shareable": faker.boolean(),
+            "purpose": purpose,
+            "organizations_codes": [self.organization.code],
+            "images_ids": [],
+        }
+        response = self.client.post(reverse("Project-list"), data=payload)
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        content = response.json()
+
+        self.assertEqual(content["title"], title)
+        # description is a html field so all & is escaped
+        description = "<p>this is a &amp; description with many &amp; char</p>"
+        self.assertEqual(content["description"], description)
+        self.assertEqual(content["purpose"], purpose)
diff --git a/apps/commons/utils.py b/apps/commons/utils.py
@@ -1,5 +1,6 @@
 import base64
 import gc
+import html
 import io
 import itertools
 import uuid
@@ -69,14 +70,16 @@ def iter_img_b64(soup: BeautifulSoup):
             yield img
 
 
-def remove_images_text(text: str) -> str:
+def remove_images_text(text: str, unescape=True) -> str:
     """Process rich text sent by the frontend.
     Some texts can contain images
 
     Parameters
     ----------
     text : str
         The text to process.
+    escape : bool
+        escape html entities in text
 
     Returns
     -------
@@ -87,6 +90,9 @@ def remove_images_text(text: str) -> str:
 
     for img in iter_img_b64(soup):
         img.decompose()
+
+    if unescape:
+        return html.unescape(str(soup))
     return str(soup)
 
 
