Escape dictionary curly bracket before renderingin HTML (#42)

chadell · web-flow · commit b533bad8dab7 · 2022-05-06T18:31:25.000+02:00
* Escape dictionary curly bracket before renderingin HTML

* use mark_safe instead of format_html

* add line

* Use mark_safe one the html has been already escaped

* no need to mark_safe a string

* Add some basic tests for render_diff

* add another case

* add test docstring
diff --git a/nautobot_ssot/templatetags/render_diff.py b/nautobot_ssot/templatetags/render_diff.py
@@ -1,6 +1,7 @@
 """Template tag for rendering a DiffSync diff dictionary in a more human-readable form."""
 
 from django import template
+from django.utils.safestring import mark_safe
 from django.utils.html import format_html
 
 
@@ -42,25 +43,24 @@ def render_diff_recursive(diff):
                 child_class = "diff-unchanged"
             else:
                 child_class = "diff-changed"
-            child_result += f'<li class="{child_class}">{child}<ul>'
+            child_result += format_html('<li class="{}">{}<ul>', child_class, child)
 
             for attr, value in child_diffs.pop("+", {}).items():
-                child_result += f'<li class="diff-added">{attr}: {value}</li>'
+                child_result += format_html('<li class="diff-added">{}: {}</li>', attr, value)
 
             for attr, value in child_diffs.pop("-", {}).items():
-                child_result += f'<li class="diff-subtracted">{attr}: {value}</li>'
+                child_result += format_html('<li class="diff-subtracted">{}: {}</li>', attr, value)
 
             if child_diffs:
                 child_result += render_diff_recursive(child_diffs)
 
             child_result += "</ul></li>"
-        result += f"<li>{record_type}<ul>{child_result}</ul></li>"
+        result += format_html("<li>{}<ul>{}</ul></li>", record_type, mark_safe(child_result))  # nosec
     return result
 
 
 @register.simple_tag
 def render_diff(diff):
     """Render a DiffSync diff dict to HTML."""
-    result = f"<ul>{render_diff_recursive(diff)}</ul>"
-
-    return format_html(result)
+    html_text = render_diff_recursive(diff)
+    return format_html("<ul>{}</ul>", mark_safe(html_text))  # nosec
diff --git a/nautobot_ssot/tests/test_render_diff.py b/nautobot_ssot/tests/test_render_diff.py
@@ -0,0 +1,64 @@
+"""Test Render_diff templatetags."""
+import unittest
+from nautobot_ssot.templatetags.render_diff import render_diff
+
+
+test_params = [
+    (
+        {
+            "region": {
+                "Catalonia": {"+": {"parent_name": None}, "-": {"parent_name": "Europe"}},
+            }
+        },
+        '<ul><li>region<ul><li class="diff-changed">Catalonia<ul><li class="diff-added">parent_name: None</li><li class="diff-subtracted">parent_name: Europe</li></ul></li></ul></li></ul>',
+    ),
+    (
+        {
+            "region": {
+                "Barcelona": {
+                    "+": {
+                        "cfs": {"asw_owner": ""},
+                        "slug": "barcelona",
+                        "description": "",
+                        "parent_name": "Catalonia",
+                    }
+                },
+            }
+        },
+        '<ul><li>region<ul><li class="diff-added">Barcelona<ul><li class="diff-added">cfs: {&#x27;asw_owner&#x27;: &#x27;&#x27;}</li><li class="diff-added">slug: barcelona</li><li class="diff-added">description: </li><li class="diff-added">parent_name: Catalonia</li></ul></li></ul></li></ul>',
+    ),
+    (
+        {
+            "model_name": {
+                "element": {
+                    "-": {
+                        "cfs": {"this is a XSS": "<script>alert(document.cookie)</script>"},
+                    }
+                },
+            }
+        },
+        '<ul><li>model_name<ul><li class="diff-subtracted">element<ul><li class="diff-subtracted">cfs: {&#x27;this is a XSS&#x27;: &#x27;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&#x27;}</li></ul></li></ul></li></ul>',
+    ),
+    (
+        {
+            "model_name": {
+                "element": {
+                    "-": {
+                        "description": "<script>alert(document.cookie)</script>",
+                    }
+                },
+            }
+        },
+        '<ul><li>model_name<ul><li class="diff-subtracted">element<ul><li class="diff-subtracted">description: &lt;script&gt;alert(document.cookie)&lt;/script&gt;</li></ul></li></ul></li></ul>',
+    ),
+]
+
+
+class TestRenderDiff(unittest.TestCase):
+    """Tests for render_diff function."""
+
+    def test_render_diff_as_expected(self):
+        """Testing expected escaped and rendered HTML."""
+        for input_dict, rendered_diff in test_params:
+            with self.subTest():
+                self.assertEqual(render_diff(input_dict), rendered_diff)
