Merge pull request #2 from fsbraun/fix/escape

fsbraun · web-flow · commit 0dc9b41715d4 · 2024-04-29T15:22:47.000+02:00
Fix/escape
diff --git a/.github/workflows/publish-to-test-pypi.yml b/.github/workflows/publish-to-test-pypi.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     environment:
       name: pypi
-      url: https://pypi.org/p/djangocms-frontend
+      url: https://test.pypi.org/p/djangocms-frontend
     permissions:
       id-token: write
     steps:
diff --git a/README.rst b/README.rst
@@ -132,10 +132,6 @@ For a manual install:
 
 -  run ``python manage.py migrate``
 
-If you use **Django < 3.2** please also add ``django-jsonfield-backport`` to
-your ``requirements.txt`` and ``django_jsonfield_backport`` to your
-``INSTALLED_APPS`` list.
-
 **djangocms-frontend** has a weak dependencies on **djangocms-icon** you can
 install separately or by adding an option:
 
@@ -169,7 +165,7 @@ See `LICENSE <https://github.com/django-cms/djangocms-frontend/blob/master/LICEN
 .. |python| image:: https://img.shields.io/badge/python-3.7+-blue.svg
    :target: https://pypi.org/project/djangocms-frontend/
 
-.. |django| image:: https://img.shields.io/badge/django-3.2--4.2-blue.svg
+.. |django| image:: https://img.shields.io/badge/django-3.2---blue.svg
    :target: https://www.djangoproject.com/
 
 .. |djangocms| image:: https://img.shields.io/badge/django%20CMS-3.8%2B-blue.svg
diff --git a/djangocms_frontend/contrib/link/helpers.py b/djangocms_frontend/contrib/link/helpers.py
@@ -7,7 +7,6 @@
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import FieldError, ObjectDoesNotExist
 from django.utils.encoding import force_str
-from django.utils.html import mark_safe
 
 from djangocms_frontend.settings import EMPTY_CHOICE
 
@@ -62,6 +61,15 @@ def get_object_for_value(value):
     return None
 
 
+def unescape(text, nbsp):
+    return (text.replace("&nbsp;", nbsp)
+            .replace("&amp;", "&")
+            .replace("&lt;", "<")
+            .replace("&gt;", ">")
+            .replace("&quot;", '"')
+            .replace("&#x27;", "'"))
+
+
 def get_link_choices(request, term="", lang=None, nbsp=None):
     global _querysets
 
@@ -78,7 +86,9 @@ def get_link_choices(request, term="", lang=None, nbsp=None):
                     "children": [
                         dict(
                             id=f"{type_id}-{page}",
-                            text=mark_safe(name.replace("&nbsp;", nbsp)),
+                            # django admin's autocomplete view requires unescaped strings
+                            # get_page_choices escepes strings, so we undo the escape
+                            text=unescape(name, nbsp),
                         )
                         for page, name in descr
                         if not isinstance(term, str) or term.upper() in name.upper()
