Merge pull request #4 from fsbraun/fix/escape

fsbraun · web-flow · commit 591870989817 · 2024-04-29T16:02:17.000+02:00
Fix/escape
diff --git a/djangocms_frontend/contrib/link/helpers.py b/djangocms_frontend/contrib/link/helpers.py
@@ -8,8 +8,6 @@
 from django.core.exceptions import FieldError, ObjectDoesNotExist
 from django.utils.encoding import force_str
 
-from djangocms_frontend.settings import EMPTY_CHOICE
-
 LINK_MODELS = getattr(django_settings, "DJANGOCMS_FRONTEND_LINK_MODELS", [])
 
 
@@ -75,7 +73,7 @@ def get_link_choices(request, term="", lang=None, nbsp=None):
 
     if nbsp is None:
         nbsp = "" if term else "\u2000"
-    available_objects = [dict(id=EMPTY_CHOICE[0][0], text=EMPTY_CHOICE[0][1])]
+    available_objects = []
     # Now create our list of cms pages
     type_id = ContentType.objects.get_for_model(Page).id
     for value, descr in get_page_choices(lang):
diff --git a/tests/link/test_plugins.py b/tests/link/test_plugins.py
@@ -1,5 +1,6 @@
 from cms.api import add_plugin
 from cms.test_utils.testcases import CMSTestCase
+from cms.utils.urlutils import admin_reverse
 from django.http import HttpRequest
 
 from djangocms_frontend import settings
@@ -116,19 +117,6 @@ def test_plugin(self):
             f'Cound not find class="btn btn-outline-primary" in {response.content.decode("utf-8")}',
         )
 
-    def test_smart_link_field(self):
-        slf = SmartLinkField()
-        choices = get_choices(None)
-        self.assertEqual("example.com", choices[1][0])  # Site name
-        self.assertIn(("2-1", "home"), choices[1][1])
-
-        cleaned = slf.clean("2-1")
-        self.assertEqual(dict(model="cms.page", pk=1), cleaned)
-
-        self.assertEqual(slf.prepare_value("blabla"), "")
-        self.assertEqual(slf.prepare_value(dict(model="cms.page", pk=1)), "2-1")
-        self.assertEqual(slf.prepare_value(self.home), "2-1")
-
     def test_link_form(self):
         request = HttpRequest()
         request.POST = {
@@ -165,3 +153,43 @@ def test_link_form(self):
             request.POST["external_link"] = None
             form = LinkForm(request.POST)
             self.assertFalse(form.is_valid())  # no anchor for mail
+
+
+class AutocompleteViewTestCase(TestFixture, CMSTestCase):
+
+    def test_smart_link_field(self):
+        slf = SmartLinkField()
+        choices = get_choices(None)
+        self.assertEqual("example.com", choices[0][0])  # Site name
+        self.assertIn(("2-1", "home"), choices[0][1])
+
+        cleaned = slf.clean("2-1")
+        self.assertEqual(dict(model="cms.page", pk=1), cleaned)
+
+        self.assertEqual(slf.prepare_value("blabla"), "")
+        self.assertEqual(slf.prepare_value(dict(model="cms.page", pk=1)), "2-1")
+        self.assertEqual(slf.prepare_value(self.home), "2-1")
+
+    def test_autocomplete_view(self):
+        tricky_title = """d'acceuil: <script>alert("XSS");</script>"""
+        page = self.create_page(
+            title=tricky_title,
+            template="page.html",
+        )
+        expected_choices = [
+            "home", "content", tricky_title,
+        ]
+
+        self.publish(page, self.language)
+        autocomplete_url = admin_reverse("link_link_autocomplete")
+
+        with self.login_user_context(self.superuser):
+            response = self.client.get(autocomplete_url)
+
+        autocomplete_result = response.json()
+        choices = autocomplete_result.get("results")[0]
+
+        self.assertFalse((autocomplete_result.get("pagination") or {}).get("more"))
+
+        for expected, sent in zip(expected_choices, choices.get("children")):
+            self.assertEqual(expected, sent.get("text"))
