fix: escaped characters in autocomplete view of link plugin (#217)

fsbraun · web-flow · commit 69ba73e28669 · 2024-04-29T15:59:00.000+02:00
diff --git a/djangocms_frontend/contrib/link/helpers.py b/djangocms_frontend/contrib/link/helpers.py
@@ -7,9 +7,6 @@
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import FieldError, ObjectDoesNotExist
 from django.utils.encoding import force_str
-from django.utils.html import mark_safe
-
-from djangocms_frontend.settings import EMPTY_CHOICE
 
 LINK_MODELS = getattr(django_settings, "DJANGOCMS_FRONTEND_LINK_MODELS", [])
 
@@ -62,12 +59,21 @@ def get_object_for_value(value):
     return None
 
 
+def unescape(text, nbsp):
+    return (text.replace("&nbsp;", nbsp)
+            .replace("&amp;", "&")
+            .replace("&lt;", "<")
+            .replace("&gt;", ">")
+            .replace("&quot;", '"')
+            .replace("&#x27;", "'"))
+
+
 def get_link_choices(request, term="", lang=None, nbsp=None):
     global _querysets
 
     if nbsp is None:
         nbsp = "" if term else "\u2000"
-    available_objects = [dict(id=EMPTY_CHOICE[0][0], text=EMPTY_CHOICE[0][1])]
+    available_objects = []
     # Now create our list of cms pages
     type_id = ContentType.objects.get_for_model(Page).id
     for value, descr in get_page_choices(lang):
@@ -78,7 +84,9 @@ def get_link_choices(request, term="", lang=None, nbsp=None):
                     "children": [
                         dict(
                             id=f"{type_id}-{page}",
-                            text=mark_safe(name.replace("&nbsp;", nbsp)),
+                            # django admin's autocomplete view requires unescaped strings
+                            # get_page_choices escepes strings, so we undo the escape
+                            text=unescape(name, nbsp),
                         )
                         for page, name in descr
                         if not isinstance(term, str) or term.upper() in name.upper()
diff --git a/tests/link/test_plugins.py b/tests/link/test_plugins.py
@@ -1,5 +1,6 @@
 from cms.api import add_plugin
 from cms.test_utils.testcases import CMSTestCase
+from cms.utils.urlutils import admin_reverse
 from django.http import HttpRequest
 
 from djangocms_frontend import settings
@@ -116,19 +117,6 @@ def test_plugin(self):
             f'Cound not find class="btn btn-outline-primary" in {response.content.decode("utf-8")}',
         )
 
-    def test_smart_link_field(self):
-        slf = SmartLinkField()
-        choices = get_choices(None)
-        self.assertEqual("example.com", choices[1][0])  # Site name
-        self.assertIn(("2-1", "home"), choices[1][1])
-
-        cleaned = slf.clean("2-1")
-        self.assertEqual(dict(model="cms.page", pk=1), cleaned)
-
-        self.assertEqual(slf.prepare_value("blabla"), "")
-        self.assertEqual(slf.prepare_value(dict(model="cms.page", pk=1)), "2-1")
-        self.assertEqual(slf.prepare_value(self.home), "2-1")
-
     def test_link_form(self):
         request = HttpRequest()
         request.POST = {
@@ -165,3 +153,43 @@ def test_link_form(self):
             request.POST["external_link"] = None
             form = LinkForm(request.POST)
             self.assertFalse(form.is_valid())  # no anchor for mail
+
+
+class AutocompleteViewTestCase(TestFixture, CMSTestCase):
+
+    def test_smart_link_field(self):
+        slf = SmartLinkField()
+        choices = get_choices(None)
+        self.assertEqual("example.com", choices[0][0])  # Site name
+        self.assertIn(("2-1", "home"), choices[0][1])
+
+        cleaned = slf.clean("2-1")
+        self.assertEqual(dict(model="cms.page", pk=1), cleaned)
+
+        self.assertEqual(slf.prepare_value("blabla"), "")
+        self.assertEqual(slf.prepare_value(dict(model="cms.page", pk=1)), "2-1")
+        self.assertEqual(slf.prepare_value(self.home), "2-1")
+
+    def test_autocomplete_view(self):
+        tricky_title = """d'acceuil: <script>alert("XSS");</script>"""
+        page = self.create_page(
+            title=tricky_title,
+            template="page.html",
+        )
+        expected_choices = [
+            "home", "content", tricky_title,
+        ]
+
+        self.publish(page, self.language)
+        autocomplete_url = admin_reverse("link_link_autocomplete")
+
+        with self.login_user_context(self.superuser):
+            response = self.client.get(autocomplete_url)
+
+        autocomplete_result = response.json()
+        choices = autocomplete_result.get("results")[0]
+
+        self.assertFalse((autocomplete_result.get("pagination") or {}).get("more"))
+
+        for expected, sent in zip(expected_choices, choices.get("children")):
+            self.assertEqual(expected, sent.get("text"))
