fix(jinja): autoescape data passed to template when merging (#444)

Resolves #438
adfinis · Nov 4, 2021 · 2ac030e · 2ac030e
1 parent 65eb2fa
commit 2ac030e
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/document_merge_service/api/engines.py b/document_merge_service/api/engines.py
@@ -142,7 +142,7 @@ def merge(self, data, buf):
         doc = DocxTemplate(self.template)
         data["_tpl"] = doc
 
-        doc.render(data, get_jinja_env())
+        doc.render(data, get_jinja_env(), autoescape=True)
         doc.save(buf)
         return buf
 

diff --git a/document_merge_service/api/tests/snapshots/snap_test_template.py b/document_merge_service/api/tests/snapshots/snap_test_template.py
@@ -4,6 +4,7 @@
 
 from snapshottest import Snapshot
 
+
 snapshots = Snapshot()
 
 snapshots[
@@ -105,6 +106,39 @@
 </w:body>
 """
 
+snapshots[
+    "test_merge_expression[{{escapeme}}-template_content3] 1"
+] = """<w:body xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml">
+  <w:p>
+    <w:pPr>
+      <w:pStyle w:val="Normal"/>
+      <w:rPr/>
+    </w:pPr>
+    <w:r>
+      <w:rPr>
+        <w:lang w:val="de-CH" w:eastAsia="zh-CN" w:bidi="hi-IN"/>
+      </w:rPr>
+      <w:t xml:space="preserve">Test</w:t>
+    </w:r>
+    <w:r>
+      <w:rPr>
+        <w:lang w:val="de-CH" w:eastAsia="zh-CN" w:bidi="hi-IN"/>
+      </w:rPr>
+      <w:t xml:space="preserve">: &lt;&amp;&gt;</w:t>
+    </w:r>
+  </w:p>
+  <w:sectPr>
+    <w:type w:val="nextPage"/>
+    <w:pgSz w:w="11906" w:h="16838"/>
+    <w:pgMar w:left="1134" w:right="1134" w:header="0" w:top="1134" w:footer="0" w:bottom="1134" w:gutter="0"/>
+    <w:pgNumType w:fmt="decimal"/>
+    <w:formProt w:val="false"/>
+    <w:textDirection w:val="lrTb"/>
+    <w:docGrid w:type="default" w:linePitch="240" w:charSpace="0"/>
+  </w:sectPr>
+</w:body>
+"""
+
 snapshots["test_template_detail 1"] = {
     "available_placeholders": None,
     "description": """Article star very capital morning option. Interesting station story.

diff --git a/document_merge_service/api/tests/test_template.py b/document_merge_service/api/tests/test_template.py
@@ -540,6 +540,8 @@ def test_template_merge_docx(
             '{{NAME and ", represents " + NAME}}',
             {"NAME": ""},
         ),
+        # passed data should be escaped
+        ("{{escapeme}}", {"escapeme": "<&>"}),
     ],
 )
 def test_merge_expression(