Uses Markup in controls

seantis · Sep 20, 2023 · e26c028 · e26c028
1 parent fe354b6
commit e26c028
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 15 deletions.
diff --git a/src/riskmatrix/controls.py b/src/riskmatrix/controls.py
@@ -1,6 +1,9 @@
 from enum import Enum
+from markupsafe import Markup
 from wtforms.widgets import html_params
 
+from riskmatrix.i18n import translate
+
 
 from typing import ClassVar
 from typing import Literal
@@ -24,8 +27,8 @@ def __init__(self, name: str, style: IconStyle = IconStyle.regular):
         self.name = name
         self.style = style
 
-    def __call__(self) -> str:
-        return f'<i class="{self.style} fa-{self.name}"></i>'
+    def __call__(self) -> Markup:
+        return Markup('<i class="{} fa-{}"></i>').format(self.style, self.name)
 
     def __str__(self) -> str:
         return self.__call__()
@@ -126,37 +129,39 @@ def __init__(
             if name:
                 self.html_params['name'] = name
 
-    def __call__(self) -> str:
+    def __call__(self) -> Markup:
+        assert self.element in ('a', 'button')
         if self.disabled and self.description:
-            description = html_params(**{
-                'title': self.description,
+            desc_params = {
+                'title': translate(self.description),
                 'class': 'd-inline-block',
                 'tabindex': 0,
                 'data_bs_toggle': 'tooltip'
-            })
-            html = f'<span {description}>'
+            }
+            html = Markup(f'<span {html_params(**desc_params)}>')
         else:
-            html = ''
+            html = Markup('')
 
-        html += f'<{self.element} {html_params(**self.html_params)}>'
+        html += Markup(f'<{self.element} {html_params(**self.html_params)}>')
 
         if not self.disabled and self.description:
-            description = html_params(title=self.description)
-            html += f'<span {description} data-bs-toggle="tooltip">'
+            description = html_params(title=translate(self.description))
+            html += Markup(f'<span {description} data-bs-toggle="tooltip">')
 
         if self.icon:
             html += self.icon()
         if self.icon and self.title:
             html += ' '
-        html += f'{self.title}'
+
+        html += translate(self.title)
 
         if not self.disabled and self.description:
-            html += '</span>'
+            html += Markup('</span>')
 
-        html += f'</{self.element}>'
+        html += Markup(f'</{self.element}>')
 
         if self.disabled and self.description:
-            html += '</span>'
+            html += Markup('</span>')
 
         return html
 

diff --git a/tests/test_controls.py b/tests/test_controls.py
@@ -56,6 +56,12 @@ def test_button_title():
     button = Button(title='Edit')
     assert button() == '<button class="btn" type="button">Edit</button>'
 
+    # html injection
+    button = Button(title='<script>')
+    assert button() == (
+        '<button class="btn" type="button">&lt;script&gt;</button>'
+    )
+
 
 def test_button_description():
     button = Button(description='Edit')
@@ -65,6 +71,14 @@ def test_button_description():
         '</button>'
     )
 
+    # html injection
+    button = Button(description='<script>')
+    assert button() == (
+        '<button class="btn" type="button">'
+        '<span title="&lt;script&gt;" data-bs-toggle="tooltip"></span>'
+        '</button>'
+    )
+
 
 def test_button_url():
     button = Button(url='http://example.com')