plone / plone.app.content

Various views for Plone, such as folder_contents, as well as general content infrastructure, such as base classes and name choosers.
https://pypi.org/project/plone.app.content/

Wrong handling of special characters in @@getVocabulary #244

Closed frapell closed 2 years ago

frapell commented 2 years ago

This is noticeable when using special characters in titles and seeing them in folder_contents [image].

Here's the JSON returned by the @@getVocabulary call

{"results": [{"Title": "News", "path": "/news", "getURL": "http://localhost:8080/Plone/news", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Folder", "CreationDate": "2022-04-29T11:12:47-03:00", "Creator": "admin", "Description": "Site News", "EffectiveDate": "None", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:12:47-03:00", "Subject": [], "Type": "Folder", "UID": "72ecd0f5d13843f1854d2607ca092658", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "news", "is_folderish": true, "review_state": "published", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}, {"Title": "Events", "path": "/events", "getURL": "http://localhost:8080/Plone/events", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Folder", "CreationDate": "2022-04-29T11:12:47-03:00", "Creator": "admin", "Description": "Site Events", "EffectiveDate": "None", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:12:47-03:00", "Subject": [], "Type": "Folder", "UID": "51dc3ef2bd074fc5a0d512a911d8b8c1", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "events", "is_folderish": true, "review_state": "published", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}, {"Title": "Users", "path": "/Members", "getURL": "http://localhost:8080/Plone/Members", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Folder", "CreationDate": "2022-04-29T11:12:47-03:00", "Creator": "admin", "Description": "Site Users", "EffectiveDate": "None", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:12:47-03:00", "Subject": [], "Type": "Folder", "UID": "bce8da30aef545aaa902ace3105b30ef", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "Members", "is_folderish": true, "review_state": "private", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}, {"Title": "Special @$ \"Characters\"  
Title &amp; More", "path": "/special-characters-in-title-more", "getURL": "http://localhost:8080/Plone/special-characters-in-title-more", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Document", "CreationDate": "2022-04-29T11:13:36-03:00", "Creator": "admin", "Description": "Tests", "EffectiveDate": "2022-04-29T11:13:00-03:00", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:17:02-03:00", "Subject": [], "Type": "Page", "UID": "774bc825b3c249ba9ad4948dadfeae7d", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "special-characters-in-title-more", "is_folderish": false, "review_state": "published", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}, {"Title": "", "path": "/input", "getURL": "http://localhost:8080/Plone/input", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Document", "CreationDate": "2022-04-29T11:13:53-03:00", "Creator": "admin", "Description": "", "EffectiveDate": "2022-04-29T11:14:03-03:00", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:14:03-03:00", "Subject": [], "Type": "Page", "UID": "417679eb2a9c472c8afec1deb22adc70", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "input", "is_folderish": false, "review_state": "published", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}, {"Title": "<span>Title<p></p></span>", "path": "/span-title-p", "getURL": "http://localhost:8080/Plone/span-title-p", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Folder", "CreationDate": "2022-04-29T11:15:02-03:00", "Creator": "admin", "Description": "", "EffectiveDate": "2022-04-29T11:15:06-03:00", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:15:06-03:00", "Subject": [], "Type": "Folder", "UID": "47c3df8e362e4822b2945a55bd85a504", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "span-title-p", "is_folderish": true, 
"review_state": "published", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}, {"Title": "My \"Page\"", "path": "/my-page", "getURL": "http://localhost:8080/Plone/my-page", "getIcon": null, "getMimeIcon": "/Plone/++resource++mimetype.icons/txt.png", "portal_type": "Document", "CreationDate": "2022-04-29T11:17:15-03:00", "Creator": "admin", "Description": "", "EffectiveDate": "2022-04-29T11:17:17-03:00", "ExpirationDate": "None", "ModificationDate": "2022-04-29T11:17:17-03:00", "Subject": [], "Type": "Page", "UID": "1960e390ec98472190ff2f71976a561e", "exclude_from_nav": false, "getObjSize": "0 KB", "id": "my-page", "is_folderish": false, "review_state": "published", "mime_type": "text/plain", "total_comments": 0, "last_comment_date": null}], "total": 7}

It can be seen, for instance, that the /input item, which has a title of <input>, is returned with an empty title. Also, the /span-title-p element is returned with a title of <span>Title<p></p></span> when in fact its title is <span>Title<p>.

This is happening in this line https://github.com/plone/plone.app.content/blob/60c7c3798b37a3473978187f6506420ca658a495/plone/app/content/browser/vocabulary.py#L241

I believe the proper fix would be to escape special characters, instead of using the scrub_html method.
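The difference between the two approaches the issue contrasts, as an added example (not plone.app.content code): a minimal tag stripper stands in for the lossy scrub-style behaviour, while html.escape keeps the title intact and still prevents it from being interpreted as markup. The `strip_tags`, `escape_title`, `round_trips` and `vocabulary_json` helpers and the sample titles are constructed here, not Plone's own.

```python
"""Added example: tag-stripping a title is lossy, HTML-escaping it is not."""
import html
import json
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Minimal tag stripper. Assumption: it illustrates the lossy class of fix
    the issue describes; it is not Plone's scrub_html."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(title: str) -> str:
    """Lossy: anything that parses as a tag vanishes, so '<input>' becomes ''."""
    parser = _TagStripper()
    parser.feed(title)
    parser.close()
    return "".join(parser.parts)


def escape_title(title: str) -> str:
    """Lossless: <, >, &, and quotes become entities, so the browser renders the
    original characters and cannot treat them as markup."""
    return html.escape(title, quote=True)


def round_trips(title: str) -> bool:
    """An escaped title decodes back to exactly what the editor typed."""
    return html.unescape(escape_title(title)) == title


# Constructed titles mirroring the ones in the issue's JSON output.
TITLES = ["<input>", "<span>Title<p>", 'My "Page"', 'Special @$ "Characters" Title & More']


def compare(titles=TITLES):
    """Side-by-side view of what each approach would return for a title."""
    return [{"title": t, "stripped": strip_tags(t), "escaped": escape_title(t)} for t in titles]


def vocabulary_json(titles=TITLES) -> str:
    """Serialise escaped titles as a vocabulary-style endpoint would; json.dumps
    handles JSON quoting separately, so the escaped text survives intact."""
    return json.dumps({"results": [{"Title": escape_title(t)} for t in titles]})
```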

wesleybl commented 2 years ago

@frapell see: https://github.com/plone/Products.CMFPlone/issues/3429

frapell commented 2 years ago

@wesleybl Cool, thanks!