avoid use of |safe filter in templates

Explicitly mark those few places where we need to pass in data that should not be escaped on the Python side.
beancount · Jul 3, 2022 · ca9e388 · ca9e388
1 parent c9f3ee8
commit ca9e388
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 18 deletions.
diff --git a/src/fava/application.py b/src/fava/application.py
@@ -35,6 +35,7 @@
 from flask.wrappers import Response
 from flask_babel import Babel  # type: ignore
 from flask_babel import get_translations
+from markupsafe import Markup
 from werkzeug.utils import secure_filename
 
 from fava import __version__ as fava_version
@@ -384,10 +385,12 @@ def help_page(page_slug: str) -> str:
         "_layout.html",
         active_page="help",
         page_slug=page_slug,
-        help_html=render_template_string(
-            html,
-            beancount_version=beancount_version,
-            fava_version=fava_version,
+        help_html=Markup(
+            render_template_string(
+                html,
+                beancount_version=beancount_version,
+                fava_version=fava_version,
+            )
         ),
         HELP_PAGES=HELP_PAGES,
     )

diff --git a/src/fava/core/file.py b/src/fava/core/file.py
@@ -22,6 +22,7 @@
 from beancount.core.flags import FLAG_SUMMARIZE
 from beancount.core.flags import FLAG_TRANSFER
 from beancount.parser.printer import format_entry  # type: ignore
+from markupsafe import Markup
 
 from fava.core._compat import FLAG_RETURNS
 from fava.core._compat import FLAG_UNREALIZED
@@ -176,7 +177,9 @@ def insert_entries(self, entries: Entries) -> None:
                 )
                 self.ledger.extensions.after_insert_entry(entry)
 
-    def render_entries(self, entries: Entries) -> Generator[str, None, None]:
+    def render_entries(
+        self, entries: Entries
+    ) -> Generator[Markup, None, None]:
         """Return entries in Beancount format.
 
         Only renders :class:`.Balance` and :class:`.Transaction`.
@@ -193,12 +196,14 @@ def render_entries(self, entries: Entries) -> Generator[str, None, None]:
                 if isinstance(entry, Transaction) and entry.flag in EXCL_FLAGS:
                     continue
                 try:
-                    yield get_entry_slice(entry)[0] + "\n"
+                    yield Markup(get_entry_slice(entry)[0] + "\n")
                 except (KeyError, FileNotFoundError):
-                    yield _format_entry(
-                        entry,
-                        self.ledger.fava_options.currency_column,
-                        indent,
+                    yield Markup(
+                        _format_entry(
+                            entry,
+                            self.ledger.fava_options.currency_column,
+                            indent,
+                        )
                     )
 
 

diff --git a/src/fava/template_filters.py b/src/fava/template_filters.py
@@ -12,14 +12,15 @@
 from typing import MutableMapping
 from typing import TypeVar
 
-import flask
 from beancount.core import compare
 from beancount.core import realization
 from beancount.core.account import ACCOUNT_RE
 from beancount.core.data import Directive
 from beancount.core.inventory import Inventory
 from beancount.core.number import Decimal
 from beancount.core.number import ZERO
+from flask import url_for
+from markupsafe import Markup
 
 from fava.context import g
 from fava.core.conversion import cost
@@ -145,14 +146,14 @@ def basename(file_path: str) -> str:
     return unicodedata.normalize("NFC", os.path.basename(file_path))
 
 
-def format_errormsg(message: str) -> str:
+def format_errormsg(message: str) -> Markup:
     """Match account names in error messages and insert HTML links for them."""
     match = re.search(ACCOUNT_RE, message)
     if not match:
-        return message
+        return Markup(message)
     account = match.group()
-    url = flask.url_for("account", name=account)
-    return (
+    url = url_for("account", name=account)
+    return Markup(
         message.replace(account, f'<a href="{url}">{account}</a>')
         .replace("for '", "for ")
         .replace("': ", ": ")

diff --git a/src/fava/templates/_layout.html b/src/fava/templates/_layout.html
@@ -43,7 +43,7 @@ <h1>
       <svelte-component type="charts"></svelte-component>
       {% block content %}
       {% if content %}
-      {{ content|safe }}
+      {{ content }}
       {% else %}
       {% include active_page + '.html' %}
       {% endif %}

diff --git a/src/fava/templates/errors.html b/src/fava/templates/errors.html
@@ -13,7 +13,7 @@
       {% with link=url_for_source(file_path=error.source['filename'], line=error.source['lineno']) %}
       <td><a class="source" href="{{ link }}" title="{{ _('Show source %(file)s:%(lineno)s', file=error.source['filename'], lineno=error.source['lineno']) }}">{{ error.source['filename'] }}</a></td>
       <td class="num"><a class="source" href="{{ link }}" title="{{ _('Show source %(file)s:%(lineno)s', file=error.source['filename'], lineno=error.source['lineno']) }}">{{ error.source['lineno'] }}</a></td>
-      <td class="pre">{{ error.message|format_errormsg|safe }}</td>
+      <td class="pre">{{ error.message|format_errormsg }}</td>
       {% endwith %}
     </tr>
     {% endfor %}

diff --git a/src/fava/templates/help.html b/src/fava/templates/help.html
@@ -12,6 +12,6 @@ <h3>{{ _('Help pages') }}</h3>
     </ul>
   </div>
   <div class="help-text">
-    {{ help_html|safe }}
+    {{ help_html }}
   </div>
 </div>