diff --git a/vasl_templates/webapp/static/generate.js b/vasl_templates/webapp/static/generate.js
index 75266d2..81f3be6 100644
--- a/vasl_templates/webapp/static/generate.js
+++ b/vasl_templates/webapp/static/generate.js
@@ -126,7 +126,7 @@ function generate_snippet( $btn )
showErrorMsg( "Unknown template: " + escapeHTML(template_id) ) ;
return ;
}
- var func, val ;
+ var func ;
try {
func = jinja.compile( templ ).render ;
}
@@ -136,8 +136,14 @@ function generate_snippet( $btn )
}
// process the template
+ var val ;
try {
- val = func( params ) ;
+ // NOTE: While it's generally not a good idea to disable auto-escaping, the whole purpose
+ // of this application is to generate HTML snippets, and so virtually every single
+ // template parameter would have to be piped through the "safe" filter :-/ We never render
+ // any of the generated HTML, so any risk exists only when the user pastes the HTML snippet
+ // into a VASL scenario, which uses an ancient HTML engine (with probably no Javascript)...
+ val = func( params, {"autoEscape":false} ) ;
val = val.trim() ;
}
catch( ex ) {
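Review bot: Passing `{"autoEscape":false}` on the `func( params, ... )` line makes the safety of every generated snippet depend on where `params` comes from, and the new comment only argues the case for values the user typed into their own form; if template parameters can also arrive from loaded scenario files or other shared sources (not visible in this hunk), that argument no longer covers them, and the comment should record that boundary where the next maintainer will see it. I would extend the note with one line such as `// Any parameter that does not originate from the user's own form input must be escaped before it reaches this call.` Since this is now the single place where unescaped content enters the output, I would also write the option object as `{ autoEscape: false }`, consistent with an ordinary JS object literal. The enclosing `generate_snippet` and the `try`/`catch` around this call start and end outside the hunk.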
diff --git a/vasl_templates/webapp/tests/test_generate.py b/vasl_templates/webapp/tests/test_generate.py
index e1b5d06..8d7731a 100644
--- a/vasl_templates/webapp/tests/test_generate.py
+++ b/vasl_templates/webapp/tests/test_generate.py
@@ -46,11 +46,11 @@ def test_scenario_snippets( webapp, webdriver ):
# generate a SCENARIO snippet
_test_snippet( webdriver, "scenario", {
- "SCENARIO_NAME": "my scenario",
- "SCENARIO_LOCATION": "here",
+ "SCENARIO_NAME": "my cool scenario",
+ "SCENARIO_LOCATION": "right here",
"SCENARIO_DATE": "01/02/1942",
},
- 'name = [my scenario] | loc = [here] | date = [01/02/1942] aka "2 January, 1942"',
+ 'name = [my cool scenario] | loc = [right here] | date = [01/02/1942] aka "2 January, 1942"',
None
)
@@ -95,9 +95,9 @@ def test_vc_snippets( webapp, webdriver ):
# generate a VC snippet
_test_snippet( webdriver, "victory_conditions", {
- "VICTORY_CONDITIONS": "Kill 'Em All!",
+ "VICTORY_CONDITIONS": "Kill 'Em All!",
},
- "VC: [Kill 'Em All!]",
+ "VC: [Kill 'Em All!]",
None
)
diff --git a/vasl_templates/webapp/tests/test_ob_setup.py b/vasl_templates/webapp/tests/test_ob_setup.py
index 3ce54b7..1cb38d3 100644
--- a/vasl_templates/webapp/tests/test_ob_setup.py
+++ b/vasl_templates/webapp/tests/test_ob_setup.py
@@ -18,18 +18,18 @@ def test_ob_setup( webapp, webdriver ):
select_tab( "ob1" )
textarea1 = find_child( "textarea[name='OB_SETUP_1']" )
textarea1.clear()
- textarea1.send_keys( "setup here." )
+ textarea1.send_keys( "setup here." )
btn1 = find_child( "input[type='button'][data-id='ob_setup_1']" )
select_tab( "ob2" )
textarea2 = find_child( "textarea[name='OB_SETUP_2']" )
textarea2.clear()
- textarea2.send_keys( "setup there." )
+ textarea2.send_keys( "setup there." )
btn2 = find_child( "input[type='button'][data-id='ob_setup_2']" )
btn2.click()
- assert get_clipboard() == "[setup there.] (col=[OBCOL:russian/OBCOL2:russian])"
+ assert get_clipboard() == "[setup there.] (col=[OBCOL:russian/OBCOL2:russian])"
select_tab( "ob1" )
btn1.click()
- assert get_clipboard() == "[setup here.] (col=[OBCOL:german/OBCOL2:german])"
+ assert get_clipboard() == "[setup here.] (col=[OBCOL:german/OBCOL2:german])"
# change the player nationalities and generate the OB SETUP snippets again
select_tab( "scenario" )
@@ -43,22 +43,22 @@ def test_ob_setup( webapp, webdriver ):
sel.select_by_value( "french" )
select_tab( "ob1" )
btn1.click()
- assert get_clipboard() == "[setup here.] (col=[OBCOL:british/OBCOL2:british])"
+ assert get_clipboard() == "[setup here.] (col=[OBCOL:british/OBCOL2:british])"
select_tab( "ob2" )
btn2.click()
- assert get_clipboard() == "[setup there.] (col=[OBCOL:french/OBCOL2:french])"
+ assert get_clipboard() == "[setup there.] (col=[OBCOL:french/OBCOL2:french])"
# set the snippet widths and generate the snippets again
select_tab( "ob1" )
elem = find_child( "input[name='OB_SETUP_WIDTH_1']" )
elem.send_keys( "100px" )
btn1.click()
- assert get_clipboard() == "[setup here.] (col=[OBCOL:british/OBCOL2:british]) (width=[100px])"
+ assert get_clipboard() == "[setup here.] (col=[OBCOL:british/OBCOL2:british]) (width=[100px])"
select_tab( "ob2" )
elem = find_child( "input[name='OB_SETUP_WIDTH_2']" )
elem.send_keys( "200px" )
btn2.click()
- assert get_clipboard() == "[setup there.] (col=[OBCOL:french/OBCOL2:french]) (width=[200px])"
+ assert get_clipboard() == "[setup there.] (col=[OBCOL:french/OBCOL2:french]) (width=[200px])"
# ---------------------------------------------------------------------