From 81776af7231412bddfc3bcf18f4b5c1f1b837b37 Mon Sep 17 00:00:00 2001
From: Taka <taka@vm-linux-dev>
Date: Mon, 16 Jul 2018 09:08:57 +0000
Subject: [PATCH] Allow HTML to be included in the generates snippets.

---
 vasl_templates/webapp/static/generate.js     | 10 ++++++++--
 vasl_templates/webapp/tests/test_generate.py | 10 +++++-----
 vasl_templates/webapp/tests/test_ob_setup.py | 16 ++++++++--------
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/vasl_templates/webapp/static/generate.js b/vasl_templates/webapp/static/generate.js
index 75266d2..81f3be6 100644
--- a/vasl_templates/webapp/static/generate.js
+++ b/vasl_templates/webapp/static/generate.js
@@ -126,7 +126,7 @@ function generate_snippet( $btn )
         showErrorMsg( "Unknown template: " + escapeHTML(template_id) ) ;
         return ;
     }
-    var func, val ;
+    var func ;
     try {
         func = jinja.compile( templ ).render ;
     }
@@ -136,8 +136,14 @@ function generate_snippet( $btn )
     }
 
     // process the template
+    var val ;
     try {
-        val = func( params ) ;
+        // NOTE: While it's generally not a good idea to disable auto-escaping, the whole purpose
+        // of this application is to generate HTML snippets, and so virtually every single
+        // template parameter would have to be piped through the "safe" filter :-/ We never render
+        // any of the generated HTML, so any risk exists only when the user pastes the HTML snippet
+        // into a VASL scenario, which uses an ancient HTML engine (with probably no Javascript)...
+        val = func( params, {"autoEscape":false} ) ;
         val = val.trim() ;
     }
     catch( ex ) {
diff --git a/vasl_templates/webapp/tests/test_generate.py b/vasl_templates/webapp/tests/test_generate.py
index e1b5d06..8d7731a 100644
--- a/vasl_templates/webapp/tests/test_generate.py
+++ b/vasl_templates/webapp/tests/test_generate.py
@@ -46,11 +46,11 @@ def test_scenario_snippets( webapp, webdriver ):
 
     # generate a SCENARIO snippet
     _test_snippet( webdriver, "scenario", {
-        "SCENARIO_NAME": "my scenario",
-        "SCENARIO_LOCATION": "here",
+        "SCENARIO_NAME": "my <i>cool</i> scenario",
+        "SCENARIO_LOCATION": "right <u>here</u>",
         "SCENARIO_DATE": "01/02/1942",
     },
-        'name = [my scenario] | loc = [here] | date = [01/02/1942] aka "2 January, 1942"',
+        'name = [my <i>cool</i> scenario] | loc = [right <u>here</u>] | date = [01/02/1942] aka "2 January, 1942"',
         None
     )
 
@@ -95,9 +95,9 @@ def test_vc_snippets( webapp, webdriver ):
 
     # generate a VC snippet
     _test_snippet( webdriver, "victory_conditions", {
-        "VICTORY_CONDITIONS": "Kill 'Em All!",
+        "VICTORY_CONDITIONS": "Kill 'Em <i>All</i>!",
     },
-        "VC: [Kill 'Em All!]",
+        "VC: [Kill 'Em <i>All</i>!]",
         None
     )
 
diff --git a/vasl_templates/webapp/tests/test_ob_setup.py b/vasl_templates/webapp/tests/test_ob_setup.py
index 3ce54b7..1cb38d3 100644
--- a/vasl_templates/webapp/tests/test_ob_setup.py
+++ b/vasl_templates/webapp/tests/test_ob_setup.py
@@ -18,18 +18,18 @@ def test_ob_setup( webapp, webdriver ):
     select_tab( "ob1" )
     textarea1 = find_child( "textarea[name='OB_SETUP_1']" )
     textarea1.clear()
-    textarea1.send_keys( "setup here." )
+    textarea1.send_keys( "setup <i>here</i>." )
     btn1 = find_child( "input[type='button'][data-id='ob_setup_1']" )
     select_tab( "ob2" )
     textarea2 = find_child( "textarea[name='OB_SETUP_2']" )
     textarea2.clear()
-    textarea2.send_keys( "setup there." )
+    textarea2.send_keys( "setup <b>there</b>." )
     btn2 = find_child( "input[type='button'][data-id='ob_setup_2']" )
     btn2.click()
-    assert get_clipboard() == "[setup there.] (col=[OBCOL:russian/OBCOL2:russian])"
+    assert get_clipboard() == "[setup <b>there</b>.] (col=[OBCOL:russian/OBCOL2:russian])"
     select_tab( "ob1" )
     btn1.click()
-    assert get_clipboard() == "[setup here.] (col=[OBCOL:german/OBCOL2:german])"
+    assert get_clipboard() == "[setup <i>here</i>.] (col=[OBCOL:german/OBCOL2:german])"
 
     # change the player nationalities and generate the OB SETUP snippets again
     select_tab( "scenario" )
@@ -43,22 +43,22 @@ def test_ob_setup( webapp, webdriver ):
     sel.select_by_value( "french" )
     select_tab( "ob1" )
     btn1.click()
-    assert get_clipboard() == "[setup here.] (col=[OBCOL:british/OBCOL2:british])"
+    assert get_clipboard() == "[setup <i>here</i>.] (col=[OBCOL:british/OBCOL2:british])"
     select_tab( "ob2" )
     btn2.click()
-    assert get_clipboard() == "[setup there.] (col=[OBCOL:french/OBCOL2:french])"
+    assert get_clipboard() == "[setup <b>there</b>.] (col=[OBCOL:french/OBCOL2:french])"
 
     # set the snippet widths and generate the snippets again
     select_tab( "ob1" )
     elem = find_child( "input[name='OB_SETUP_WIDTH_1']" )
     elem.send_keys( "100px" )
     btn1.click()
-    assert get_clipboard() == "[setup here.] (col=[OBCOL:british/OBCOL2:british]) (width=[100px])"
+    assert get_clipboard() == "[setup <i>here</i>.] (col=[OBCOL:british/OBCOL2:british]) (width=[100px])"
     select_tab( "ob2" )
     elem = find_child( "input[name='OB_SETUP_WIDTH_2']" )
     elem.send_keys( "200px" )
     btn2.click()
-    assert get_clipboard() == "[setup there.] (col=[OBCOL:french/OBCOL2:french]) (width=[200px])"
+    assert get_clipboard() == "[setup <b>there</b>.] (col=[OBCOL:french/OBCOL2:french]) (width=[200px])"
 
 # ---------------------------------------------------------------------