Merge pull request #187 from syslabcom/scrum-2408-getVocabulary-2

getVocabulary: Do run scrub_html on individual items

Author: cillianderoiste

src/recensio/plone/browser/vocabulary.py

@@ -14,13 +14,20 @@
 from Products.CMFCore.utils import getToolByName
 from Products.MimetypesRegistry.MimeTypeItem import guess_icon_path
 from Products.MimetypesRegistry.MimeTypeItem import PREFIX
+from Products.PortalTransforms.transforms.safe_html import hasScript
 from Products.PortalTransforms.transforms.safe_html import SafeHTML
 from zope.i18n import translate
 
 import itertools
 
 
 class RecensioVocabularyView(VocabularyView):
+    def maybe_scrub(self, value):
+        if value and (hasScript(value) or "<" in value):
+            transform = SafeHTML()
+            return transform.scrub_html(value)
+        return value
+
     def __call__(self):  # noqa: C901
         """
         Accepts GET parameters of:
@@ -103,7 +110,6 @@ def __call__(self):  # noqa: C901
             attributes = attributes.split(",")
 
         translate_ignored = self.get_translated_ignored()
-        transform = SafeHTML()
         if attributes:
             base_path = self.get_base_path(context)
             sm = getSecurityManager()
@@ -154,15 +160,15 @@ def __call__(self):  # noqa: C901
         else:
             items = [
                 {
-                    "id": item.value,
-                    "text": (item.title if item.title else ""),
+                    "id": unescape(self.maybe_scrub(item.value)),
+                    "text": (
+                        unescape(self.maybe_scrub(item.title)) if item.title else ""
+                    ),
                 }
                 for item in results
             ]
 
         if total == 0:
             total = len(items)
 
-        return unescape(
-            transform.scrub_html(json_dumps({"results": items, "total": total}))
-        )
+        return json_dumps({"results": items, "total": total})