Fix escaping for the showDialog function. Fixes #351. (#353)

Author: brianquinlan

dashboard/grid-template.html

@@ -146,8 +146,7 @@
                         {% set self_2_details = result.self_compatibility_check[1].details %}
                     {% endif %}
                 {% endif %}
-                <td class="{{ bgColorName }}" onclick="showDialog(
-                    '{{ cellName|safe }}', '{{ result.status_type|safe }}', '{{ self_1_status|safe }}', '{{ self_2_status|safe }}','{{ pairwise_status|safe }}', '{{ self_1_details|replace('\n', ' ')|safe}}', '{{ self_2_details|replace('\n', ' ')|safe}}', '{{ pairwise_details|replace('\n', ' ')|safe }}')">
+                <td class="{{ bgColorName }}" onclick="showDialog('{{ cellName|safe }}', '{{ result.status_type|safe }}', '{{ self_1_status|safe }}', '{{ self_2_status|safe }}','{{ pairwise_status|safe }}', '{{ self_1_details|replace('\\', '\\\\')|replace('\'', '\\\'')|replace('\n', ' ')}}', '{{ self_2_details|replace('\\', '\\\\')|replace('\'', '\\\'')|replace('\n', ' ')}}', '{{ pairwise_details|replace('\\', '\\\\')|replace('\'', '\\\'')|replace('\n', ' ') }}')">
                     <div id="{{ cellName }}" class="dialog" title="{{ row_package.friendly_name }} and {{ col_package.friendly_name }}">
                     </div>
                 </td>

dashboard/test_dashboard_builder.py

@@ -462,6 +462,38 @@ def test_self_failure(self):
             html_grid = builder.build_dashboard('dashboard/grid-template.html')
             self.assertIn("Installation failure", html_grid)
 
+    def test_escape(self):
+        """Test that the arguments to showDialog() are escaped."""
+        packages = [PACKAGE_1, PACKAGE_2]
+        store = fake_compatibility_store.CompatibilityStore()
+        store.save_compatibility_statuses([
+            compatibility_store.CompatibilityResult(
+                packages=[PACKAGE_1],
+                python_major_version=3,
+                status=compatibility_store.Status.INSTALL_ERROR,
+                details=r"This \ has a ' in it < >"
+            ),
+            compatibility_store.CompatibilityResult(
+                packages=[PACKAGE_2],
+                python_major_version=3,
+                status=compatibility_store.Status.SUCCESS
+            ),
+        ])
+
+        with self.patch_finder, self.patch_highlighter:
+            package_to_results = store.get_self_compatibilities(packages)
+            pairwise_to_results = store.get_compatibility_combinations(
+                packages)
+            results = dashboard_builder._ResultHolder(package_to_results,
+                                                      pairwise_to_results)
+            builder = dashboard_builder.DashboardBuilder(packages, results)
+            html_grid = builder.build_dashboard('dashboard/grid-template.html')
+            with open('/tmp/foo.html', 'w+') as f:
+                f.write(html_grid)
+
+            self.assertIn("This \\\\ has a \\&#39; in it &lt; &gt;", html_grid)
+
+
     def test_missing_pairwise(self):
         """CompatibilityResult not available for a pair of packages."""
         packages = [PACKAGE_1, PACKAGE_2]