sanitize inputs of jinja so that output does not need to be

vabene1111 2021-01-13 01:34:21 +01:00
parent e69d1c3408
commit 1bb412e007
2 changed files with 9 additions and 5 deletions


@ -16,13 +16,13 @@ class IngredientObject(object):
if ingredient.no_amount:
self.amount = ""
else:
self.amount = f"<scalable-number v-bind:number='{ingredient.amount}' v-bind:factor='servings'></scalable-number>"
self.amount = f"<scalable-number v-bind:number='{bleach.clean(str(ingredient.amount))}' v-bind:factor='servings'></scalable-number>"
if ingredient.unit:
self.unit = ingredient.unit
self.unit = bleach.clean(str(ingredient.unit))
else:
self.unit = ""
self.food = ingredient.food
self.note = ingredient.note
self.food = bleach.clean(str(ingredient.food))
self.note = bleach.clean(str(ingredient.note))
def __str__(self):
ingredient = self.amount
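Review bot: `bleach.clean()` is an HTML-fragment sanitiser, but on the new `self.amount` line its result is interpolated inside a single-quoted `v-bind:number` attribute whose value Vue evaluates as an expression, a context the bleach documentation says `clean()` is not meant for. If `ingredient.amount` is always numeric (it looks that way, but the model is not visible here), coercing it gives a tighter guarantee than cleaning it: `self.amount = f"<scalable-number v-bind:number='{float(ingredient.amount)}' v-bind:factor='servings'></scalable-number>"`. The same concern applies to `unit`, `food` and `note` if the rendered string is later compiled as a Vue template, because stripping HTML tags leaves template interpolation delimiters untouched; that needs checking where the output is mounted. Separately, `str(ingredient.note)` turns a `None` note into the literal text `None`, so a guard such as `bleach.clean(ingredient.note) if ingredient.note else ""` may be wanted. `__init__` starts above this hunk and `__str__` continues below it.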


@ -159,6 +159,10 @@ class IngredientSerializer(WritableNestedModelSerializer):
class StepSerializer(WritableNestedModelSerializer):
ingredients = IngredientSerializer(many=True)
ingredients_markdown = serializers.SerializerMethodField('get_ingredients_markdown')
ingredients_vue = serializers.SerializerMethodField('get_ingredients_vue')
def get_ingredients_vue(self, obj):
return obj.get_instruction_render()
def get_ingredients_markdown(self, obj):
return obj.get_instruction_render()
@ -167,7 +171,7 @@ class StepSerializer(WritableNestedModelSerializer):
model = Step
fields = (
'id', 'name', 'type', 'instruction', 'ingredients', 'ingredients_markdown',
'time', 'order', 'show_as_header'
'ingredients_vue', 'time', 'order', 'show_as_header'
)
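Review bot: `get_ingredients_vue` returns exactly what `get_ingredients_markdown` returns, `obj.get_instruction_render()`, so the serializer now emits the same rendered string under two field names and nothing on the method says which consumer should use which. The new name suggests clients will compile the value as a Vue template, so a docstring should say so, for example `"""Rendered instruction containing Vue components; safe to compile only because ingredient values are sanitised at render time."""`. If the two fields are meant to diverge later, a short comment on `get_ingredients_markdown` saying it is kept for backwards compatibility would help. `get_instruction_render` is not visible in this diff, so whether its output is fully sanitised cannot be confirmed from here.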