sanitize inputs of jinja so that output does not need to be

2021-01-13 01:34:21 +01:00 · 2021-01-13 01:34:21 +01:00 · 1bb412e007
commit 1bb412e007
parent e69d1c3408
2 changed files with 9 additions and 5 deletions
--- a/cookbook/helper/template_helper.py
+++ b/cookbook/helper/template_helper.py
@ -16,13 +16,13 @@ class IngredientObject(object):
        if ingredient.no_amount:
            self.amount = ""
        else:
-            self.amount = f"<scalable-number v-bind:number='{ingredient.amount}' v-bind:factor='servings'></scalable-number>"
+            self.amount = f"<scalable-number v-bind:number='{bleach.clean(str(ingredient.amount))}' v-bind:factor='servings'></scalable-number>"
        if ingredient.unit:
-            self.unit = ingredient.unit
+            self.unit = bleach.clean(str(ingredient.unit))
        else:
            self.unit = ""
-        self.food = ingredient.food
-        self.note = ingredient.note
+        self.food = bleach.clean(str(ingredient.food))
+        self.note = bleach.clean(str(ingredient.note))

    def __str__(self):
        ingredient = self.amount
--- a/cookbook/serializer.py
+++ b/cookbook/serializer.py
@ -159,6 +159,10 @@ class IngredientSerializer(WritableNestedModelSerializer):
 class StepSerializer(WritableNestedModelSerializer):
    ingredients = IngredientSerializer(many=True)
    ingredients_markdown = serializers.SerializerMethodField('get_ingredients_markdown')
+    ingredients_vue = serializers.SerializerMethodField('get_ingredients_vue')
+
+    def get_ingredients_vue(self, obj):
+        return obj.get_instruction_render()

    def get_ingredients_markdown(self, obj):
        return obj.get_instruction_render()
@ -167,7 +171,7 @@ class StepSerializer(WritableNestedModelSerializer):
        model = Step
        fields = (
            'id', 'name', 'type', 'instruction', 'ingredients', 'ingredients_markdown',
-            'time', 'order', 'show_as_header'
+            'ingredients_vue', 'time', 'order', 'show_as_header'
        )