Merge pull request #5168 from FinnStutzenstein/validateHtml

Validate Config HTML

openslides/core/config.py

@@ -7,6 +7,7 @@ from django.core.exceptions import ValidationError as DjangoValidationError
 from mypy_extensions import TypedDict
 
 from ..utils.cache import element_cache
+from ..utils.validate import validate_html
 from .exceptions import ConfigError, ConfigNotFound
 from .models import ConfigStore
 
@@ -173,6 +174,9 @@ class ConfigHandler:
                     if not isinstance(entry[required_entry], str):
                         raise ConfigError(f"{required_entry} has to be a string.")
 
+        if config_variable.input_type == "markupText":
+            value = validate_html(value)
+
         # Save the new value to the database.
         db_value = ConfigStore.objects.get(key=key)
         db_value.value = value

tests/integration/core/test_viewset.py

@@ -206,6 +206,8 @@ class ConfigViewSet(TestCase):
     """
     logo_config_key = "logo_web_header"
 
+    html_config_key = "general_event_welcome_text"
+
     def random_string(self):
         return "".join(
             random.choice(string.ascii_letters + string.digits) for i in range(20)
@@ -245,6 +247,16 @@ class ConfigViewSet(TestCase):
             config[self.string_config_key], "test_name_39gw4cishcvev2acoqnw"
         )
 
+    def test_validate_html(self):
+        response = self.client.put(
+            reverse("config-detail", args=[self.html_config_key]),
+            {"value": "<p><foo>bar</foo></p>"},
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(
+            config[self.html_config_key], "<p>&lt;foo&gt;bar&lt;/foo&gt;</p>"
+        )
+
     def test_set_none(self):
         """
         The agenda_start_event_date_time is of type "datepicker" which