From a35fa105edb6736288880ea9d354ac8ddc11232e Mon Sep 17 00:00:00 2001
From: FinnStutzenstein
Date: Sat, 4 Jan 2020 16:52:04 +0100
Subject: [PATCH] Validate Config HTML
---
 openslides/core/config.py | 4 ++++
 tests/integration/core/test_viewset.py | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/openslides/core/config.py b/openslides/core/config.py
index aa3a17276..cf913e84d 100644
--- a/openslides/core/config.py
+++ b/openslides/core/config.py
@@ -7,6 +7,7 @@ from django.core.exceptions import ValidationError as DjangoValidationError
 from mypy_extensions import TypedDict
 from ..utils.cache import element_cache
+from ..utils.validate import validate_html
 from .exceptions import ConfigError, ConfigNotFound
 from .models import ConfigStore
@@ -173,6 +174,9 @@ class ConfigHandler:
 if not isinstance(entry[required_entry], str):
 raise ConfigError(f"{required_entry} has to be a string.")
+ if config_variable.input_type == "markupText":
+ value = validate_html(value)
+
 # Save the new value to the database.
 db_value = ConfigStore.objects.get(key=key)
 db_value.value = value
diff --git a/tests/integration/core/test_viewset.py b/tests/integration/core/test_viewset.py
index 2dd73fccb..a8fe1d537 100644
--- a/tests/integration/core/test_viewset.py
+++ b/tests/integration/core/test_viewset.py
@@ -206,6 +206,8 @@ class ConfigViewSet(TestCase):
 """
 logo_config_key = "logo_web_header"
+ html_config_key = "general_event_welcome_text"
+
 def random_string(self):
 return "".join(
 random.choice(string.ascii_letters + string.digits) for i in range(20)
@@ -245,6 +247,16 @@ class ConfigViewSet(TestCase):
 config[self.string_config_key], "test_name_39gw4cishcvev2acoqnw"
 )
+ def test_validate_html(self):
+ response = self.client.put(
+ reverse("config-detail", args=[self.html_config_key]),
+ {"value": "
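Review bot: The `validate_html(value)` call in the second hunk of openslides/core/config.py sanitises markupText values only on this write path, so any markupText value already in `ConfigStore` before this change stays as it was stored and is presumably still handed to clients unsanitised. Consider a data migration that re-runs `validate_html` over the existing markupText entries, or sanitising on the read path as well. Judging by the test added in this patch (a 200 response and a stored value that differs from the submitted one), the value is rewritten silently rather than rejected, so a comment such as `# Sanitize user-supplied HTML before storing it; the stored value may differ from the submitted one.` would help the next reader. The enclosing method starts and ends outside the hunk, so whether `value` is guaranteed to be a `str` when it reaches `validate_html` cannot be confirmed from here.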

bar

"},
+ )
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertEqual(
+ config[self.html_config_key], "

<foo>bar</foo>

"
+ )
+
 def test_set_none(self):
 """
 The agenda_start_event_date_time is of type "datepicker" which
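Review bot: `test_validate_html` covers, as far as the literals on this page show, a single unrecognised `foo` element and none of the markup a sanitiser exists to stop, so a regression in `validate_html` that lets active content through would still pass. Add at least one case with a script element and one with an event-handler attribute on an otherwise allowed tag, and assert that the stored value no longer contains them, e.g. `self.assertNotIn("<script", config[self.html_config_key])`. The method also has no docstring, unlike `test_set_none` directly below it; something like `"""markupText config values are passed through validate_html before being stored."""` would match the neighbouring tests.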