escape trainee notes in progress_description tag

carpentries · Nov 7, 2023 · dc1836a · dc1836a
1 parent c6a87a1
commit dc1836a
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/amy/trainings/tests/test_training_progress.py b/amy/trainings/tests/test_training_progress.py
@@ -433,6 +433,50 @@ def test_notes(self):
             "Notes: Additional notes",
         )
 
+    def test_notes_with_quotes(self):
+        self._test(
+            progress=TrainingProgress(
+                state="p",
+                trainee=self.ironman,
+                created_at=datetime(2016, 5, 1, 16, 00),
+                requirement=TrainingRequirement(name="Welcome Session"),
+                notes='Additional "notes"',
+            ),
+            expected="Passed Welcome Session<br />"
+            "on Sunday 01 May 2016 at 16:00.<br />"
+            "Notes: Additional &quot;notes&quot;",
+        )
+
+    def test_trainee_notes(self):
+        self._test(
+            progress=TrainingProgress(
+                state="p",
+                trainee=self.ironman,
+                created_at=datetime(2016, 5, 1, 16, 00),
+                requirement=TrainingRequirement(name="Get Involved"),
+                involvement_type=Involvement(name="Other"),
+                trainee_notes="Additional notes from trainee",
+            ),
+            expected="Passed Get Involved<br />"
+            "Other: Additional notes from trainee<br />"
+            "on Sunday 01 May 2016 at 16:00.",
+        )
+
+    def test_trainee_notes_with_quotes(self):
+        self._test(
+            progress=TrainingProgress(
+                state="p",
+                trainee=self.ironman,
+                created_at=datetime(2016, 5, 1, 16, 00),
+                requirement=TrainingRequirement(name="Get Involved"),
+                involvement_type=Involvement(name="Other"),
+                trainee_notes='Additional "notes" from trainee',
+            ),
+            expected="Passed Get Involved<br />"
+            "Other: Additional &quot;notes&quot; from trainee<br />"
+            "on Sunday 01 May 2016 at 16:00.",
+        )
+
     def test_no_mentor_or_examiner_assigned(self):
         self._test(
             progress=TrainingProgress(

diff --git a/amy/workshops/templatetags/training_progress.py b/amy/workshops/templatetags/training_progress.py
@@ -33,7 +33,9 @@ def progress_description(progress: TrainingProgress):
         involvement = "<br />"
         involvement += progress.involvement_type.name
         if progress.involvement_type.name == "Other":
-            involvement += f": {progress.trainee_notes or 'No details provided'}"
+            involvement += (
+                f": {escape(progress.trainee_notes) or 'No details provided'}"
+            )
     else:
         involvement = ""