Escape texts in exported HTML (#429)

bookmarks/services/exporter.py

@@ -1,3 +1,4 @@
+import html
 from typing import List
 
 from bookmarks.models import Bookmark
@@ -28,8 +29,8 @@ def append_list_start(doc: BookmarkDocument):
 
 def append_bookmark(doc: BookmarkDocument, bookmark: Bookmark):
     url = bookmark.url
-    title = bookmark.resolved_title
+    title = html.escape(bookmark.resolved_title or '')
-    desc = bookmark.resolved_description
+    desc = html.escape(bookmark.resolved_description or '')
     tags = ','.join(bookmark.tag_names)
     toread = '1' if bookmark.unread else '0'
     added = int(bookmark.date_added.timestamp())

bookmarks/tests/test_exporter.py

@@ -0,0 +1,28 @@
+from django.test import TestCase
+
+from bookmarks.services import exporter
+from bookmarks.tests.helpers import BookmarkFactoryMixin
+
+
+class ExporterTestCase(TestCase, BookmarkFactoryMixin):
+    def test_escape_html_in_title_and_description(self):
+        bookmark = self.setup_bookmark(
+            title='<style>: The Style Information element',
+            description='The <style> HTML element contains style information for a document, or part of a document.'
+        )
+        html = exporter.export_netscape_html([bookmark])
+
+        self.assertIn('&lt;style&gt;: The Style Information element', html)
+        self.assertIn(
+            'The &lt;style&gt; HTML element contains style information for a document, or part of a document.',
+            html
+        )
+
+    def test_handle_empty_values(self):
+        bookmark = self.setup_bookmark()
+        bookmark.title = ''
+        bookmark.description = ''
+        bookmark.website_title = None
+        bookmark.website_description = None
+        bookmark.save()
+        exporter.export_netscape_html([bookmark])