From 256fc2cd4333f1bb41e132b98dfc33c511a2f6ca Mon Sep 17 00:00:00 2001
From: Manuel Reinhardt
Date: Mon, 29 Jul 2024 07:09:52 +0200
Subject: [PATCH] getVocabulary: Do run scrub_html on individual items, but first check whether they might contain script or HTML. Scrubbing the whole result is not equivalent and can break on tag-like items like ``. Ref syslabcom/scrum#2408
---
 src/recensio/plone/browser/vocabulary.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/recensio/plone/browser/vocabulary.py b/src/recensio/plone/browser/vocabulary.py
index 07c98c7..f4ed695 100644
--- a/src/recensio/plone/browser/vocabulary.py
+++ b/src/recensio/plone/browser/vocabulary.py
@@ -14,6 +14,7 @@ from Products.CMFCore.utils import getToolByName
 from Products.MimetypesRegistry.MimeTypeItem import guess_icon_path
 from Products.MimetypesRegistry.MimeTypeItem import PREFIX
+from Products.PortalTransforms.transforms.safe_html import hasScript
 from Products.PortalTransforms.transforms.safe_html import SafeHTML
 from zope.i18n import translate
@@ -21,6 +22,12 @@ class RecensioVocabularyView(VocabularyView):
+    def maybe_scrub(self, value):
+        if value and (hasScript(value) or "<" in value):
+            transform = SafeHTML()
+            return transform.scrub_html(value)
+        return value
+
     def __call__(self): # noqa: C901
         """
         Accepts GET parameters of:
@@ -103,7 +110,6 @@ def __call__(self): # noqa: C901
         attributes = attributes.split(",")
         translate_ignored = self.get_translated_ignored()
-        transform = SafeHTML()
         if attributes:
             base_path = self.get_base_path(context)
             sm = getSecurityManager()
@@ -154,8 +160,10 @@ def __call__(self): # noqa: C901
         else:
             items = [
                 {
-                    "id": item.value,
-                    "text": (item.title if item.title else ""),
+                    "id": unescape(self.maybe_scrub(item.value)),
+                    "text": (
+                        unescape(self.maybe_scrub(item.title)) if item.title else ""
+                    ),
                 }
                 for item in results
             ]
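Review bot: The guard in `maybe_scrub` (hunk at `@@ -21`) inspects the raw value, yet both call sites in the `items` hunk at `@@ -154` apply `unescape()` to whatever it returns, so a value whose markup is entity-encoded (no literal `<`, and presumably nothing for hasScript to match) is passed through unscrubbed and then decoded into literal markup in the JSON response. Running the check and the scrub on the decoded form closes that gap: `probe = unescape(value)`, then `if value and (hasScript(probe) or "<" in probe):` and `return SafeHTML().scrub_html(probe)`, leaving the outer `unescape()` calls as they are. The new method also has no docstring; a one-liner such as `"""Scrub *value* with SafeHTML only when it appears to carry markup or script; plain strings pass through untouched."""` would record why the pre-check exists (the commit message's tag-like-item breakage). Whether `item.value` is always a str is not visible here; if any vocabulary yields non-string values, `"<" in value` and the later `unescape()` raise TypeError, so an `isinstance(value, str)` guard in `maybe_scrub` may be warranted.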
@@ -163,6 +171,4 @@ def __call__(self): # noqa: C901
         if total == 0:
             total = len(items)
-        return unescape(
-            transform.scrub_html(json_dumps({"results": items, "total": total}))
-        )
+        return json_dumps({"results": items, "total": total})