From 3506ad53fb925db220f5f5b7d29837c4cc4e65e2 Mon Sep 17 00:00:00 2001
From: Kevin Carrogan <kevin@carrogan.com>
Date: Thu, 19 Dec 2024 11:53:10 +0000
Subject: [PATCH] Switch govuk link button to an inclusion tag
This is to ensure that any potential HTML tags are sanitised correctly through using Django's template engine
---
 lite_forms/templates/govuk-link-button.html | 8 +++++
 lite_forms/templatetags/custom_tags.py | 35 ++++++++++-----------
 2 files changed, 24 insertions(+), 19 deletions(-)
 create mode 100644 lite_forms/templates/govuk-link-button.html
diff --git a/lite_forms/templates/govuk-link-button.html b/lite_forms/templates/govuk-link-button.html
new file mode 100644
index 0000000000..400a4c017a
--- /dev/null
+++ b/lite_forms/templates/govuk-link-button.html
@@ -0,0 +1,8 @@
+<a {% if id %}id="button-{{ id }}" {% endif %}href="{{ url }}{{ query_params }}" role="button" draggable="false" class="govuk-button {{ classes }}" data-module="govuk-button"{% if hidden %} style="display: none;"{% endif %}>
+ {% lcs text %}
+ {% if show_chevron %}
+ <svg class="govuk-button__start-icon" xmlns="http://www.w3.org/2000/svg" width="13" height="15" viewBox="0 0 33 43" aria-hidden="true" focusable="false">
+ <path fill="currentColor" d="M0 0h13l20 20-20 20H0l20-20z" />
+ </svg>
+ {% endif %}
+</a>
diff --git a/lite_forms/templatetags/custom_tags.py b/lite_forms/templatetags/custom_tags.py
index 97857f37d8..0276747954 100644
--- a/lite_forms/templatetags/custom_tags.py
+++ b/lite_forms/templatetags/custom_tags.py
@@ -6,7 +6,6 @@
 from django.urls import reverse
 from django.utils.safestring import mark_safe
-from core.builtins.custom_tags import get_const_string
 from lite_forms.helpers import flatten_data
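Review bot: The new template renders `{% lcs text %}` but has no `{% load %}` line for the library that defines `lcs`; if that tag is registered through the TEMPLATES `builtins` option (the removed `core.builtins.custom_tags` import suggests it is) this is fine, otherwise the template fails to compile on first render. Note also that the autoescaping the commit message relies on covers `id`, `classes` and `query_params` in the `<a>` attributes, but whether the button label is escaped depends on what `lcs` returns — if it marks its output safe, `text` is trusted as a constant-string key and is not sanitised here; worth confirming. A short header comment would help the next reader, e.g. `{# Rendered by the govuk_link_button inclusion tag (custom_tags.py); context values are autoescaped #}`.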
@@ -199,27 +198,25 @@ def item_with_rating_exists(items, rating):
 return True
-@register.simple_tag
-@mark_safe # noqa: S308
+@register.inclusion_tag("govuk-link-button.html")
 def govuk_link_button(text, url, url_param=None, id="", classes="", query_params="", show_chevron=False, hidden=False):
- text = get_const_string(text)
+ if not url_param:
+ url_param = []
+
 if isinstance(url_param, str):
 url_param = [url_param]
- url = reverse(url, args=url_param if url_param else [])
- id = f'id="button-{id}"' if id else ""
- chevron = ""
- if show_chevron:
- chevron = (
- '<svg class="govuk-button__start-icon" xmlns="http://www.w3.org/2000/svg" width="13" height="15" '
- 'viewBox="0 0 33 43" aria-hidden="true" focusable="false">'
- '<path fill="currentColor" d="M0 0h13l20 20-20 20H0l20-20z" /></svg>'
- )
- hidden = 'style="display: none;"' if hidden else ""
-
- return (
- f'<a {id} href="{url}{query_params}" role="button" draggable="false" class="govuk-button {classes}" {hidden} '
- f'data-module="govuk-button">{text}{chevron}</a>'
- )
+
+ url = reverse(url, args=url_param)
+
+ return {
+ "text": text,
+ "url": url,
+ "id": id,
+ "classes": classes,
+ "show_chevron": show_chevron,
+ "hidden": hidden,
+ "query_params": query_params,
+ }
 @register.filter()
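Review bot: `govuk_link_button` has no docstring, and the contract it now depends on is not visible from the signature: `text` is passed through unchanged and resolved by `{% lcs text %}` in the template rather than by `get_const_string` here, `url` is a URL name handed to `reverse`, `url_param` may be a single string or a sequence of positional args, and `query_params` is appended verbatim to the href (so it must carry its own leading `?`). A docstring stating those four points and that the return value is the context for `govuk-link-button.html` would cover it. The normalisation on the new lines is also lopsided: a non-string scalar such as an int still reaches `reverse(url, args=url_param)`, which expects an iterable, so `elif not isinstance(url_param, (list, tuple)): url_param = [url_param]` after the `str` branch would make the single-argument case uniform — only worth doing if callers actually pass such values, which this hunk cannot show. With the `@mark_safe` decorator gone, the `mark_safe` import kept as context in the earlier hunk is unused unless something else in the file still needs it; if not, drop it along with `get_const_string`.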