From 3506ad53fb925db220f5f5b7d29837c4cc4e65e2 Mon Sep 17 00:00:00 2001
From: Kevin Carrogan <kevin@carrogan.com>
Date: Thu, 19 Dec 2024 11:53:10 +0000
Subject: [PATCH] Switch govuk link button to an inclusion tag

This is to ensure that any potential HTML tags are sanitised correctly by using Django's template engine
---
 lite_forms/templates/govuk-link-button.html |  8 +++++
 lite_forms/templatetags/custom_tags.py      | 35 ++++++++++-----------
 2 files changed, 24 insertions(+), 19 deletions(-)
 create mode 100644 lite_forms/templates/govuk-link-button.html

diff --git a/lite_forms/templates/govuk-link-button.html b/lite_forms/templates/govuk-link-button.html
new file mode 100644
index 0000000000..400a4c017a
--- /dev/null
+++ b/lite_forms/templates/govuk-link-button.html
@@ -0,0 +1,8 @@
+<a {% if id %}id="button-{{ id }}" {% endif %}href="{{ url }}{{ query_params }}" role="button" draggable="false" class="govuk-button {{ classes }}" data-module="govuk-button"{% if hidden %} style="display: none;"{% endif %}>
+    {% lcs text %}
+    {% if show_chevron %}
+        <svg class="govuk-button__start-icon" xmlns="http://www.w3.org/2000/svg" width="13" height="15" viewBox="0 0 33 43" aria-hidden="true" focusable="false">
+            <path fill="currentColor" d="M0 0h13l20 20-20 20H0l20-20z" />
+        </svg>
+    {% endif %}
+</a>
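Review bot: `{% lcs text %}` on the first line of the new template is the one value that does not go through `{{ }}` autoescaping, so whether `text` is sanitised — the stated aim of this commit — depends entirely on how the `lcs` tag builds its output, which is not visible here; confirm it returns escaped (or `conditional_escape`d) output rather than a `mark_safe` string before relying on this template for untrusted text. `{{ url }}{{ query_params }}` and `{{ classes }}` are now autoescaped, which is the concrete improvement over the old `mark_safe` f-string. One side effect worth a line in the commit message: autoescaping `query_params` renders `&` as `&amp;` inside `href`, which is valid HTML but differs byte-for-byte from the previous raw output if any test or caller compared the rendered markup.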
diff --git a/lite_forms/templatetags/custom_tags.py b/lite_forms/templatetags/custom_tags.py
index 97857f37d8..0276747954 100644
--- a/lite_forms/templatetags/custom_tags.py
+++ b/lite_forms/templatetags/custom_tags.py
@@ -6,7 +6,6 @@
 from django.urls import reverse
 from django.utils.safestring import mark_safe
 
-from core.builtins.custom_tags import get_const_string
 from lite_forms.helpers import flatten_data
 
 
@@ -199,27 +198,25 @@ def item_with_rating_exists(items, rating):
                 return True
 
 
-@register.simple_tag
-@mark_safe  # noqa: S308
+@register.inclusion_tag("govuk-link-button.html")
 def govuk_link_button(text, url, url_param=None, id="", classes="", query_params="", show_chevron=False, hidden=False):
-    text = get_const_string(text)
+    if not url_param:
+        url_param = []
+
     if isinstance(url_param, str):
         url_param = [url_param]
-    url = reverse(url, args=url_param if url_param else [])
-    id = f'id="button-{id}"' if id else ""
-    chevron = ""
-    if show_chevron:
-        chevron = (
-            '<svg class="govuk-button__start-icon" xmlns="http://www.w3.org/2000/svg" width="13" height="15" '
-            'viewBox="0 0 33 43" aria-hidden="true" focusable="false">'
-            '<path fill="currentColor" d="M0 0h13l20 20-20 20H0l20-20z" /></svg>'
-        )
-    hidden = 'style="display: none;"' if hidden else ""
-
-    return (
-        f'<a {id} href="{url}{query_params}" role="button" draggable="false" class="govuk-button {classes}" {hidden} '
-        f'data-module="govuk-button">{text}{chevron}</a>'
-    )
+
+    url = reverse(url, args=url_param)
+
+    return {
+        "text": text,
+        "url": url,
+        "id": id,
+        "classes": classes,
+        "show_chevron": show_chevron,
+        "hidden": hidden,
+        "query_params": query_params,
+    }
 
 
 @register.filter()
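Review bot: The new `if not url_param: url_param = []` guard at the top of `govuk_link_button` runs before the `isinstance(url_param, str)` branch, so an empty-string `url_param` now reaches `reverse` as `args=[]` where the removed code passed `args=[""]`; if that change is intentional it deserves a comment such as `# an empty/None url_param means "no positional args"`, otherwise the two checks should be swapped back. The function also lost the Python-side `get_const_string(text)` call and now hands the raw key to the template, so a docstring would help the next reader, e.g. `"""Render a GOV.UK link-styled button; `text` is a constant-string key that the template resolves via the lcs tag."""`. The `id` parameter shadows the builtin, which predates this commit but is worth renaming while the signature is being touched, keeping the old name accepted for existing template callers.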