simplify route and definition

scidsg · Nov 13, 2024 · 0a509b7 · 0a509b7
1 parent 7148aac
commit 0a509b7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 9 deletions.
diff --git a/hushline/settings/__init__.py b/hushline/settings/__init__.py
@@ -826,9 +826,18 @@ async def alias(username_id: int) -> Response | str:
     def update_directory_intro_text() -> Response:
         form = UpdateDirectoryIntroTextForm()
         if form.validate_on_submit():
-            intro_text = sanitize_input(form.directory_intro_text.data)
-            OrganizationSetting.upsert(key=OrganizationSetting.DIRECTORY_INTRO, value=intro_text)
+            # Get the raw input from the form
+            raw_intro_text = form.directory_intro_text.data
+
+            # Sanitize the input using the simplified sanitize_input function
+            sanitized_intro_text = sanitize_input(raw_intro_text)
+
+            # Update or insert the organization setting with the sanitized text
+            OrganizationSetting.upsert(
+                key=OrganizationSetting.DIRECTORY_INTRO, value=sanitized_intro_text
+            )
             db.session.commit()
+
             flash("✅ Directory introduction text updated successfully.", "success")
         else:
             flash("❌ Failed to update introduction text. Please check your input.", "error")

diff --git a/tests/test_settings.py b/tests/test_settings.py
@@ -18,6 +18,7 @@
     User,
     Username,
 )
+from hushline.settings import sanitize_input
 
 
 @pytest.mark.usefixtures("_authenticated_user")
@@ -669,29 +670,26 @@ def test_update_brand_logo(client: FlaskClient, admin: User) -> None:
 
 
 def test_sanitize_input():
-    # Disallowed script tag should be removed
+    # Disallowed script tag should be removed, content remains
     input_text = 'Hello <script>alert("malicious")</script> World!'
     sanitized_text = sanitize_input(input_text)
     assert "<script>" not in sanitized_text
-    assert sanitized_text == "Hello  World!"
+    assert sanitized_text == 'Hello alert("malicious") World!'
 
     # Allowed tags should be retained
     input_text = (
         'Welcome <b>bold</b> and <i>italic</i> text with <a href="https://example.com">link</a>.'
     )
     sanitized_text = sanitize_input(input_text)
-    assert (
-        sanitized_text
-        == 'Welcome <b>bold</b> and <i>italic</i> text with <a href="https://example.com">link</a>.'
-    )
+    assert sanitized_text == input_text
 
     # Disallowed attributes should be stripped
     input_text = 'Click <a href="https://example.com" onclick="malicious()">here</a>'
     sanitized_text = sanitize_input(input_text)
     assert "onclick" not in sanitized_text
     assert sanitized_text == 'Click <a href="https://example.com">here</a>'
 
-    # Disallowed tags should be stripped
+    # Disallowed tags should be stripped, content kept
     input_text = "This is a <div>test</div>."
     sanitized_text = sanitize_input(input_text)
     assert sanitized_text == "This is a test."