Merge pull request #1794 from 18F/address-findings

API: do not echo user input
18F · Sep 16, 2024 · f4750d2 · f4750d2
2 parents a74d006 + e619d92
commit f4750d2
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 5 deletions.
diff --git a/tock/api/views.py b/tock/api/views.py
@@ -4,7 +4,6 @@
 from django.contrib.auth import get_user_model
 from django.db import connection
 from django.db.models import Count, F
-from django.utils.html import escape
 
 from rest_framework import serializers, generics
 from rest_framework.exceptions import ParseError
@@ -257,9 +256,7 @@ def date_from_iso_format(date_str):
         return datetime.date.fromisoformat(date_str)
     except ValueError:
         raise ParseError(
-            detail='Invalid date format. Got {}, expected ISO format (YYYY-MM-DD)'.format(
-                escape(date_str)
-            )
+            detail='Invalid date format. Expected ISO format (YYYY-MM-DD)'
         )
 
 def filter_timecards(queryset, params={}):

diff --git a/tock/hours/tests/test_views.py b/tock/hours/tests/test_views.py
@@ -919,7 +919,7 @@ def test_ReportingPeriodDetailView_escape_invalid_date_404(self):
             expect_errors=True
         )
         self.assertEqual(response.status_code, 400)
-        self.assertEqual(response.json['detail'], 'Invalid date format. Got &quot;&gt;&lt;fish&gt;, expected ISO format (YYYY-MM-DD)')
+        self.assertEqual(response.json['detail'], 'Invalid date format. Expected ISO format (YYYY-MM-DD)')
 
     def test_ReportingPeriodDetailView_add_submitted_time(self):
         """