From 81f4b4e52cb126a7762207b4f9b694546f61177f Mon Sep 17 00:00:00 2001
From: James Tranovich
Date: Thu, 12 Sep 2024 10:04:06 -0700
Subject: [PATCH 1/2] API: do not echo user input
---
 tock/api/views.py | 4 +---
 tock/hours/tests/test_views.py | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/tock/api/views.py b/tock/api/views.py
index d0de0c99..f106cecd 100644
--- a/tock/api/views.py
+++ b/tock/api/views.py
@@ -257,9 +257,7 @@ def date_from_iso_format(date_str):
 return datetime.date.fromisoformat(date_str)
 except ValueError:
 raise ParseError(
- detail='Invalid date format. Got {}, expected ISO format (YYYY-MM-DD)'.format(
- escape(date_str)
- )
+ detail='Invalid date format. Expected ISO format (YYYY-MM-DD)'
 )
 
 def filter_timecards(queryset, params={}):
diff --git a/tock/hours/tests/test_views.py b/tock/hours/tests/test_views.py
index e63c945c..031d5945 100644
--- a/tock/hours/tests/test_views.py
+++ b/tock/hours/tests/test_views.py
@@ -919,7 +919,7 @@ def test_ReportingPeriodDetailView_escape_invalid_date_404(self):
 expect_errors=True
 )
 self.assertEqual(response.status_code, 400)
- self.assertEqual(response.json['detail'], 'Invalid date format. Got "><fish>, expected ISO format (YYYY-MM-DD)')
+ self.assertEqual(response.json['detail'], 'Invalid date format. Expected ISO format (YYYY-MM-DD)')
 
 def test_ReportingPeriodDetailView_add_submitted_time(self):
 """
From e619d92c4de93fb5e5c0ea5da6f0af2308bd1067 Mon Sep 17 00:00:00 2001
From: James Tranovich
Date: Thu, 12 Sep 2024 12:32:03 -0700
Subject: [PATCH 2/2] removed spurious import
---
 tock/api/views.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tock/api/views.py b/tock/api/views.py
index f106cecd..2a848a43 100644
--- a/tock/api/views.py
+++ b/tock/api/views.py
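Review bot: The new `detail=` line stops reflecting `date_str` into the error body, but nothing in the code records why, so a later edit could quietly reintroduce the echo; a short comment above `raise ParseError(` would pin the intent, e.g. `# Deliberately not echoing date_str: the message is returned to the client and may be logged, so keep user-controlled data out of it.` The handler still catches only `ValueError`, while `datetime.date.fromisoformat` raises `TypeError` for a non-str argument; if a caller can pass a non-string (not visible in this hunk), `except (TypeError, ValueError) as exc:` together with `raise ParseError(...) from exc` would keep that a 400 and preserve the chained cause for server-side diagnosis without exposing it to the client. The `try` and the `def date_from_iso_format(date_str)` signature lie outside the hunk.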
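Review bot: The updated assertion on the `+` line pins the exact new wording but no longer states the property this patch exists for — that the submitted `"><fish>` value must not appear in the response — so the test is brittle to harmless message edits while its security intent stays implicit. Add a direct check next to it, e.g. `self.assertNotIn('fish', response.json['detail'])`, which survives rewording and documents why the value is absent. The method name `test_ReportingPeriodDetailView_escape_invalid_date_404` now describes neither escaping nor a 404 while the body asserts 400; a rename along the lines of `..._invalid_date_not_echoed_400` would make the intent readable, though the `404` may predate this change. The `def` and the request call that passes `expect_errors=True` start outside the hunk.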
@@ -4,7 +4,6 @@ from django.contrib.auth import get_user_model
 from django.db import connection
 from django.db.models import Count, F
-from django.utils.html import escape
 from rest_framework import serializers, generics
 from rest_framework.exceptions import ParseError