diff --git a/newsroom/notifications/notifications.py b/newsroom/notifications/notifications.py
index f2917096..ced7d48b 100644
--- a/newsroom/notifications/notifications.py
+++ b/newsroom/notifications/notifications.py
@@ -10,6 +10,10 @@ from superdesk.utc import utcnow
 from flask import current_app as app, session
+# The set of fields we need to return to satisfy the notifications
+ITEM_FIELDS = ('_id', 'type', 'headline', 'versioncreated')
+AGENDA_FIELDS = ('_id', 'type', 'name', 'versioncreated')
+
 class NotificationsResource(newsroom.Resource):
 url = 'users//notifications'
@@ -72,14 +76,25 @@ def get_initial_notifications():
 items = []
 try:
 items.extend(superdesk.get_resource_service('wire_search').get_items(item_ids))
- for item in items:
- item["body_html"] = escape(item["body_html"])
 except KeyError: # wire disabled
 pass
 try:
 items.extend(superdesk.get_resource_service('agenda').get_items(item_ids))
 except KeyError: # agenda disabled
 pass
+
+ for item in items:
+ fields = AGENDA_FIELDS if item.get('type') == 'agenda' else ITEM_FIELDS
+ keys_to_remove = set(item.keys()) - set(fields)
+
+ for key in keys_to_remove:
+ item.pop(key, None)
+
+ # escape any strings to be sure
+ for key, value in item.items():
+ if isinstance(value, str):
+ item[key] = escape(value)
+
 return {
 'user': str(session['user']) if session['user'] else None,
 'notifications': list(items),
diff --git a/newsroom/wire/views.py b/newsroom/wire/views.py
index 32801e3d..5b93c031 100644
--- a/newsroom/wire/views.py
+++ b/newsroom/wire/views.py
@@ -89,6 +89,14 @@ def get_view_data():
 }
+def escape_strings(obj):
+ for k, v in obj.items():
+ if isinstance(v, dict):
+ escape_strings(v)
+ elif isinstance(v, str):
+ obj[k] = escape(v)
+
+
 def get_items_by_card(cards):
 if app.cache.get(HOME_ITEMS_CACHE_KEY):
 return app.cache.get(HOME_ITEMS_CACHE_KEY)
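Review bot: The comment above ITEM_FIELDS and AGENDA_FIELDS says "the set of fields we need to return" but does not say that they act as allow-lists — every other key on a notification item is removed further down in get_initial_notifications() — and the values are tuples, not sets. Suggest `# Allow-lists: any key of a notification item not listed here is dropped before the item is returned`. If the filtering loop in this file keeps calling `set(fields)` per item, defining these constants as frozenset literals would also avoid rebuilding that set on every iteration.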
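Review bot: The new per-item loop in get_initial_notifications() does two separate things — prune to an allow-list, then HTML-escape — and the second half re-implements the escape_strings() helper that this same commit adds in newsroom/wire/views.py; extracting the loop body into a small `_sanitize_notification_item(item)` with a docstring naming both steps would make the intent readable and give the two call sites one escaping rule. `keys_to_remove = set(item.keys()) - set(fields)` can be written `set(item) - set(fields)`, and the `item.pop(key, None)` default is redundant because every key comes from the item itself. escape() is also applied to `_id` when it is a string; that looks harmless for hex ids but deserves a one-line comment so the next reader does not take it for a bug. get_initial_notifications() starts before this hunk and its return statement continues past it.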
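Review bot: escape_strings() recurses into dict values and escapes str values but skips lists entirely, so any string held in a list-valued field, or any dict nested inside a list, passes through unescaped — which matters because the call site in get_items_by_card() now relies on this helper for every field rather than just body_html. Whether wire items actually carry list-valued fields is not visible in this hunk, so either document the limitation in a docstring (`"""Escape str values in *obj* in place, recursing into dicts only; list values are left untouched."""`) or add a list branch as sketched below. A docstring is missing in either case.
```python
def escape_strings(obj):
    """HTML-escape every str value reachable from *obj* in place.

    Recurses into nested dicts and into lists (dicts inside a list are
    escaped in place; str elements are replaced by their escaped form).
    """
    for k, v in obj.items():
        if isinstance(v, dict):
            escape_strings(v)
        elif isinstance(v, list):
            for child in v:
                if isinstance(child, dict):
                    escape_strings(child)
            obj[k] = [escape(child) if isinstance(child, str) else child for child in v]
        elif isinstance(v, str):
            obj[k] = escape(v)
```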
@@ -100,7 +108,7 @@ def get_items_by_card(cards):
 get_product_items(ObjectId(card['config']['product']), card['config']['size'])
 if items:
 for item in items:
- item["body_html"] = escape(item["body_html"])
+ escape_strings(item)
 items_by_card[card['label']] = items
 elif card['type'] == '4-photo-gallery':
 # Omit external media, let the client manually request these
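Review bot: Replacing the body_html-only escape with `escape_strings(item)` widens HTML-escaping to every string field of the item, including nested dicts, so values that are not HTML — URLs or identifiers, if the item carries any (not visible in this hunk) — will have `&`, `<` and quotes rewritten, which is a presentation-layer transform applied at the data layer and will corrupt any value the client uses outside an HTML context. Worth confirming against the client before merging, and worth a comment on this line stating why escaping is done here rather than at render time, e.g. `# defence in depth: escape server-side in case a field is rendered as raw HTML`, hedged because the rendering code is not in this diff. The enclosing get_items_by_card() starts and ends outside the hunk.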