Move custom Nunjucks safe handling to filters

Author: colinrotherham

app/filters/nunjucks.js

@@ -1,10 +1,15 @@
 // app/filters/nunjucks.js
 
+const { safe: nunjucksSafe } = require('nunjucks/src/filters')
+
 const log = (a, description = null) => {
   if (description) {
     description = `console.log("${description}:");`
   }
-  return `<script>${description || ''}console.log(${JSON.stringify(a, null, '\t')});</script>`
+  
+  return nunjucksSafe(
+    `<script>${description || ''}console.log(${JSON.stringify(a, null, '\t')});</script>`
+  )
 }
 
 

app/filters/tags.js

@@ -1,5 +1,6 @@
 // app/filters/tags.js
 
+const { safe: nunjucksSafe } = require('nunjucks/src/filters')
 const { formatWords, sentenceCase, snakeCase } = require('../lib/utils/strings')
 const { getStatusTagColour, getStatusText } = require('../lib/utils/status')
 
@@ -31,7 +32,7 @@ const toTag = (status, options = {}) => {
 
   // Generate tag HTML
   const idAttr = options.id ? ` id=\"${options.id}\"` : ''
-  return `<strong${idAttr} class="${classes}">${text}</strong>`
+  return nunjucksSafe(`<strong${idAttr} class="${classes}">${text}</strong>`)
 }
 
 module.exports = {

app/lib/utils/participants.js

@@ -1,4 +1,6 @@
 // app/lib/utils/participants.js
+
+const { safe: nunjucksSafe } = require('nunjucks/src/filters')
 const riskLevels = require('../../data/risk-levels.js')
 
 /**
@@ -18,7 +20,7 @@ const getParticipant = (data, participantId) => {
 const getFullName = (participant) => {
   if (!participant?.demographicInformation) return ''
   const { firstName, middleName, lastName } = participant.demographicInformation
-  return [firstName, middleName, lastName].filter(Boolean).join(' ')
+  return nunjucksSafe([firstName, middleName, lastName].filter(Boolean).join(' '))
 }
 
 /**
@@ -38,7 +40,7 @@ const getFullNameReversed = (participant) => {
 const getShortName = (participant) => {
   if (!participant?.demographicInformation) return ''
   const { firstName, lastName } = participant.demographicInformation
-  return `${firstName} ${lastName}`
+  return nunjucksSafe(`${firstName} ${lastName}`)
 }
 
 /**

app/lib/utils/strings.js

@@ -1,5 +1,6 @@
 // app/lib/utils/strings.js
 
+const { safe: nunjucksSafe } = require('nunjucks/src/filters')
 const pluralizeLib = require('pluralize')
 
 
@@ -241,7 +242,7 @@ const stringLiteral = function (str) {
  */
 const noWrap = (input) => {
   if (!input) return ''
-  return `<span class="app-nowrap">${input}</span>`
+  return nunjucksSafe(`<span class="app-nowrap">${input}</span>`)
 }
 
 /**
@@ -251,7 +252,7 @@ const noWrap = (input) => {
  */
 const asHint = (input) => {
   if (!input) return ''
-  return `<span class="app-text-grey">${input}</span>`
+  return nunjucksSafe(`<span class="app-text-grey">${input}</span>`)
 }
 
 /** * Wrap string in a hidden text span
@@ -261,7 +262,7 @@ const asHint = (input) => {
  */
 const asVisuallyHiddenText = (input) => {
   if (!input) return ''
-  return `<span class="nhsuk-u-visually-hidden">${input}</span>`
+  return nunjucksSafe(`<span class="nhsuk-u-visually-hidden">${input}</span>`)
 }
 
 /**

lib/utils.js

@@ -8,21 +8,11 @@ const crypto = require('crypto');
 const coreFilters = require('./core_filters');
 const customFilters = require('../app/filters');
 
-const SAFE_FILTERS = ['noWrap', 'asHint', 'log', 'toTag', 'getShortName', 'getFullName', 'asVisuallyHiddenText'];
 
 exports.addNunjucksFilters = function (env) {
   const filters = Object.assign(coreFilters(env), customFilters(env));
-  const safe = env.getFilter('safe');
-
   Object.keys(filters).forEach((filterName) => {
-    const filter = filters[filterName];
-
-    // If it's in our safe list, wrap the filter to mark its output as safe
-    if (SAFE_FILTERS.includes(filterName)) {
-      env.addFilter(filterName, (...args) => safe(filter(...args)));
-    } else {
-      env.addFilter(filterName, filter);
-    }
+    env.addFilter(filterName, filters[filterName]);
   });
 };