Fix docstrings not escaped in the /help command if no syntax was used

Pietro Albini · Pietro Albini · commit e0a91a0768ab · 2016-06-04T22:09:36.000+02:00
Before this commit, even if you didn't use rich formatting in your docstrings you had to escape any >, < or & in them. This commit fixes that by automatically escaping the docstring if no syntax was used. You need to escape those chars manually if you use rich formatting though. Fixes: GH-67
diff --git a/botogram/defaults.py b/botogram/defaults.py
@@ -6,6 +6,9 @@
     Released under the MIT license
 """
 
+import html
+
+from . import syntaxes
 from . import components
 from . import decorators
 
@@ -76,7 +79,7 @@ def _help_generic_message(self, bot, commands):
         if len(commands) > 0:
             message.append(bot._("<b>This bot supports those commands:</b>"))
             for name in sorted(commands.keys()):
-                summary = commands[name].summary
+                summary = escape_html(commands[name].summary)
                 if summary is None:
                     summary = "<i>%s</i>" % bot._("No description available.")
                 message.append("/%s <code>-</code> %s" % (name, summary))
@@ -104,7 +107,7 @@ def _help_command_message(self, bot, commands, command):
         """Generate a command's help message"""
         message = []
 
-        docstring = commands[command].docstring
+        docstring = escape_html(commands[command].docstring)
         if docstring is None:
             docstring = "<i>%s</i>" % bot._("No description available.")
         message.append("/%s <code>-</code> %s" % (command, docstring))
@@ -151,3 +154,12 @@ def no_commands_hook(self, bot, chat, message):
                 bot._("Use /help to get a list of the commands."),
             ]), syntax="html")
             return True
+
+
+def escape_html(text):
+    """Escape a docstring"""
+    # The docstring is escaped only if it doesn't contain HTML markup
+    if not syntaxes.is_html(text):
+        return html.escape(text)
+
+    return text
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -78,6 +78,15 @@ Performance improvements
 * Updates queueing performance improved
 * Backlog processing is now instantaneous
 
+Bug fixes
+---------
+
+* Fix docstrings not escaped in the ``/help`` command if no syntax was used
+  (`issue 67`_)
+
+   * Now docstrings are escaped if you don't use any HTML syntax in them, but
+     if you use HTML you need to manually escape that specific docstring.
+
 Deprecated features
 -------------------
 
@@ -87,6 +96,8 @@ Deprecated features will be removed in botogram 1.0!
 * ``Message.left_chat_participant`` is now deprecated
 * ``Bot.hide_commands`` is now deprecated
 
+.. _issue 67: https://github.com/pietroalbini/botogram/issues/67
+
 .. _changelog-0.2.1:
 
 botogram 0.2.1
