From 896e7fd7d55e7067ce7c0c1ca03e7315b13e9518 Mon Sep 17 00:00:00 2001
From: jedi
Date: Wed, 13 Nov 2019 16:20:22 +0100
Subject: [PATCH] escape title correctly for use in css content property
---
 schickmacher/renderer/templatetags/__init__.py | 0
 schickmacher/renderer/templatetags/extra_filters.py | 8 ++++++++
 schickmacher/renderer/tests/test_extra_filters.py | 12 ++++++++++++
 schickmacher/templates/renderer/rendered.html | 4 ++--
 4 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 schickmacher/renderer/templatetags/__init__.py
 create mode 100644 schickmacher/renderer/templatetags/extra_filters.py
 create mode 100644 schickmacher/renderer/tests/test_extra_filters.py
diff --git a/schickmacher/renderer/templatetags/__init__.py b/schickmacher/renderer/templatetags/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/schickmacher/renderer/templatetags/extra_filters.py b/schickmacher/renderer/templatetags/extra_filters.py
new file mode 100644
index 0000000..b05ae2e
--- /dev/null
+++ b/schickmacher/renderer/templatetags/extra_filters.py
@@ -0,0 +1,8 @@
+from django import template
+import re
+
+register = template.Library()
+
+@register.filter
+def escape_css_content(value):
+ return re.sub(r'''['"\n\\]''', lambda m: '\{:06X}'.format(ord(m.group())), value)
diff --git a/schickmacher/renderer/tests/test_extra_filters.py b/schickmacher/renderer/tests/test_extra_filters.py
new file mode 100644
index 0000000..6c4925d
--- /dev/null
+++ b/schickmacher/renderer/tests/test_extra_filters.py
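Review bot: The character class in `escape_css_content` covers `\n` but not `\r` or `\f`, which CSS also treats as newlines inside a string, so a title holding either one still ends the quoted `content` value early. A hex escape also consumes one whitespace character that follows it, so a quote followed by a space would lose that space in the rendered text. I would widen the class and terminate each escape explicitly: `return re.sub(r'''['"\r\n\f\\]''', lambda m: '\\{:06X} '.format(ord(m.group())), value)`. The doubled backslash also replaces `'\{:06X}'`, which depends on an invalid string escape that newer Python versions warn about. The expectations in test_extra_filters.py would need the trailing space, plus a case for a quote followed by whitespace.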
@@ -0,0 +1,12 @@
+from schickmacher.renderer.templatetags.extra_filters import escape_css_content
+
+# we use the padded 6 digit css escape sequences
+# https://www.w3.org/International/questions/qa-escapes
+def test_css_content():
+ assert escape_css_content("head\"tail") == "head\\000022tail"
+ assert escape_css_content("head\'tail") == "head\\000027tail"
+ assert escape_css_content("head\\tail") == "head\\00005Ctail"
+ assert escape_css_content("head\ntail") == "head\\00000Atail"
+ assert escape_css_content("\"\"") == "\\000022\\000022"
+ assert escape_css_content("\\\\") == "\\00005C\\00005C"
+ assert escape_css_content("ABCD1234
  • ") == "ABCD1234
  • "
diff --git a/schickmacher/templates/renderer/rendered.html b/schickmacher/templates/renderer/rendered.html
index 2ca154b..d3f0198 100644
--- a/schickmacher/templates/renderer/rendered.html
+++ b/schickmacher/templates/renderer/rendered.html
@@ -1,4 +1,4 @@
-{% load static compress tz %}
+{% load extra_filters %}{% load static compress tz %}
@@ -16,7 +16,7 @@
 content: "{{ date | date:'d.m.Y' }}";
 }
 @top-left {
- content: "{{ title }}"
+ content: "{{ title | escape_css_content | safe }}"
 }
 @top-right-corner {
 }
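Review bot: `| safe` on the `@top-left` line turns off Django's HTML autoescaping, while `escape_css_content` leaves `<`, `>` and `&` untouched. If this rule sits inside a `<style>` element (the enclosing markup is outside the hunk), a title containing a closing style tag would end the element and the remainder would be parsed as markup. Escaping those characters as CSS hex escapes keeps the value inert in both the CSS and the HTML context, for example by extending the filter's class to `['"<>&\r\n\f\\]`. Where `title` comes from is not shown here, so this matters most if it can be supplied by a user.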