diff --git a/pygeoapi/util.py b/pygeoapi/util.py
index fa99165be..1e9118798 100644
--- a/pygeoapi/util.py
+++ b/pygeoapi/util.py
@@ -265,8 +265,9 @@ def to_json(dict_: dict, pretty: bool = False) -> str:
 json_dump = json.dumps(dict_, default=json_serial, indent=indent,
 separators=(',', ':'))
- LOGGER.debug('Removing < and >')
- json_dump = json_dump.replace('<', '<').replace('>', '>')
+ LOGGER.debug('Escaping < and >')
+ json_dump = json_dump.replace('<', '<')
+ json_dump = json_dump.replace('>', '>')
 return json_dump
diff --git a/tests/other/test_util.py b/tests/other/test_util.py
index c2602d241..e17876b39 100644
--- a/tests/other/test_util.py
+++ b/tests/other/test_util.py
@@ -33,6 +33,7 @@ from io import StringIO
 from unittest import mock
 import uuid
+from xml.sax.saxutils import unescape
 import pytest
@@ -77,13 +78,20 @@ def test_get_typed_value():
 @pytest.mark.parametrize('data,minified,pretty_printed', [
 [{'foo': 'bar'}, '{"foo":"bar"}', '{\n "foo":"bar"\n}'],
 [{'foo': 'bar'},
- '{"foo<script>alert(\\"hi\\")</script>":"bar"}',
- '{\n "foo<script>alert(\\"hi\\")</script>":"bar"\n}']
+ '{"foo<script>alert(\\"hi\\")</script>":"bar"}',
+ '{\n "foo<script>alert(\\"hi\\")</script>":"bar"\n}']
 ])
 def test_to_json(data, minified, pretty_printed):
- assert util.to_json(data) == minified
+ output = util.to_json(data)
+ assert output == minified
 assert util.to_json(data, pretty=True) == pretty_printed
+ unescaped_output = unescape(output)
+ if '<' in output:
+ assert '<' in unescaped_output
+ if '>' in output:
+ assert '>' in unescaped_output
+
 def test_yaml_load(config):
 assert isinstance(config, dict)
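Review bot: As the hunk reads, the two added `replace` calls on the new side swap '<' for '<' and '>' for '>', so to_json returns raw angle brackets and the new 'Escaping < and >' debug message describes something that does not happen; if the replacement targets were HTML entities that the page rendering decoded, the listing cannot show it, so confirm the literal targets against the repository before merging. Even with entity targets, entity-escaping a JSON document is the wrong tool: it changes the value of any string that legitimately contains '<' for every API client, while a `</script>` break-out only matters when the JSON is inlined into an HTML page. The JSON-native escape keeps the document parseable and semantically identical, e.g. `json_dump = json_dump.replace('<', '\\u003c').replace('>', '\\u003e')`, and `json.loads` of the result still yields the original text. The rest of to_json, including how `indent` is chosen, lies outside the hunk.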
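Review bot: The two conditional checks added at the end of test_to_json cannot fail: `unescape` only turns entity references into characters, so whenever '<' or '>' is in `output` it is necessarily in `unescaped_output` as well, and when the characters are absent the branches are skipped. As shown, the second parametrize case also feeds `{'foo': 'bar'}` yet expects a key containing `<script>`, which suggests the tag in the input key was stripped when the page was rendered; check the fixture against the repository. To actually pin the escaping, assert unconditionally that the raw characters are gone and, if the escaping is meant to be transparent to JSON consumers, round-trip the output: `assert '<' not in output and '>' not in output` followed by `assert json.loads(output) == data`. `json` would have to be added to the module's import block, which is in the earlier hunk of this file.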