From ab5d5a6cad623e38bd696ee5ae8925e93899e777 Mon Sep 17 00:00:00 2001 From: Benjamin Webb Date: Tue, 31 Mar 2026 09:31:09 -0400 Subject: [PATCH 1/2] Fix to_json escape --- pygeoapi/util.py | 4 +++- tests/other/test_util.py | 14 +++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/pygeoapi/util.py b/pygeoapi/util.py index fa99165be..06125b61a 100644 --- a/pygeoapi/util.py +++ b/pygeoapi/util.py @@ -266,7 +266,9 @@ def to_json(dict_: dict, pretty: bool = False) -> str: separators=(',', ':')) LOGGER.debug('Removing < and >') - json_dump = json_dump.replace('<', '<').replace('>', '>') + json_dump = json_dump.replace('<', '<') + json_dump = json_dump.replace('>', '>') + return json_dump diff --git a/tests/other/test_util.py b/tests/other/test_util.py index c2602d241..e17876b39 100644 --- a/tests/other/test_util.py +++ b/tests/other/test_util.py @@ -33,6 +33,7 @@ from io import StringIO from unittest import mock import uuid +from xml.sax.saxutils import unescape import pytest @@ -77,13 +78,20 @@ def test_get_typed_value(): @pytest.mark.parametrize('data,minified,pretty_printed', [ [{'foo': 'bar'}, '{"foo":"bar"}', '{\n "foo":"bar"\n}'], [{'foo': 'bar'}, - '{"foo<script>alert(\\"hi\\")</script>":"bar"}', - '{\n "foo<script>alert(\\"hi\\")</script>":"bar"\n}'] + '{"foo<script>alert(\\"hi\\")</script>":"bar"}', + '{\n "foo<script>alert(\\"hi\\")</script>":"bar"\n}'] ]) def test_to_json(data, minified, pretty_printed): - assert util.to_json(data) == minified + output = util.to_json(data) + assert output == minified assert util.to_json(data, pretty=True) == pretty_printed + unescaped_output = unescape(output) + if '<' in output: + assert '<' in unescaped_output + if '>' in output: + assert '>' in unescaped_output + def test_yaml_load(config): assert isinstance(config, dict) From c80bc697aabac18b437746698ed1586454ae7b72 Mon Sep 17 00:00:00 2001 
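Review bot: The two `json_dump.replace(...)` lines in `to_json` appear to substitute HTML entities for `<` and `>`, which changes the value seen by any client that parses the response as JSON. The replacement strings are not legible in this rendering; the inference comes from the test unescaping with `xml.sax.saxutils.unescape`. Because `&` is not escaped as well, a value that already contained entity text cannot be distinguished from an escaped one after the round trip. If the aim is only to keep the output inert when it is embedded in an HTML page, JSON unicode escapes achieve that and still parse back to the original characters: `json_dump = json_dump.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')`. `to_json` begins above the hunk, so existing callers that expect the entity form would need checking first.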
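Review bot: The assertions added to `test_to_json` are each guarded by an `if`, so they are skipped whenever the expected marker is absent from `output`. None of them states the property the escape exists for, namely that no raw angle bracket survives serialization. An unconditional `assert '<' not in output and '>' not in output` would fail loudly if the escaping regressed, independently of the parametrized expected strings (which appear entity-decoded in this rendering). The `pretty=True` result is compared only with `pretty_printed` and is never passed through the new checks, so it deserves the same assertion.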
From: Benjamin Webb Date: Tue, 31 Mar 2026 09:39:45 -0400 Subject: [PATCH 2/2] Fix flake8 --- pygeoapi/util.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pygeoapi/util.py b/pygeoapi/util.py index 06125b61a..1e9118798 100644 --- a/pygeoapi/util.py +++ b/pygeoapi/util.py @@ -265,11 +265,10 @@ def to_json(dict_: dict, pretty: bool = False) -> str: json_dump = json.dumps(dict_, default=json_serial, indent=indent, separators=(',', ':')) - LOGGER.debug('Removing < and >') + LOGGER.debug('Escaping < and >') json_dump = json_dump.replace('<', '<') json_dump = json_dump.replace('>', '>') - return json_dump