[airflow] 09/37: Fix json string escape in tree view (#8551)

[potiuk]

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit ff6c2f7dd410abd2d121a07297b8ce2fae7c175e
Author: QP Hou <q...@scribd.com>
AuthorDate: Mon Apr 27 07:33:12 2020 -0700

    Fix json string escape in tree view (#8551)
    
    close #8523.
    
    (cherry-picked from bcbd888)
---
 airflow/www_rbac/views.py    |  8 ++++++--
 tests/www_rbac/test_views.py | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/airflow/www_rbac/views.py b/airflow/www_rbac/views.py
index be7a384..55a10e9 100644
--- a/airflow/www_rbac/views.py
+++ b/airflow/www_rbac/views.py
@@ -1524,6 +1524,11 @@ class Airflow(AirflowBaseView):
         external_logs = conf.get('elasticsearch', 'frontend')
         doc_md = wwwutils.wrapped_markdown(getattr(dag, 'doc_md', None), 
css_class='dag-doc')
 
+        # avoid spaces to reduce payload size
+        data = htmlsafe_json_dumps(data, separators=(',', ':'))
+        # escape slashes to avoid JSON parse error in JS
+        data = data.replace('\\', '\\\\')
+
         return self.render_template(
             'airflow/tree.html',
             operators=sorted({op.task_type: op for op in dag.tasks}.values(),
@@ -1532,8 +1537,7 @@ class Airflow(AirflowBaseView):
             form=form,
             dag=dag,
             doc_md=doc_md,
-            # avoid spaces to reduce payload size
-            data=htmlsafe_json_dumps(data, separators=(',', ':')),
+            data=data,
             blur=blur, num_runs=num_runs,
             show_external_logs=bool(external_logs))
 
diff --git a/tests/www_rbac/test_views.py b/tests/www_rbac/test_views.py
index 2824184..c668227 100644
--- a/tests/www_rbac/test_views.py
+++ b/tests/www_rbac/test_views.py
@@ -580,6 +580,25 @@ class TestAirflowBaseViews(TestBase):
         mock_get_dag.assert_called_once_with('example_bash_operator')
         self.check_content_in_response('example_bash_operator', resp)
 
+    @parameterized.expand([
+        ("hello\nworld", "hello\\\\nworld"),
+        ("hello'world", "hello\\\\u0027world"),
+        ("<script>", "\\\\u003cscript\\\\u003e"),
+    ])
+    def test_escape_in_tree_view(self, test_str, seralized_test_str):
+        dag = self.dagbag.dags['test_tree_view']
+        dag.create_dagrun(
+            run_id=self.run_id,
+            execution_date=self.EXAMPLE_DAG_DEFAULT_DATE,
+            start_date=timezone.utcnow(),
+            state=State.RUNNING,
+            conf={"abc": test_str},
+        )
+
+        url = 'tree?dag_id=test_tree_view'
+        resp = self.client.get(url, follow_redirects=True)
+        
self.check_content_in_response('"conf":{{"abc":"{}"}}'.format(seralized_test_str),
 resp)
+
     def test_dag_details_trigger_origin_tree_view(self):
         dag = self.dagbag.dags['test_tree_view']
         dag.create_dagrun(