Escape special characters in HTML like labels in Dot output

Todo items with " & < or > were not properly rendered because they were not escaped. Thanks to Jacob Leemaster for the bug report.

Escape special characters in HTML like labels in Dot output
Todo items with " & < or > were not properly rendered because they were not escaped. Thanks to Jacob Leemaster for the bug report.
e91e9cab · Bram Schoenmakers · 8737faa1 · e91e9cab · e91e9cab · e91e9cab
Commit e91e9cab authored Jan 10, 2017 by Bram Schoenmakers
Showing with 15 additions and 2 deletions

test/data/ListCommandDotTest.txt test/data/ListCommandDotTest.txt +1 -0

test/data/ListCommandTest.dot test/data/ListCommandTest.dot +3 -1

topydo/lib/printers/Dot.py topydo/lib/printers/Dot.py +11 -1

No files found.
--- a/test/data/ListCommandDotTest.txt
+++ b/test/data/ListCommandDotTest.txt
@@ -5,3 +5,4 @@

 (C) 13 + 29 = 42
 x 2014-12-12 Completed but with date:2014-12-12
+(C) Special characters <"&>
--- a/test/data/ListCommandTest.dot
+++ b/test/data/ListCommandTest.dot
@@ -4,11 +4,13 @@ node [ shape="none" margin="0" fontsize="9" fontname="Helvetica" ]
  _3 [label=<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top"><TR><TD><B>3</B></TD><TD BALIGN="LEFT"><B>Baz @Context1 +Project1</B></TD></TR><HR/><TR><TD ALIGN="RIGHT">Prio:</TD><TD ALIGN="LEFT">C</TD></TR></TABLE>> style=filled fillcolor="#008000" fontcolor="#ffffff"]
  _4 [label=<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top"><TR><TD><B>4</B></TD><TD BALIGN="LEFT"><B>Drink beer @ home</B></TD></TR><HR/><TR><TD ALIGN="RIGHT">Prio:</TD><TD ALIGN="LEFT">C</TD></TR></TABLE>> style=filled fillcolor="#008000" fontcolor="#ffffff"]
  _5 [label=<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top"><TR><TD><B>5</B></TD><TD BALIGN="LEFT"><B>13 + 29 = 42</B></TD></TR><HR/><TR><TD ALIGN="RIGHT">Prio:</TD><TD ALIGN="LEFT">C</TD></TR></TABLE>> style=filled fillcolor="#008000" fontcolor="#ffffff"]
+  _7 [label=<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top"><TR><TD><B>7</B></TD><TD BALIGN="LEFT"><B>Special characters &lt;&quot;&amp;&gt;</B></TD></TR><HR/><TR><TD ALIGN="RIGHT">Prio:</TD><TD ALIGN="LEFT">C</TD></TR></TABLE>> style=filled fillcolor="#008000" fontcolor="#ffffff"]
  _2 [label=<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top"><TR><TD><B>2</B></TD><TD BALIGN="LEFT"><B>Bar @Context1 +Project2</B></TD></TR><HR/><TR><TD ALIGN="RIGHT">Prio:</TD><TD ALIGN="LEFT">D</TD></TR></TABLE>> style=filled fillcolor="#008000" fontcolor="#ffffff"]
  _6 [label=<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top"><TR><TD><B>6</B></TD><TD BALIGN="LEFT"><B><S>Completed but with</S></B></TD></TR></TABLE>> style=filled fillcolor="#008000" fontcolor="#ffffff"]
  _3 -> _2
  _1 -> _4 [style="invis"]
  _4 -> _5 [style="invis"]
-  _5 -> _6 [style="invis"]
+  _5 -> _7 [style="invis"]
+  _7 -> _6 [style="invis"]
 }

--- a/topydo/lib/printers/Dot.py
+++ b/topydo/lib/printers/Dot.py
@@ -40,6 +40,16 @@ class DotPrinter(Printer):
            """
            Prints an HTML table for a node label with some todo details.
            """
+            def escape_dot_label(p_string):
+                """
+                HTML like labels in Dot may not have raw ampersands, quotes or
+                angle brackets. These should be properly replaced with the
+                escaped character notation.
+                """
+
+                return p_string.replace('&', '&amp;').replace('"', '&quot;').replace(
+                    '<', '&lt;').replace('>', '&gt;')
+
            node_result = '<<TABLE CELLBORDER="0" CELLSPACING="1" VALIGN="top">'

            def print_row(p_value1, p_value2):
@@ -48,7 +58,7 @@ class DotPrinter(Printer):
            node_result += '<TR><TD><B>{}</B></TD><TD BALIGN="LEFT"><B>{}{}{}</B></TD></TR>'.format(
                self.todolist.number(p_todo),
                "<S>" if todo.is_completed() else "",
-                "<BR />".join(wrap(p_todo.text(), 35)),
+                "<BR />".join(map(escape_dot_label, wrap(p_todo.text(), 35))),
                "</S>" if todo.is_completed() else "",
            )