wtf is xss? - also overridable size def for mselects

project.clj

@@ -1,4 +1,4 @@
-(defproject joshavg/formulare "0.3.3-SNAPSHOT"
+(defproject joshavg/formulare "0.4.0-SNAPSHOT"
   :description "Forms hiccup style"
   :url "https://gitea.heevyis.ninja/josha/formulare.git"
   :scm {:name "git" :url "https://gitea.heevyis.ninja/josha/formulare.git"}

src/formulare/core.clj

@@ -2,8 +2,9 @@
   (:require [formulare.theme :as theme]
             [clojure.spec.alpha :as spec]
             [clojure.spec.test.alpha :as spectest]
-            [hiccup.form :as hform]
-            [hiccup.core :as hcore]
+            [hiccup
+             [form :as hform]
+             [core :as hcore]]
             [ring.util.anti-forgery :refer [anti-forgery-field]]))
 
 (spec/def ::label string?)

src/formulare/theme.clj

@@ -1,6 +1,8 @@
 (ns formulare.theme
   (:require [clojure.spec.alpha :as spec]
-            [hiccup.form :as hform]))
+            [hiccup
+             [form :as hform]
+             [core :as hcore]]))
 
 (defn row [& content] content)
 
@@ -15,9 +17,11 @@
     (fn [prob]
       [:p
        "Field "
-       [:span.flash__field (:label field-def)]
+       [:span.flash__field
+        (hcore/h (:label field-def))]
        " must comply to "
-       [:span.flash__pred (:pred prob)]])
+       [:span.flash__pred
+        (hcore/h (:pred prob))]])
     (:clojure.spec.alpha/problems
      (spec/explain-data (:spec field-def)
                         field-value)))))
@@ -27,7 +31,7 @@
                        (spec/explain-data % req))
                      (:form-specs form-def))]
     (err-msg [:p "The form must comply to "
-              (:pred prob)])))
+              (hcore/h (:pred prob))])))
 
 (defn label [field-id field-def]
   (when-not (= :hidden (:widget field-def))
@@ -57,14 +61,17 @@
 (defn multiselect-widget [id def value]
   (let [options (:options def)]
     [:select {:multiple "multiple"
-              :size 5
+              :size (:size def 5)
               :name (name id)
               :id (name id)}
      (for [option options]
        [:option {:value (second option)
                  :selected (some? (some (partial = (second option))
                                         value))}
-        (first option)])]))
+        (hcore/h (first option))])]))
+
+(comment
+  (multiselect-widget :id {:options [["<>" "key"]]} {}))
 
 (defn hidden-widget [id def value]
   (hform/hidden-field id value))

test/formulare/core_test.clj

@@ -277,10 +277,21 @@
                :form-specs [(fn [req] false)]}]
       (is (= [:section.flash--error
               [:h2.flash__heading--error "Warning"]
-              [:p "The form must comply to "
-               :clojure.spec.alpha/unknown]]
+              [:p "The form must comply to " (name :clojure.spec.alpha/unknown)]]
              (first
               (render-widgets
                def
                {}
                {:params {:__form-hash (form-hash def {})}})))))))
+
+(deftest html-contents-are-escaped
+  (testing "mselect"
+    (let [def {:fields {:foo {:widget :mselect
+                              :options [["<>" "key1"]]}}}]
+      (is (= [:option {:value "key1" :selected false} "&lt;&gt;"]
+             (-> (render-widgets def {} {})
+                 (nthrest 2)
+                 first
+                 (nth 2)
+                 (nth 2)
+                 first))))))