# HG changeset patch
# User Mads Kiilerich <mads@kiilerich.com>
# Date 1604770053 -3600
# Node ID 642fa51e0d0b6039e9f40f2ed5897d52b6cd80fc
# Parent  eed44652346d67ae6ba5c1ccc6b56bf865250758
lib: move js escaping from helpers to webutils

It was no real problem it lived in helpers: it was only used from templates
anyway.

But for completeness and correctness, move all web utils to webutils.

diff -r eed44652346d -r 642fa51e0d0b kallithea/lib/helpers.py
--- a/kallithea/lib/helpers.py	Fri Nov 06 21:15:20 2020 +0100
+++ b/kallithea/lib/helpers.py	Sat Nov 07 18:27:33 2020 +0100
@@ -18,7 +18,6 @@
 available to Controllers. This module is available to both as 'h'.
 """
 import hashlib
-import json
 import logging
 import re
 import textwrap
@@ -47,15 +46,16 @@
 # SCM FILTERS available via h.
 #==============================================================================
 from kallithea.lib.vcs.utils import author_email, author_name
-from kallithea.lib.webutils import (HTML, Option, canonical_url, checkbox, chop_at, end_form, escape, form, format_byte_size, hidden, html_escape, link_to,
-                                    literal, password, pop_flash_messages, radio, reset, safeid, select, session_csrf_secret_name, session_csrf_secret_token,
-                                    submit, text, textarea, truncate, url, wrap_paragraphs)
+from kallithea.lib.webutils import (HTML, Option, canonical_url, checkbox, chop_at, end_form, escape, form, format_byte_size, hidden, html_escape, js, jshtml,
+                                    link_to, literal, password, pop_flash_messages, radio, reset, safeid, select, session_csrf_secret_name,
+                                    session_csrf_secret_token, submit, text, textarea, truncate, url, wrap_paragraphs)
 from kallithea.model import db
 from kallithea.model.changeset_status import ChangesetStatusModel
 
 
 # mute pyflakes "imported but unused"
 # from webutils
+assert HTML
 assert Option
 assert canonical_url
 assert checkbox
@@ -64,6 +64,8 @@
 assert form
 assert format_byte_size
 assert hidden
+assert js
+assert jshtml
 assert password
 assert pop_flash_messages
 assert radio
@@ -93,51 +95,6 @@
 log = logging.getLogger(__name__)
 
 
-def js(value):
-    """Convert Python value to the corresponding JavaScript representation.
-
-    This is necessary to safely insert arbitrary values into HTML <script>
-    sections e.g. using Mako template expression substitution.
-
-    Note: Rather than using this function, it's preferable to avoid the
-    insertion of values into HTML <script> sections altogether. Instead,
-    data should (to the extent possible) be passed to JavaScript using
-    data attributes or AJAX calls, eliminating the need for JS specific
-    escaping.
-
-    Note: This is not safe for use in attributes (e.g. onclick), because
-    quotes are not escaped.
-
-    Because the rules for parsing <script> varies between XHTML (where
-    normal rules apply for any special characters) and HTML (where
-    entities are not interpreted, but the literal string "</script>"
-    is forbidden), the function ensures that the result never contains
-    '&', '<' and '>', thus making it safe in both those contexts (but
-    not in attributes).
-    """
-    return literal(
-        ('(' + json.dumps(value) + ')')
-        # In JSON, the following can only appear in string literals.
-        .replace('&', r'\x26')
-        .replace('<', r'\x3c')
-        .replace('>', r'\x3e')
-    )
-
-
-def jshtml(val):
-    """HTML escapes a string value, then converts the resulting string
-    to its corresponding JavaScript representation (see `js`).
-
-    This is used when a plain-text string (possibly containing special
-    HTML characters) will be used by a script in an HTML context (e.g.
-    element.innerHTML or jQuery's 'html' method).
-
-    If in doubt, err on the side of using `jshtml` over `js`, since it's
-    better to escape too much than too little.
-    """
-    return js(escape(val))
-
-
 def FID(raw_id, path):
     """
     Creates a unique ID for filenode based on it's hash of path and revision
diff -r eed44652346d -r 642fa51e0d0b kallithea/lib/webutils.py
--- a/kallithea/lib/webutils.py	Fri Nov 06 21:15:20 2020 +0100
+++ b/kallithea/lib/webutils.py	Sat Nov 07 18:27:33 2020 +0100
@@ -20,6 +20,7 @@
 imported anywhere - just like the global variables can be used everywhere.
 """
 
+import json
 import logging
 import random
 
@@ -256,3 +257,52 @@
     The return value is a list of ``Message`` objects.
     """
     return [_Message(category, message) for category, message in _session_flash_messages(clear=True)]
+
+
+#
+# Generic-ish formatting and markup
+#
+
+def js(value):
+    """Convert Python value to the corresponding JavaScript representation.
+
+    This is necessary to safely insert arbitrary values into HTML <script>
+    sections e.g. using Mako template expression substitution.
+
+    Note: Rather than using this function, it's preferable to avoid the
+    insertion of values into HTML <script> sections altogether. Instead,
+    data should (to the extent possible) be passed to JavaScript using
+    data attributes or AJAX calls, eliminating the need for JS specific
+    escaping.
+
+    Note: This is not safe for use in attributes (e.g. onclick), because
+    quotes are not escaped.
+
+    Because the rules for parsing <script> varies between XHTML (where
+    normal rules apply for any special characters) and HTML (where
+    entities are not interpreted, but the literal string "</script>"
+    is forbidden), the function ensures that the result never contains
+    '&', '<' and '>', thus making it safe in both those contexts (but
+    not in attributes).
+    """
+    return literal(
+        ('(' + json.dumps(value) + ')')
+        # In JSON, the following can only appear in string literals.
+        .replace('&', r'\x26')
+        .replace('<', r'\x3c')
+        .replace('>', r'\x3e')
+    )
+
+
+def jshtml(val):
+    """HTML escapes a string value, then converts the resulting string
+    to its corresponding JavaScript representation (see `js`).
+
+    This is used when a plain-text string (possibly containing special
+    HTML characters) will be used by a script in an HTML context (e.g.
+    element.innerHTML or jQuery's 'html' method).
+
+    If in doubt, err on the side of using `jshtml` over `js`, since it's
+    better to escape too much than too little.
+    """
+    return js(escape(val))