fix: URL-encode programming language filter values in resource list (#2079)

Signed-off-by: uttam282005 <uttam282005@gmail.com>

Author: uttam282005

scanpipe/templates/scanpipe/panels/scan_summary_panel.html

@@ -57,7 +57,7 @@
             {% for entry in scan_summary.primary_language %}
               {% if entry.value %}
                 <li>
-                  <a href="{% url 'project_resources' project.slug %}?programming_language={{ entry.value }}" target="_blank">
+                  <a href="{% url 'project_resources' project.slug %}?programming_language={{ entry.value|urlencode }}" target="_blank">
                   {{ entry.value }}
                   {% if entry.count %}
                     <span class="tag is-rounded">
@@ -123,7 +123,7 @@
           <ul>
             {% for entry in scan_summary.other_languages %}
               {% if entry.value %}
-                <a href="{% url 'project_resources' project.slug %}?programming_language={{ entry.value }}" target="_blank">
+                <a href="{% url 'project_resources' project.slug %}?programming_language={{ entry.value|urlencode }}" target="_blank">
                   <li>
                     {{ entry.value }}
                     {% if entry.count %}

scanpipe/templates/scanpipe/project_charts.html

@@ -152,7 +152,7 @@ <h3 class="title is-4 has-text-centered mb-3">
               // Keep in sync with FilterSetUtilsMixin.(empty_value|other_value)
               if (name === "(No value detected)") name = "_EMPTY_";
               if (name === "Other") name = "_OTHER_";
-              let full_url = `${base_url}?${field}=${name}`;
+              let full_url = `${base_url}?${field}=${encodeURIComponent(name)}`;
               if (in_package) full_url += `&in_package=${in_package}`;
               if (event.ctrlKey || event.metaKey) window.open(full_url, '_blank');
               else window.location.href = full_url;

scanpipe/templates/scanpipe/resource_list.html

@@ -54,7 +54,7 @@
               <a href="?extension={{ resource.extension }}" class="is-black-link">{{ resource.extension }}</a>
             </td>
             <td class="break-all">
-              <a href="?programming_language={{ resource.programming_language }}" class="is-black-link">{{ resource.programming_language }}</a>
+              <a href="?programming_language={{ resource.programming_language|urlencode }}" class="is-black-link">{{ resource.programming_language }}</a>
             </td>
             <td class="break-all">
               <a href="?mime_type={{ resource.mime_type }}" class="is-black-link">{{ resource.mime_type }}</a>

scanpipe/tests/test_api.py

@@ -788,6 +788,18 @@ def test_scanpipe_api_project_action_resources_filterset(self):
         response = self.csrf_client.get(url + "?slug=aaa")
         self.assertEqual(2, response.data["count"])
 
+    def test_scanpipe_api_project_action_resources_filterset_special_chars(self):
+        make_resource_file(
+            self.project1,
+            path="csharp_file.cs",
+            programming_language="C#",
+        )
+        url = reverse("project-resources", args=[self.project1.uuid])
+        response = self.csrf_client.get(url + "?programming_language=C%23")
+        self.assertEqual(1, response.data["count"])
+        self.assertEqual("csharp_file.cs", response.data["results"][0]["path"])
+        self.assertEqual("C#", response.data["results"][0]["programming_language"])
+
     def test_scanpipe_api_project_action_packages(self):
         url = reverse("project-packages", args=[self.project1.uuid])
         response = self.csrf_client.get(url)

scanpipe/tests/test_views.py

@@ -590,6 +590,18 @@ def test_scanpipe_views_project_details_scan_summary_panels(self):
         self.assertContains(response, expected1)
         self.assertContains(response, expected2)
 
+    def test_scanpipe_views_project_details_scan_summary_language_url_encoding(self):
+        summary_file = self.project1.get_output_file_path("summary", "json")
+        scan_summary_json = {
+            "primary_language": [{"value": "C#", "count": 1}],
+            "other_languages": [{"value": "C#", "count": 1}],
+        }
+        summary_file.write_text(json.dumps(scan_summary_json))
+        url = self.project1.get_absolute_url()
+        response = self.client.get(url)
+        self.assertContains(response, "?programming_language=C%23")
+        self.assertNotContains(response, "?programming_language=C#")
+
     def test_scanpipe_views_project_details_get_license_clarity_data(self):
         get_license_clarity_data = ProjectDetailView.get_license_clarity_data
 
@@ -1039,6 +1051,17 @@ def test_scanpipe_views_codebase_resource_list_view_bad_search_query(self):
         expected_error = "The provided search value is invalid: No closing quotation"
         self.assertContains(response, expected_error)
 
+    def test_scanpipe_views_codebase_resource_list_programming_language_url_encoding(
+        self,
+    ):
+        make_resource_file(
+            self.project1, path="csharp_file.cs", programming_language="C#"
+        )
+        url = reverse("project_resources", args=[self.project1.slug])
+        response = self.client.get(url)
+        self.assertContains(response, "?programming_language=C%23")
+        self.assertNotContains(response, "?programming_language=C#")
+
     def test_scanpipe_views_codebase_resource_details_view_tab_image(self):
         resource1 = make_resource_file(self.project1, "file1.ext")
         response = self.client.get(resource1.get_absolute_url())