From 462a3169cd842808cb1301097673c1478536cb05 Mon Sep 17 00:00:00 2001
From: Klaas van Schelven
Date: Wed, 30 Jul 2025 12:37:27 +0200
Subject: [PATCH] Add one more test that proves safe use of mark_safe

See #175
---
 theme/templatetags/issues.py | 2 +-
 theme/tests.py | 25 ++++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/theme/templatetags/issues.py b/theme/templatetags/issues.py
index 5e2034d..f1f4606 100644
--- a/theme/templatetags/issues.py
+++ b/theme/templatetags/issues.py
@@ -256,7 +256,7 @@ def incomplete(value):
 
 
 def _date_with_milis_html(timestamp):
-    # no_bandit_expl: constant string w/ substitution of dates/milis (escaped even)
+    # no_bandit_expl: constant string w/ substitution of dates/milis (escaped even), see also TimestampWithMillisTagTest
     return (
         mark_safe('') +  # nosec
         escape(date(timestamp, "j M G:i:s")) + mark_safe(".") +  # nosec
diff --git a/theme/tests.py b/theme/tests.py
index 45b2c5c..da4f2c6 100644
--- a/theme/tests.py
+++ b/theme/tests.py
@@ -1,11 +1,13 @@
 from unittest import TestCase as RegularTestCase
 
 from django.utils.safestring import SafeString
+from django.utils.html import conditional_escape
 
 from bugsink.pygments_extensions import choose_lexer_for_pattern, get_all_lexers
 from events.utils import IncompleteList, IncompleteDict
 
-from .templatetags.issues import _pygmentize_lines as actual_pygmentize_lines, format_var, pygmentize
+from .templatetags.issues import (
+    _pygmentize_lines as actual_pygmentize_lines, format_var, pygmentize, timestamp_with_millis)
 
 
 def _pygmentize_lines(lines):
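Review bot: The updated comment on `_date_with_milis_html` now points at `TimestampWithMillisTagTest` but still does not state the property that justifies the `# nosec` markers on the following lines, which is what a reader of this hunk has to verify; spelling it out next to the cross-reference would make the comment self-contained, e.g. `# no_bandit_expl: only literal strings are passed to mark_safe(); every dynamic part goes through escape() — see TimestampWithMillisTagTest in theme/tests.py`. Naming the test file as well as the class keeps the reference greppable if the class is ever renamed. The body of `_date_with_milis_html` continues past the hunk, so this assumes the remaining lines follow the same literal-vs-escaped split as the two visible ones.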
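Review bot: The new `from django.utils.html import conditional_escape` line is placed after `from django.utils.safestring import SafeString`, which leaves the django import group out of alphabetical order; swapping the two lines keeps the group sorted as an import linter would expect. The parenthesized `.templatetags.issues` import is fine, though putting the closing paren on its own line with a trailing comma would let later additions show up as single-line diffs.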
@@ -173,3 +175,24 @@ class TestPygmentizeEscapeMarkSafe(RegularTestCase):
         # pygmentize does" is not very useful, as it may change in the future.
         self.assertFalse("" in line)
+
+
+class TimestampWithMillisTagTest(RegularTestCase):
+    def test_float_input_produces_expected_safe_string(self):
+        ts = 1620130245.1234
+
+        self.assertEqual(
+            '4 May 12:10:45.123',
+            timestamp_with_millis(ts))
+
+        self.assertTrue(isinstance(timestamp_with_millis(ts), SafeString))
+
+    def test_timestamp_with_milis_is_not_a_target_for_html_injection(self):
+        # even though the string input is returned as-is for this case, the tag will not mark it as safe in the process.
+        ts = ""
+
+        self.assertEqual(
+            '<script>alert('hello');</script>',
+            conditional_escape(timestamp_with_millis(ts)))
+
+        self.assertFalse(isinstance(timestamp_with_millis(ts), SafeString))
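Review bot: The expected value `'4 May 12:10:45.123'` in `test_float_input_produces_expected_safe_string` is the UTC rendering of `1620130245.1234`, so if `timestamp_with_millis` (defined outside this hunk) formats through Django's `date` filter or otherwise honours `TIME_ZONE`, the assertion only holds under a UTC-configured settings module; wrapping the assertions in `with override_settings(TIME_ZONE='UTC'):` or adding a comment that the test assumes UTC would make that dependency explicit. Both tests call `timestamp_with_millis(ts)` twice; binding it once, `result = timestamp_with_millis(ts)`, and checking it with `self.assertIsInstance(result, SafeString)` / `self.assertNotIsInstance(result, SafeString)` gives a clearer failure message than `assertTrue(isinstance(...))`. The method name `test_timestamp_with_milis_...` spells "millis" differently from the tag it exercises, which makes it harder to find by search.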