workaround to allow double-quotes in hook-commands (#61)

docs/source/usage/repositories.rst

@@ -73,7 +73,7 @@ If you want to run multiple ones - they need to be comma-separated.
 
 These hooks will not be processed if you override the actual create/update command.
 
-**Note**: For security reasons (XSS) these characters are not allowed: :code:`& < > "`
+**Note**: For security reasons (XSS) these characters are currently not allowed: :code:`< >`
 
 ----
 

src/ansibleguy-webui/aw/api_endpoints/base.py

@@ -96,8 +96,9 @@ def not_implemented(*args, **kwargs):
 def validate_no_xss(value: str, field: str, shell_cmd: bool = False):
     if is_set(value) and isinstance(value, str):
         if shell_cmd:
-            # allow single-quotes
+            # ignore characters shell-commands may need
             value = value.replace("'", '')
+            value = value.replace('&', '')
 
         if value != escape_html(value):
             raise ValidationError(f"Found illegal characters in field '{field}'")

src/ansibleguy-webui/aw/api_endpoints/repository.py

@@ -31,6 +31,7 @@ def validate(self, attrs: dict):
         for field in Repository.api_fields_write:
             if field in attrs:
                 if field in Repository.fields_shell_cmds:
+                    attrs[field] = attrs[field].replace('"', "''")
                     validate_no_xss(value=attrs[field], field=field, shell_cmd=True)
 
                 else:

src/ansibleguy-webui/aw/execute/repository.py

@@ -197,6 +197,7 @@ def _repo_process(self, cmd: str, env: dict):
     def _run_repo_config_cmds(self, cmds: str, env: dict):
         if is_set(cmds):
             for cmd in cmds.split(','):
+                cmd = cmd.replace("''", '"')
                 self._repo_process(cmd=cmd, env=env)
 
     def _git_origin_with_credentials(self) -> str: