Fix to_json escape (#2310)

* Fix to_json escape

* Fix flake8

Author: webb-ben

pygeoapi/util.py

@@ -265,8 +265,9 @@ def to_json(dict_: dict, pretty: bool = False) -> str:
     json_dump = json.dumps(dict_, default=json_serial, indent=indent,
                            separators=(',', ':'))
 
-    LOGGER.debug('Removing < and >')
-    json_dump = json_dump.replace('<', '&lt').replace('>', '&gt')
+    LOGGER.debug('Escaping < and >')
+    json_dump = json_dump.replace('<', '&lt;')
+    json_dump = json_dump.replace('>', '&gt;')
 
     return json_dump
 

tests/other/test_util.py

@@ -33,6 +33,7 @@
 from io import StringIO
 from unittest import mock
 import uuid
+from xml.sax.saxutils import unescape
 
 import pytest
 
@@ -77,13 +78,20 @@ def test_get_typed_value():
 @pytest.mark.parametrize('data,minified,pretty_printed', [
     [{'foo': 'bar'}, '{"foo":"bar"}', '{\n    "foo":"bar"\n}'],
     [{'foo<script>alert("hi")</script>': 'bar'},
-     '{"foo&ltscript&gtalert(\\"hi\\")&lt/script&gt":"bar"}',
-     '{\n    "foo&ltscript&gtalert(\\"hi\\")&lt/script&gt":"bar"\n}']
+     '{"foo&lt;script&gt;alert(\\"hi\\")&lt;/script&gt;":"bar"}',
+     '{\n    "foo&lt;script&gt;alert(\\"hi\\")&lt;/script&gt;":"bar"\n}']
 ])
 def test_to_json(data, minified, pretty_printed):
-    assert util.to_json(data) == minified
+    output = util.to_json(data)
+    assert output == minified
     assert util.to_json(data, pretty=True) == pretty_printed
 
+    unescaped_output = unescape(output)
+    if '&lt;' in output:
+        assert '<' in unescaped_output
+    if '&gt;' in output:
+        assert '>' in unescaped_output
+
 
 def test_yaml_load(config):
     assert isinstance(config, dict)