From 45a1756e979c13854c4191ef0c467734cf37c370 Mon Sep 17 00:00:00 2001
From: Ole Magnus Fon Johnsen <me@omfj.no>
Date: Mon, 28 Jul 2025 14:36:56 +0200
Subject: [PATCH] Use format_html

---
 src/staff/mixins.py                  | 16 +++++++++------
 src/staff/tables.py                  | 27 +++++++++++++++----------
 src/staff/templatetags/order_tags.py | 30 +++++++++++++++++-----------
 3 files changed, 44 insertions(+), 29 deletions(-)

diff --git a/src/staff/mixins.py b/src/staff/mixins.py
index 3bf73a46..cfe8d21a 100644
--- a/src/staff/mixins.py
+++ b/src/staff/mixins.py
@@ -3,8 +3,8 @@
 import django_tables2 as tables
 from django.db.models import Case, IntegerField, Value, When
 from django.db.models.query import QuerySet
+from django.utils.html import format_html
 from django.utils.http import url_has_allowed_host_and_scheme
-from django.utils.safestring import mark_safe
 from django.views.generic import View
 
 from genlab_bestilling.models import (
@@ -27,7 +27,7 @@ def render_id(
     ) -> str:
         url = record.get_absolute_staff_url()
 
-        return mark_safe(f'<a href="{url}">{record}</a>')  # noqa: S308
+        return format_html('<a href="{}">{}</a>', url, str(record))
 
 
 def render_status_helper(status: Order.OrderStatus) -> str:
@@ -46,8 +46,10 @@ def render_status_helper(status: Order.OrderStatus) -> str:
     classes = status_colors.get(status, "bg-gray-100 text-gray-800")
     text = status_text.get(status, "Unknown")
 
-    return mark_safe(  # noqa: S308
-        f'<span class="px-2 py-1 text-xs font-medium rounded-full text-nowrap {classes}">{text}</span>'  # noqa: E501
+    return format_html(
+        '<span class="px-2 py-1 text-xs font-medium rounded-full text-nowrap {}">{}</span>',  # noqa: E501
+        classes,
+        text,
     )
 
 
@@ -109,8 +111,10 @@ def render_sample_status(self, value: Any, record: Sample) -> str:
         # Use computed status, not value
         color_class = status_colors.get(status, "bg-gray-100 text-gray-800")
 
-        return mark_safe(  # noqa: S308
-            f'<span class="px-2 py-1 text-xs font-medium rounded-full whitespace-nowrap {color_class}">{status}</span>'  # noqa: E501
+        return format_html(
+            '<span class="px-2 py-1 text-xs font-medium rounded-full whitespace-nowrap {}">{}</span>',  # noqa: E501
+            color_class,
+            status,
         )
 
     def order_sample_status(
diff --git a/src/staff/tables.py b/src/staff/tables.py
index d0da9982..cb474fb8 100644
--- a/src/staff/tables.py
+++ b/src/staff/tables.py
@@ -3,6 +3,7 @@
 from typing import Any
 
 import django_tables2 as tables
+from django.utils.html import format_html
 from django.utils.safestring import mark_safe
 
 from genlab_bestilling.models import (
@@ -241,18 +242,16 @@ def render_id(self, record: Any) -> str:
         return str(record)
 
     def render_is_urgent(self, value: bool) -> str:
-        html_exclaimation_mark = (
-            "<i class='fa-solid fa-exclamation text-red-500 fa-2x' title='Urgent'></i>"
-        )
         if value:
-            return mark_safe(html_exclaimation_mark)  # noqa: S308
+            return mark_safe(
+                "<i class='fa-solid fa-exclamation text-red-500 fa-2x' title='Urgent'></i>"  # noqa: E501
+            )
         return ""
 
     def render_is_seen(self, value: bool) -> str:
         if not value:
             return mark_safe(
-                '<i class="fa-solid fa-bell text-yellow-500" '
-                'title="New within 24h"></i>'
+                '<i class="fa-solid fa-bell text-yellow-500" title="New within 24h"></i>'  # noqa: E501
             )
         return ""
 
@@ -307,7 +306,9 @@ def render_plate_positions(self, value: Any) -> str:
         return ""
 
     def render_checked(self, record: Any) -> str:
-        return mark_safe(f'<input type="checkbox" name="checked" value="{record.id}">')  # noqa: S308
+        return format_html(
+            '<input type="checkbox" name="checked" value="{}">', record.id
+        )
 
     def order_name(
         self, records: Sequence[Any], is_descending: bool
@@ -406,8 +407,10 @@ class Meta:
         order_by = ("genlab_id",)
 
     def render_checked(self, record: Any) -> str:
-        return mark_safe(  # noqa: S308
-            f'<input type="checkbox" name="checked-{record.order.id}" value="{record.id}">'  # noqa: E501
+        return format_html(
+            '<input type="checkbox" name="checked-{}" value="{}">',
+            record.order.id,
+            record.id,
         )
 
 
@@ -481,8 +484,10 @@ class Meta:
         empty_text = "No Samples"
 
     def render_checked(self, record: SampleMarkerAnalysis) -> str:
-        return mark_safe(  # noqa: S308
-            f'<input type="checkbox" name="checked-analysis-{record.order.id}" value="{record.id}">'  # noqa: E501
+        return format_html(
+            '<input type="checkbox" name="checked-analysis-{}" value="{}">',
+            record.order.id,
+            record.id,
         )
 
 
diff --git a/src/staff/templatetags/order_tags.py b/src/staff/templatetags/order_tags.py
index ee15442b..fe9e0aee 100644
--- a/src/staff/templatetags/order_tags.py
+++ b/src/staff/templatetags/order_tags.py
@@ -41,10 +41,11 @@ def responsible_staff_multiselect(order: Order | None = None) -> dict:
 def generate_order_links(orders: list) -> str:
     if not orders:
         return "-"
-    links = [
-        f'<a href="{order.get_absolute_staff_url()}">{order}</a>' for order in orders
-    ]
-    return mark_safe(", ".join(links))  # noqa: S308
+    return format_html_join(
+        ", ",
+        "<a href='{}'>{}</a>",
+        ((order.get_absolute_staff_url(), str(order)) for order in orders),
+    )
 
 
 def render_boolean(value: bool) -> str:
@@ -336,21 +337,26 @@ def analysis_order_detail_table(order: Order) -> dict:
 
 @register.inclusion_tag("../templates/components/order-detail.html")
 def analysis_order_samples_detail_table(order: Order, extraction_orders: dict) -> dict:
-    # Generate links for extraction orders with sample counts
-    extraction_order_links = [
-        f"{generate_order_links([extraction_order])} ({count} sample{'s' if count != 1 else ''})"  # noqa: E501
-        for extraction_order, count in extraction_orders.items()
-    ]
+    extraction_order_links = format_html_join(
+        "<br>",
+        "{} ({})",
+        (
+            (
+                generate_order_links([extraction_order]),
+                f"{count} sample{'s' if count > 1 else ''}",
+            )
+            for extraction_order, count in extraction_orders.items()
+        ),
+    )
 
     fields = {
         "Number of samples": order.samples.count(),
         "Markers": ", ".join(marker.name for marker in order.markers.all())
         if order.markers.exists()
         else "No markers",
-        "Samples from extraction order": mark_safe("<br>".join(extraction_order_links))  # noqa: S308
-        if extraction_order_links
-        else "-",
+        "Samples from extraction order": extraction_order_links or "-",
     }
+
     return {
         "fields": fields,
         "header": "Samples",