Escape object name to avoid XSS, issue #3

2014-06-29 20:10:39 -04:00
parent 316a79c440
commit 1f7b6cac79
1 changed files with 2 additions and 1 deletions
--- a/mayan/apps/history/widgets.py
+++ b/mayan/apps/history/widgets.py
@@ -1,10 +1,11 @@
+from django.utils.html import escape
 from django.utils.safestring import mark_safe


 def history_entry_object_link(entry):
    return mark_safe(u'<a href="%(url)s">%(label)s</a>' % {
        'url': entry.content_object.get_absolute_url() if entry.content_object else u'#',
-        'label': unicode(entry.content_object) if entry.content_object else u''}
+        'label': escape(unicode(entry.content_object)) if entry.content_object else u''}
    )