From 1f7b6cac79ebfca9cf1f239cf26ff99fa43dec65 Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Sun, 29 Jun 2014 20:10:39 -0400
Subject: [PATCH] Escape object name to avoid XSS, issue #3

---
 mayan/apps/history/widgets.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mayan/apps/history/widgets.py b/mayan/apps/history/widgets.py
index a439a92ebd..8d4c9c160b 100644
--- a/mayan/apps/history/widgets.py
+++ b/mayan/apps/history/widgets.py
@@ -1,10 +1,11 @@
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 def history_entry_object_link(entry):
     return mark_safe(u'%(label)s' % {
         'url': entry.content_object.get_absolute_url() if entry.content_object else u'#',
-        'label': unicode(entry.content_object) if entry.content_object else u''}
+        'label': escape(unicode(entry.content_object)) if entry.content_object else u''}
     )
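Review bot: The `'url'` value built from `entry.content_object.get_absolute_url()` is still interpolated into the `mark_safe`'d string unescaped, so only half of the output is covered by this fix; whether that matters depends on whether any model's `get_absolute_url()` can carry user-controlled text (a slug, a filename), which is not visible here, and the format string's markup appears to have been lost in this rendering of the hunk. Rather than wrapping each argument in `escape()` by hand inside a `mark_safe` call, build the link with `django.utils.html.format_html` (Django 1.5+), which escapes every argument and marks the result safe in one step: `from django.utils.html import format_html` and, assuming the anchor the widget name implies, `return format_html(u'<a href="{0}">{1}</a>', entry.content_object.get_absolute_url() if entry.content_object else u'#', unicode(entry.content_object) if entry.content_object else u'')`. If `unicode(entry.content_object)` can already be a `SafeText`, prefer `conditional_escape` semantics (which `format_html` applies) over `escape` to avoid double-escaping `&amp;`. The hunk covers the whole function, so no callers are affected by the signature.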