From 330906001422cc1d525f6a0fd5bdd2e60858d3e9 Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Fri, 20 Jun 2014 19:14:40 -0400
Subject: [PATCH] Escape text in CharFields in the DetailForm to avoid XSS, issue #3

---
 mayan/apps/common/forms.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mayan/apps/common/forms.py b/mayan/apps/common/forms.py
index cf3c0fa0ba..009e8b1705 100644
--- a/mayan/apps/common/forms.py
+++ b/mayan/apps/common/forms.py
@@ -9,6 +9,7 @@ from django.contrib.auth.models import User
 from django.contrib.auth.forms import AuthenticationForm
 from django.contrib.auth import authenticate
 from django.conf import settings
+from django.utils.html import escape
 
 from .utils import return_attrib
 from .widgets import (DetailSelectMultiple, PlainWidget, TextAreaDiv,
@@ -30,8 +31,8 @@ class DetailForm(forms.ModelForm):
             else:
                 self.fields[extra_field['field']] = forms.CharField(
                     label=extra_field['label'],
-                    initial=return_attrib(self.instance,
-                        extra_field['field'], None),
+                    initial=escape(return_attrib(self.instance,
+                        extra_field['field'], None)),
                     widget=PlainWidget)
 
             for field_name, field in self.fields.items():
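Review bot: Wrapping the whole `return_attrib(...)` call in `escape()` on the new `initial=` line changes the meaning of the `None` default: Django's `escape` coerces its argument to text before replacing characters, so an instance that lacks the attribute now gets the literal string `'None'` as its initial value instead of an empty field. Bind the lookup first and only escape a real value, e.g. `value = return_attrib(self.instance, extra_field['field'], None)` followed by `initial=escape(value) if value is not None else None,`. Escaping where `initial` is assigned also only protects data that reaches `PlainWidget` through `initial`; if a `DetailForm` is ever constructed with bound `data`, the bound value takes precedence and would presumably reach the widget unescaped, so it is worth a comment on `PlainWidget` stating that it renders its value as already-safe markup and relies on callers to escape. The enclosing `__init__` and the `if` branch paired with this `else` lie outside the hunk, so whether that other branch needs the same treatment cannot be judged here.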