Escape html read-only values

2021-09-15 22:31:16 +02:00 · 2021-09-15 22:31:16 +02:00 · 5efc493542
parent a34dd656be
commit 5efc493542
1 changed files with 4 additions and 1 deletions
--- a/app/scodoc/TrivialFormulator.py
+++ b/app/scodoc/TrivialFormulator.py
@ -8,6 +8,7 @@

   v 1.3 (python3)
 """
+import html


 def TrivialFormulator(
@ -722,7 +723,9 @@ var {field}_as = new bsn.AutoSuggest('{field}', {field}_opts);
                    if str(descr["allowed_values"][i]) == str(self.values[field]):
                        R.append('<span class="tf-ro-value">%s</span>' % labels[i])
        elif input_type == "textarea":
-            R.append('<div class="tf-ro-textarea">%s</div>' % self.values[field])
+            R.append(
+                '<div class="tf-ro-textarea">%s</div>' % html.escape(self.values[field])
+            )
        elif input_type == "separator" or input_type == "hidden":
            pass
        elif input_type == "file":