Escape html read-only values

This commit is contained in:
Emmanuel Viennet 2021-09-15 22:31:16 +02:00
parent a34dd656be
commit 5efc493542


@ -8,6 +8,7 @@
v 1.3 (python3) v 1.3 (python3)
""" """
import html
def TrivialFormulator( def TrivialFormulator(
@ -722,7 +723,9 @@ var {field}_as = new bsn.AutoSuggest('{field}', {field}_opts);
if str(descr["allowed_values"][i]) == str(self.values[field]): if str(descr["allowed_values"][i]) == str(self.values[field]):
R.append('<span class="tf-ro-value">%s</span>' % labels[i]) R.append('<span class="tf-ro-value">%s</span>' % labels[i])
elif input_type == "textarea": elif input_type == "textarea":
R.append('<div class="tf-ro-textarea">%s</div>' % self.values[field]) R.append(
'<div class="tf-ro-textarea">%s</div>' % html.escape(self.values[field])
)
elif input_type == "separator" or input_type == "hidden": elif input_type == "separator" or input_type == "hidden":
pass pass
elif input_type == "file": elif input_type == "file":
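Review bot: The new `html.escape(self.values[field])` in the textarea branch only accepts a str, so a read-only value that is None or a number — which the old `'%s' % ...` rendered as text — now raises inside html.escape instead of rendering; converting first, `html.escape(str(self.values[field]))`, keeps the previous tolerance while still escaping. The sibling read-only branch just above still interpolates `labels[i]` unescaped into `<span class="tf-ro-value">`; if those labels can carry anything other than developer-controlled text, it presumably needs the same treatment, and other read-only branches of this chain that render `self.values[field]` lie outside the hunk and are worth the same review. A short comment on the escape line, `# read-only values are rendered verbatim into HTML, so escape them`, would record why this branch differs from the others. The enclosing method starts and ends outside the hunk.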