From 5efc493542416052c7a338a10b386a3c097bd0a1 Mon Sep 17 00:00:00 2001 From: Emmanuel Viennet Date: Wed, 15 Sep 2021 22:31:16 +0200 Subject: [PATCH] Escape html read-only values --- app/scodoc/TrivialFormulator.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/app/scodoc/TrivialFormulator.py b/app/scodoc/TrivialFormulator.py index ebe5c52a..eacbfd78 100644 --- a/app/scodoc/TrivialFormulator.py +++ b/app/scodoc/TrivialFormulator.py @@ -8,6 +8,7 @@ v 1.3 (python3) """ +import html def TrivialFormulator( @@ -722,7 +723,9 @@ var {field}_as = new bsn.AutoSuggest('{field}', {field}_opts); if str(descr["allowed_values"][i]) == str(self.values[field]): R.append('%s' % labels[i]) elif input_type == "textarea": - R.append('
%s
' % self.values[field]) + R.append( + '
%s
' % html.escape(self.values[field]) + ) elif input_type == "separator" or input_type == "hidden": pass elif input_type == "file":
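Review bot: The new `html.escape(self.values[field])` in the textarea branch only works when the value is already a `str`; the old `'%s' %` formatting accepted any type, and the comparison two lines above (`str(self.values[field])`) suggests non-string values do reach this code, for which `html.escape` raises (it calls `.replace` on its argument). Coerce first so the read-only rendering stays total: `' % html.escape(str(self.values[field]))`. The neighbouring read-only branch that appends `'%s' % labels[i]` is still interpolated unescaped; if labels can originate outside the code it presumably deserves the same treatment, though that is outside this change. The enclosing function (`TrivialFormulator`'s rendering loop) starts and ends outside the hunk.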