filters: Escape State names when generating selector HTML

States with names containing special characters are not correctly escaped when generating the select list. Use escape() to fix this. Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
author: Andrew Donnellan <ajd@linux.ibm.com> 2019-07-05 13:27:41 +1000
committer: Daniel Axtens <dja@axtens.net> 2019-07-05 14:50:21 +1000
commit: b3fa0c402e060622a5ed539a465d2fa98b1d2e13 (patch)
tree: 8f3790738f2e99aff427f148d11bbc052395fab2
parent: df80e690bcc32d483875dcb36b488764c89ec9b6 (diff)
download: patchwork-b3fa0c402e060622a5ed539a465d2fa98b1d2e13.tar
patchwork-b3fa0c402e060622a5ed539a465d2fa98b1d2e13.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/patchwork/filters.py b/patchwork/filters.py
index e2d2f59..fb644f9 100644
--- a/patchwork/filters.py
+++ b/patchwork/filters.py
@@ -262,7 +262,7 @@ class StateFilter(Filter):
                 selected = ' selected="true"'
 
             out += '<option value="%d" %s>%s</option>' % (
-                state.id, selected, state.name)
+                state.id, selected, escape(state.name))
         out += '</select>'
         return mark_safe(out)
author	Andrew Donnellan <ajd@linux.ibm.com>	2019-07-05 13:27:41 +1000
committer	Daniel Axtens <dja@axtens.net>	2019-07-05 14:50:21 +1000
commit	b3fa0c402e060622a5ed539a465d2fa98b1d2e13 (patch)
tree	8f3790738f2e99aff427f148d11bbc052395fab2
parent	df80e690bcc32d483875dcb36b488764c89ec9b6 (diff)
download	patchwork-b3fa0c402e060622a5ed539a465d2fa98b1d2e13.tar patchwork-b3fa0c402e060622a5ed539a465d2fa98b1d2e13.tar.gz