filters: Escape State names when generating selector HTML

Message ID 20190705032741.22930-1-ajd@linux.ibm.com
State Accepted

Commit Message

Andrew Donnellan July 5, 2019, 3:27 a.m. UTC
States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
---
 patchwork/filters.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Daniel Axtens July 5, 2019, 5:01 a.m. UTC | #1
Thanks, applied.

Andrew Donnellan <ajd@linux.ibm.com> writes:

> States with names containing special characters are not correctly escaped
> when generating the select list. Use escape() to fix this.
>
> Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
> ---
>  patchwork/filters.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/patchwork/filters.py b/patchwork/filters.py
> index e2d2f5958dd4..fb644f982136 100644
> --- a/patchwork/filters.py
> +++ b/patchwork/filters.py
> @@ -262,7 +262,7 @@ class StateFilter(Filter):
>                  selected = ' selected="true"'
>  
>              out += '<option value="%d" %s>%s</option>' % (
> -                state.id, selected, state.name)
> +                state.id, selected, escape(state.name))
>          out += '</select>'
>          return mark_safe(out)
>  
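Review bot: No regression test accompanies the changed `escape(state.name)` line; the diffstat lists only patchwork/filters.py. A test that creates a State whose name contains `<`, `&` or `"` and asserts that the rendered option text is entity-encoded would keep this from regressing. Since the diffstat shows a single changed line, also confirm that `escape` is already imported in filters.py, because the hunk adds no import.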
> -- 
> 2.20.1
>
> _______________________________________________
> Patchwork mailing list
> Patchwork@lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/patchwork

Patch

diff --git a/patchwork/filters.py b/patchwork/filters.py
index e2d2f5958dd4..fb644f982136 100644
--- a/patchwork/filters.py
+++ b/patchwork/filters.py
@@ -262,7 +262,7 @@  class StateFilter(Filter):
                 selected = ' selected="true"'
 
             out += '<option value="%d" %s>%s</option>' % (
-                state.id, selected, state.name)
+                state.id, selected, escape(state.name))
         out += '</select>'
         return mark_safe(out)
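
Review bot: The `mark_safe(out)` at the end of this hunk marks the whole hand-built string as safe, so every value interpolated into `out` has to be escaped by hand, and this bug shows how easily one is missed. In the visible lines `state.id` goes through `%d` and `selected` is assigned a literal, so the name was the exposed field here, but building each option with Django's `format_html()` would escape its arguments automatically and remove the need to remember `escape()` at each interpolation.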