[work] filters: Escape State names when generating selector HTML

Submitted by Armin Kuster on July 8, 2019, 3:47 p.m. | Patch ID: 162882

Details

Message ID 1562600836-17458-2-git-send-email-akuster808@gmail.com
State Accepted, archived
Delegated to: Armin Kuster

Commit Message

Armin Kuster July 8, 2019, 3:47 p.m.
From: Andrew Donnellan <ajd@linux.ibm.com>

States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
(cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13)
Signed-off-by: Daniel Axtens <dja@axtens.net>
[Fixup for 1.16 context, CVE-2019-13122]
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 patchwork/filters.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/patchwork/filters.py b/patchwork/filters.py
index 87c904f..b734207 100644
--- a/patchwork/filters.py
+++ b/patchwork/filters.py
@@ -212,7 +212,7 @@  class StateFilter(Filter):
                 selected = ' selected="true"'
 
             str += '<option value="%d" %s>%s</option>' % (
-                state.id, selected, state.name)
+                state.id, selected, escape(state.name))
         str += '</select>'
         return mark_safe(str)
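Review bot: the hunk calls `escape(state.name)` but does not show where `escape` comes from; since this is a cherry-pick fixed up for the 1.16 context, please confirm that `from django.utils.html import escape` is already present in patchwork/filters.py at this version, otherwise the fix raises a NameError on the first render rather than closing the HTML injection. Two smaller points on the same lines: the result is still built by `%`-formatting and then passed to `mark_safe`, so the safety of the whole `<option>` string now rests on every interpolated value being escaped individually, and `format_html('<option value="{}" {}>{}</option>', state.id, mark_safe(selected), state.name)` would make that guarantee structural instead of per-call; and the accumulator is named `str`, which shadows the builtin, so `option_html` or similar would read better if the surrounding lines are touched again.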