Escape all unsafe html for grid data

2024-05-31 21:20:45 -05:00 · 2024-05-31 21:20:45 -05:00 · b87b1a3801
parent ba519334d1
commit b87b1a3801
1 changed files with 5 additions and 1 deletions
--- a/tailbone/grids/core.py
+++ b/tailbone/grids/core.py
@ -1651,7 +1651,11 @@ class Grid(object):
                    value = self.obtain_value(rowobj, name)
                if value is None:
                    value = ""
-                row[name] = str(value)
+
+                # this value will ultimately be inserted into table
+                # cell a la <td v-html="..."> so we must escape it
+                # here to be safe
+                row[name] = HTML.literal.escape(value)

            # maybe add UUID for convenience
            if 'uuid' not in self.columns: