From b87b1a3801bdeaf76bba7ba6f0ec64cd11ae6de4 Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Fri, 31 May 2024 21:20:45 -0500
Subject: [PATCH] Escape all unsafe html for grid data

---
 tailbone/grids/core.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tailbone/grids/core.py b/tailbone/grids/core.py
index b428aaa6..91c3d1f5 100644
--- a/tailbone/grids/core.py
+++ b/tailbone/grids/core.py
@@ -1651,7 +1651,11 @@ class Grid(object):
                 value = self.obtain_value(rowobj, name)
                 if value is None:
                     value = ""
-                row[name] = str(value)
+
+                # this value will ultimately be inserted into table
+                # cell a la so we must escape it
+                # here to be safe
+                row[name] = HTML.literal.escape(value)
 
             # maybe add UUID for convenience
             if 'uuid' not in self.columns:
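Review bot: `HTML.literal.escape(value)` on the new last line of the hunk only escapes values that do not already carry `__html__`; if `HTML.literal` is the markupsafe-backed webhelpers2 literal, any renderer that returns a `literal`/`Markup` passes through untouched, so the cell's safety now rests on each such renderer escaping its own interpolated data, and the new comment should state that contract rather than "to be safe". The comment itself also reads as if a phrase was lost in `# cell a la so we must escape it` — restore the reference to the raw-HTML cell binding it alludes to so the next reader knows why plain text interpolation is not enough. It is not visible in this hunk whether `HTML` is imported in core.py, and whether non-string values (dates, decimals) still serialize as they did under `str(value)` deserves a quick check. The enclosing method starts and ends outside the hunk.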