Escape all unsafe HTML for grid data

Lance Edgar 2024-05-31 21:20:45 -05:00
parent ba519334d1
commit b87b1a3801


@ -1651,7 +1651,11 @@ class Grid(object):
value = self.obtain_value(rowobj, name) value = self.obtain_value(rowobj, name)
if value is None: if value is None:
value = "" value = ""
row[name] = str(value)
# this value will ultimately be inserted into table
# cell a la <td v-html="..."> so we must escape it
# here to be safe
row[name] = HTML.literal.escape(value)
# maybe add UUID for convenience # maybe add UUID for convenience
if 'uuid' not in self.columns: if 'uuid' not in self.columns: