From: Andrew Donnellan <ajd@linux.ibm.com>
Date: Fri, 5 Jul 2019 03:27:41 +0000 (+1000)
Subject: filters: Escape State names when generating selector HTML
X-Git-Tag: v2.0.4~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c735f49677d30137dab8c2a4e4c8fbd1582b4e4;p=thirdparty%2Fpatchwork.git

filters: Escape State names when generating selector HTML

States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
(cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13)
Signed-off-by: Daniel Axtens <dja@axtens.net>
---

diff --git a/patchwork/filters.py b/patchwork/filters.py
index 8d0f82f2..0699e694 100644
--- a/patchwork/filters.py
+++ b/patchwork/filters.py
@@ -252,7 +252,7 @@ class StateFilter(Filter):
                 selected = ' selected="true"'
 
             out += '<option value="%d" %s>%s</option>' % (
-                state.id, selected, state.name)
+                state.id, selected, escape(state.name))
         out += '</select>'
         return mark_safe(out)