States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
(cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13)
Signed-off-by: Daniel Axtens <dja@axtens.net>
selected = ' selected="true"'
out += '<option value="%d" %s>%s</option>' % (
- state.id, selected, state.name)
+ state.id, selected, escape(state.name))
out += '</select>'
return mark_safe(out)
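Review bot: Because the hunk ends in `return mark_safe(out)`, anything interpolated into `out` without escaping is emitted as raw HTML, so calling `escape()` on `state.name` in the `<option>` line fixes this field but leaves the string-concatenation pattern easy to get wrong again. Assuming these are Django's `escape`/`mark_safe` helpers, consider building each option with `format_html()`, which escapes its arguments by default (the fixed `selected` attribute string would then have to be passed as already safe), so a field added later cannot skip escaping. The `%d` on `state.id` and the literal `selected` string look fine as they stand. Any other values appended to `out` above the visible lines deserve the same check, and a test that renders a state whose name contains `<`, `&` or `"` would keep this from regressing.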