From 55762f2a96c9bc58c1b95c0851d8d4fdc99c23db Mon Sep 17 00:00:00 2001 From: Matthias Date: Sun, 1 Aug 2021 01:41:46 +0200 Subject: [PATCH] do not use safe in template that can cause wrong escaping and generally is considered unsafe --- InvenTree/common/models.py | 5 +++-- InvenTree/templates/js/dynamic/settings.js | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/InvenTree/common/models.py b/InvenTree/common/models.py index 38dcce28d9..5d75a4dd74 100644 --- a/InvenTree/common/models.py +++ b/InvenTree/common/models.py @@ -20,6 +20,7 @@ from djmoney.contrib.exchange.models import convert_money from djmoney.contrib.exchange.exceptions import MissingRate from django.utils.translation import ugettext_lazy as _ +from django.utils.html import format_html from django.core.validators import MinValueValidator, URLValidator from django.core.exceptions import ValidationError @@ -91,10 +92,10 @@ class BaseInvenTreeSetting(models.Model): # Numerical values remain the same elif cls.validator_is_int(validator): pass - + # Wrap strings with quotes else: - value = f"'{value}'" + value = format_html("'{}'", value) setting["value"] = value diff --git a/InvenTree/templates/js/dynamic/settings.js b/InvenTree/templates/js/dynamic/settings.js index 4cc824ed6c..ad4e297c4a 100644 --- a/InvenTree/templates/js/dynamic/settings.js +++ b/InvenTree/templates/js/dynamic/settings.js @@ -6,12 +6,12 @@ var user_settings = { {% for setting in USER_SETTINGS %} - {{ setting.key }}: {{ setting.value|safe }}, + {{ setting.key }}: {{ setting.value }}, {% endfor %} }; var global_settings = { {% for setting in GLOBAL_SETTINGS %} - {{ setting.key }}: {{ setting.value|safe }}, + {{ setting.key }}: {{ setting.value }}, {% endfor %} }; \ No newline at end of file