From 369864574e4099427c4340b9e0db1a84d0c57c77 Mon Sep 17 00:00:00 2001
From: Matthias <matmair@live.de>
Date: Fri, 30 Jul 2021 23:25:45 +0200
Subject: [PATCH 1/5] only include setting in the settings that have a key

---
 InvenTree/common/models.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/InvenTree/common/models.py b/InvenTree/common/models.py
index 54dc21c1b5..38dcce28d9 100644
--- a/InvenTree/common/models.py
+++ b/InvenTree/common/models.py
@@ -58,12 +58,13 @@ class BaseInvenTreeSetting(models.Model):
 
         # Query the database
         for setting in results:
-            settings.append({
-                "key": setting.key.upper(),
-                "value": setting.value
-            })
+            if setting.key:
+                settings.append({
+                    "key": setting.key.upper(),
+                    "value": setting.value
+                })
 
-            keys.add(setting.key.upper())
+                keys.add(setting.key.upper())
 
         # Specify any "default" values which are not in the database
         for key in cls.GLOBAL_SETTINGS.keys():

From 2347f15c2ee05ad6a2dca59bfb6c34846aa15d17 Mon Sep 17 00:00:00 2001
From: Matthias <matmair@live.de>
Date: Sun, 1 Aug 2021 01:05:43 +0200
Subject: [PATCH 2/5] new command to cleanup old settings in db

---
 .../management/commands/clean_settings.py     | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 InvenTree/InvenTree/management/commands/clean_settings.py

diff --git a/InvenTree/InvenTree/management/commands/clean_settings.py b/InvenTree/InvenTree/management/commands/clean_settings.py
new file mode 100644
index 0000000000..9e94497e98
--- /dev/null
+++ b/InvenTree/InvenTree/management/commands/clean_settings.py
@@ -0,0 +1,40 @@
+"""
+Custom management command to cleanup old settings that are not defined anymore
+"""
+
+from django.core.management.base import BaseCommand
+
+
+class Command(BaseCommand):
+    """
+    Cleanup old (undefined) settings in the database
+    """
+
+    def handle(self, *args, **kwargs):
+
+        print("Collecting settings")
+        from common.models import InvenTreeSetting, InvenTreeUserSetting
+
+        # general settings
+        db_settings = InvenTreeSetting.objects.all()
+        model_settings = InvenTreeSetting.GLOBAL_SETTINGS
+
+        # check if key exist and delete if not
+        for setting in db_settings:
+            print(setting.key)
+            if setting.key not in model_settings:
+                setting.delete()
+                print(f"deleted setting '{setting.key}'")
+
+        # user settings
+        db_settings = InvenTreeUserSetting.objects.all()
+        model_settings = InvenTreeUserSetting.GLOBAL_SETTINGS
+
+        # check if key exist and delete if not
+        for setting in db_settings:
+            print(setting.key)
+            if setting.key not in model_settings:
+                setting.delete()
+                print(f"deleted user setting '{setting.key}'")
+
+        print("checked all settings")

From ae8e58ac12bdba8e19136b4563821533f049abac Mon Sep 17 00:00:00 2001
From: Matthias <matmair@live.de>
Date: Sun, 1 Aug 2021 01:06:17 +0200
Subject: [PATCH 3/5] invoke task for celan_settings

---
 tasks.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tasks.py b/tasks.py
index b78a135b08..a9168f4649 100644
--- a/tasks.py
+++ b/tasks.py
@@ -137,6 +137,14 @@ def rebuild(c):
 
     manage(c, "rebuild_models")
 
+@task
+def clean_settings(c):
+    """
+    Clean the setting tables of old settings
+    """
+
+    manage(c, "clean_settings")
+
 @task
 def migrate(c):
     """
@@ -167,7 +175,7 @@ def static(c):
     manage(c, "collectstatic --no-input")
 
 
-@task(pre=[install, migrate, static])
+@task(pre=[install, migrate, static, clean_settings])
 def update(c):
     """
     Update InvenTree installation.

From c0921fc7cedeef1522a969db9fdc9d61188018d0 Mon Sep 17 00:00:00 2001
From: Matthias <matmair@live.de>
Date: Sun, 1 Aug 2021 01:16:10 +0200
Subject: [PATCH 4/5] removing unneeded prints

---
 InvenTree/InvenTree/management/commands/clean_settings.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/InvenTree/InvenTree/management/commands/clean_settings.py b/InvenTree/InvenTree/management/commands/clean_settings.py
index 9e94497e98..e0fd09e6c7 100644
--- a/InvenTree/InvenTree/management/commands/clean_settings.py
+++ b/InvenTree/InvenTree/management/commands/clean_settings.py
@@ -21,7 +21,6 @@ class Command(BaseCommand):
 
         # check if key exist and delete if not
         for setting in db_settings:
-            print(setting.key)
             if setting.key not in model_settings:
                 setting.delete()
                 print(f"deleted setting '{setting.key}'")
@@ -32,7 +31,6 @@ class Command(BaseCommand):
 
         # check if key exist and delete if not
         for setting in db_settings:
-            print(setting.key)
             if setting.key not in model_settings:
                 setting.delete()
                 print(f"deleted user setting '{setting.key}'")

From 55762f2a96c9bc58c1b95c0851d8d4fdc99c23db Mon Sep 17 00:00:00 2001
From: Matthias <matmair@live.de>
Date: Sun, 1 Aug 2021 01:41:46 +0200
Subject: [PATCH 5/5] do not use safe in template that can cause wrong escaping
 and generally is considered unsafe

---
 InvenTree/common/models.py                 | 5 +++--
 InvenTree/templates/js/dynamic/settings.js | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/InvenTree/common/models.py b/InvenTree/common/models.py
index 38dcce28d9..5d75a4dd74 100644
--- a/InvenTree/common/models.py
+++ b/InvenTree/common/models.py
@@ -20,6 +20,7 @@ from djmoney.contrib.exchange.models import convert_money
 from djmoney.contrib.exchange.exceptions import MissingRate
 
 from django.utils.translation import ugettext_lazy as _
+from django.utils.html import format_html
 from django.core.validators import MinValueValidator, URLValidator
 from django.core.exceptions import ValidationError
 
@@ -91,10 +92,10 @@ class BaseInvenTreeSetting(models.Model):
             # Numerical values remain the same
             elif cls.validator_is_int(validator):
                 pass
-                
+
             # Wrap strings with quotes
             else:
-                value = f"'{value}'"
+                value = format_html("'{}'", value)
 
             setting["value"] = value
 
diff --git a/InvenTree/templates/js/dynamic/settings.js b/InvenTree/templates/js/dynamic/settings.js
index 4cc824ed6c..ad4e297c4a 100644
--- a/InvenTree/templates/js/dynamic/settings.js
+++ b/InvenTree/templates/js/dynamic/settings.js
@@ -6,12 +6,12 @@
 
 var user_settings = {
     {% for setting in USER_SETTINGS %}
-    {{ setting.key }}: {{ setting.value|safe }},
+    {{ setting.key }}: {{ setting.value }},
     {% endfor %}
 };
 
 var global_settings = {
     {% for setting in GLOBAL_SETTINGS %}
-    {{ setting.key }}: {{ setting.value|safe }},
+    {{ setting.key }}: {{ setting.value }},
     {% endfor %}
 };
\ No newline at end of file