Merge pull request #1002 from pawl/fix_xss_2

fix xss vulnerability - escape html in column_editable_list values

Merge pull request #1002 from pawl/fix_xss_2
fix xss vulnerability - escape html in column_editable_list values
dcc9dd6d · Serge S. Koval · a00b716a · f447db0c · dcc9dd6d
Commit dcc9dd6d authored Aug 22, 2015 by Serge S. Koval
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

widgets.py flask_admin/model/widgets.py +3 -1

No files found.
--- a/flask_admin/model/widgets.py
+++ b/flask_admin/model/widgets.py
 from flask import json
+from jinja2 import escape
 from wtforms.widgets import HTMLString, html_params
 from flask_admin._compat import as_unicode
@@ -92,7 +93,8 @@ class XEditableWidget(object):
        kwargs = self.get_kwargs(subfield, kwargs)
        return HTMLString(
-            '<a %s>%s</a>' % (html_params(**kwargs), kwargs['data-value'])
+            '<a %s>%s</a>' % (html_params(**kwargs),
+                              escape(kwargs['data-value']))
        )
    def get_kwargs(self, subfield, kwargs):