fix xss vulnerability - escape html in column_editable_list values

f447db0c · Paul Brown · 691a1c98 · f447db0c
Commit f447db0c authored Aug 20, 2015 by Paul Brown
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

widgets.py flask_admin/model/widgets.py +3 -1

No files found.
--- a/flask_admin/model/widgets.py
+++ b/flask_admin/model/widgets.py
 from flask import json
+from jinja2 import escape
 from wtforms.widgets import HTMLString, html_params

 from flask_admin._compat import as_unicode
@@ -92,7 +93,8 @@ class XEditableWidget(object):
        kwargs = self.get_kwargs(subfield, kwargs)

        return HTMLString(
-            '<a %s>%s</a>' % (html_params(**kwargs), kwargs['data-value'])
+            '<a %s>%s</a>' % (html_params(**kwargs),
+                              escape(kwargs['data-value']))
        )

    def get_kwargs(self, subfield, kwargs):