Closes #1061: Escape all messages by default (complements #1062)

2024-05-10 07:54:54 +00:00 · 2017-04-10 10:54:35 -04:00
parent 3b48a270fc
commit cf5be85dad
2 changed files with 4 additions and 3 deletions
--- a/netbox/templates/_base.html
+++ b/netbox/templates/_base.html
@ -273,7 +273,7 @@
 	    		<button type="button" class="close" data-dismiss="alert" aria-label="Close">
 	    			<span aria-hidden="true">&times;</span>
 	    		</button>
-	    		{{ message|safe }}
+	    		{{ message }}
 	    	</div>
 	    {% endfor %}
 		{% block content %}{% endblock %}
--- a/netbox/utilities/views.py
+++ b/netbox/utilities/views.py
@ -14,6 +14,7 @@ from django.shortcuts import get_object_or_404, redirect, render
 from django.template import TemplateSyntaxError
 from django.utils.html import escape
 from django.utils.http import is_safe_url
+from django.utils.safestring import mark_safe
 from django.views.generic import View

 from extras.forms import CustomFieldForm
@ -198,7 +199,7 @@ class ObjectEditView(View):
                msg = u'{} <a href="{}">{}</a>'.format(msg, obj.get_absolute_url(), escape(obj))
            else:
                msg = u'{} {}'.format(msg, escape(obj))
-            messages.success(request, msg)
+            messages.success(request, mark_safe(msg))
            if obj_created:
                UserAction.objects.log_create(request.user, obj, msg)
            else:
@ -267,7 +268,7 @@ class ObjectDeleteView(View):
                handle_protectederror(obj, request, e)
                return redirect(obj.get_absolute_url())

-            msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, escape(obj))
+            msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, obj)
            messages.success(request, msg)
            UserAction.objects.log_delete(request.user, obj, msg)