do not use safe in template

that can cause wrong escaping and generally is considered unsafe

InvenTree/common/models.py

@@ -20,6 +20,7 @@ from djmoney.contrib.exchange.models import convert_money
 from djmoney.contrib.exchange.exceptions import MissingRate
 
 from django.utils.translation import ugettext_lazy as _
+from django.utils.html import format_html
 from django.core.validators import MinValueValidator, URLValidator
 from django.core.exceptions import ValidationError
 
@@ -94,7 +95,7 @@ class BaseInvenTreeSetting(models.Model):
 
             # Wrap strings with quotes
             else:
-                value = f"'{value}'"
+                value = format_html("'{}'", value)
 
             setting["value"] = value
 

InvenTree/templates/js/dynamic/settings.js

@@ -6,12 +6,12 @@
 
 var user_settings = {
     {% for setting in USER_SETTINGS %}
-    {{ setting.key }}: {{ setting.value|safe }},
+    {{ setting.key }}: {{ setting.value }},
     {% endfor %}
 };
 
 var global_settings = {
     {% for setting in GLOBAL_SETTINGS %}
-    {{ setting.key }}: {{ setting.value|safe }},
+    {{ setting.key }}: {{ setting.value }},
     {% endfor %}
 };