do not use safe in template

that can cause wrong escaping and generally is considered unsafe
This commit is contained in:
Matthias 2021-08-01 01:41:46 +02:00
parent c0921fc7ce
commit 55762f2a96
2 changed files with 5 additions and 4 deletions

View File

@ -20,6 +20,7 @@ from djmoney.contrib.exchange.models import convert_money
from djmoney.contrib.exchange.exceptions import MissingRate
from django.utils.translation import ugettext_lazy as _
from django.utils.html import format_html
from django.core.validators import MinValueValidator, URLValidator
from django.core.exceptions import ValidationError
@ -94,7 +95,7 @@ class BaseInvenTreeSetting(models.Model):
# Wrap strings with quotes
else:
value = f"'{value}'"
value = format_html("'{}'", value)
setting["value"] = value

View File

@ -6,12 +6,12 @@
var user_settings = {
{% for setting in USER_SETTINGS %}
{{ setting.key }}: {{ setting.value|safe }},
{{ setting.key }}: {{ setting.value }},
{% endfor %}
};
var global_settings = {
{% for setting in GLOBAL_SETTINGS %}
{{ setting.key }}: {{ setting.value|safe }},
{{ setting.key }}: {{ setting.value }},
{% endfor %}
};