mirror of
https://github.com/inventree/InvenTree
synced 2024-08-30 18:33:04 +00:00
do not use safe in template
that can cause wrong escaping and generally is considered unsafe
This commit is contained in:
parent
c0921fc7ce
commit
55762f2a96
@ -20,6 +20,7 @@ from djmoney.contrib.exchange.models import convert_money
|
||||
from djmoney.contrib.exchange.exceptions import MissingRate
|
||||
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.utils.html import format_html
|
||||
from django.core.validators import MinValueValidator, URLValidator
|
||||
from django.core.exceptions import ValidationError
|
||||
|
||||
@ -94,7 +95,7 @@ class BaseInvenTreeSetting(models.Model):
|
||||
|
||||
# Wrap strings with quotes
|
||||
else:
|
||||
value = f"'{value}'"
|
||||
value = format_html("'{}'", value)
|
||||
|
||||
setting["value"] = value
|
||||
|
||||
|
@ -6,12 +6,12 @@
|
||||
|
||||
var user_settings = {
|
||||
{% for setting in USER_SETTINGS %}
|
||||
{{ setting.key }}: {{ setting.value|safe }},
|
||||
{{ setting.key }}: {{ setting.value }},
|
||||
{% endfor %}
|
||||
};
|
||||
|
||||
var global_settings = {
|
||||
{% for setting in GLOBAL_SETTINGS %}
|
||||
{{ setting.key }}: {{ setting.value|safe }},
|
||||
{{ setting.key }}: {{ setting.value }},
|
||||
{% endfor %}
|
||||
};
|
Loading…
Reference in New Issue
Block a user