From 135543683db21d2856f5b12311b348e7061ff743 Mon Sep 17 00:00:00 2001
From: jeremystretch <jstretch@ns1.com>
Date: Mon, 8 Aug 2022 10:24:49 -0400
Subject: [PATCH] Changelog for #9919

---
 docs/release-notes/version-3.2.md | 1 +
 netbox/netbox/tables/columns.py   | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/release-notes/version-3.2.md b/docs/release-notes/version-3.2.md
index 1c7eb79e8..d13e8db75 100644
--- a/docs/release-notes/version-3.2.md
+++ b/docs/release-notes/version-3.2.md
@@ -20,6 +20,7 @@
 * [#9884](https://github.com/netbox-community/netbox/issues/9884) - Prevent querying assigned VRF on prefix object init
 * [#9885](https://github.com/netbox-community/netbox/issues/9885) - Fix child prefix counts when editing/deleting aggregates in bulk
 * [#9891](https://github.com/netbox-community/netbox/issues/9891) - Ensure consistent ordering for tags during object serialization
+* [#9919](https://github.com/netbox-community/netbox/issues/9919) - Fix potential XSS avenue via linked objects in tables
 
 ---
 
diff --git a/netbox/netbox/tables/columns.py b/netbox/netbox/tables/columns.py
index e176b9af7..f78b9f37c 100644
--- a/netbox/netbox/tables/columns.py
+++ b/netbox/netbox/tables/columns.py
@@ -442,9 +442,9 @@ class CustomFieldColumn(tables.Column):
         if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTISELECT:
             return ', '.join(v for v in value)
         if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTIOBJECT:
-            return mark_safe(', '.join([
+            return mark_safe(', '.join(
                 self._likify_item(obj) for obj in self.customfield.deserialize(value)
-            ]))
+            ))
         if value is not None:
             obj = self.customfield.deserialize(value)
             return mark_safe(self._likify_item(obj))