
#7612: Use escape() rather than strip_tags()

jeremystretch hace 4 años
padre
commit
7614f423e5

+ 2 - 2
netbox/extras/models/customfields.py

@@ -7,7 +7,7 @@ from django.contrib.postgres.fields import ArrayField
 from django.core.validators import RegexValidator, ValidationError
 from django.db import models
 from django.urls import reverse
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 
 from extras.choices import *
@@ -288,7 +288,7 @@ class CustomField(ChangeLoggedModel):
         field.model = self
         field.label = str(self)
         if self.description:
-            field.help_text = strip_tags(self.description)
+            field.help_text = escape(self.description)
 
         return field
 
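Review bot: The `field.help_text = escape(self.description)` line carries a security rationale that the code does not record, so a later cleanup could switch it back to `strip_tags()`. Django documents that `strip_tags()` output is not guaranteed to be HTML-safe and that form `help_text` is not escaped in automatically generated form output, so escaping is what keeps a user-supplied description inert. I would add a comment above the assignment such as `# Escape (not strip_tags): help_text can be rendered unescaped and strip_tags() output is not guaranteed HTML-safe`. A regression test that sets a description containing markup and asserts it comes back entity-encoded in `help_text` would pin this down. The enclosing method starts outside the hunk, so how the returned field is rendered is not visible here.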

+ 1 - 1
netbox/templates/inc/custom_fields_panel.html

@@ -8,7 +8,7 @@
                 <table class="table table-hover attr-table">
                     {% for field, value in custom_fields.items %}
                         <tr>
-                            <td><span title="{{ field.description|striptags }}">{{ field }}</span></td>
+                            <td><span title="{{ field.description|escape }}">{{ field }}</span></td>
                             <td>
                                 {% if field.type == 'boolean' and value == True %}
                                     <i class="mdi mdi-check-bold text-success" title="True"></i>
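Review bot: In `title="{{ field.description|escape }}"` the `escape` filter is conditional: it leaves values already marked safe untouched, and under Django's default autoescaping it adds nothing beyond what `{{ field.description }}` already gets. It therefore only helps if this include is ever rendered inside an `{% autoescape off %}` block, which cannot be confirmed from the hunk. If the intent is that the description is always entity-encoded inside the quoted attribute, whatever happens upstream, `{{ field.description|force_escape }}` states that more strongly. Otherwise a short template comment such as `{# description is user-supplied; escaped explicitly for the title attribute #}` would record why the filter is there. The surrounding `{% for %}` block continues outside the hunk.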