From c14a5973c7c1f3a1508a4f62ae4b21a918333680 Mon Sep 17 00:00:00 2001
From: jeremystretch
Date: Mon, 22 Aug 2022 11:14:36 -0400
Subject: [PATCH] Fixes #10089: linkify template filter should escape object representation
---
 docs/release-notes/version-3.3.md | 1 +
 netbox/utilities/templatetags/builtins/filters.py | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/release-notes/version-3.3.md b/docs/release-notes/version-3.3.md
index 382d6c29e..0d61e43be 100644
--- a/docs/release-notes/version-3.3.md
+++ b/docs/release-notes/version-3.3.md
@@ -10,6 +10,7 @@
 * [#10040](https://github.com/netbox-community/netbox/issues/10040) - Fix exception when ordering prefixes by flat representation
 * [#10053](https://github.com/netbox-community/netbox/issues/10053) - Custom fields header should not be displayed when editing circuit terminations with no custom fields
+* [#10089](https://github.com/netbox-community/netbox/issues/10089) - `linkify` template filter should escape object representation
 ---
diff --git a/netbox/utilities/templatetags/builtins/filters.py b/netbox/utilities/templatetags/builtins/filters.py
index bc395e438..6b548a89d 100644
--- a/netbox/utilities/templatetags/builtins/filters.py
+++ b/netbox/utilities/templatetags/builtins/filters.py
@@ -5,7 +5,7 @@ import re
 import yaml
 from django import template
 from django.contrib.contenttypes.models import ContentType
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from markdown import markdown
@@ -35,7 +35,7 @@ def linkify(instance, attr=None):
     text = getattr(instance, attr) if attr is not None else str(instance)
     try:
         url = instance.get_absolute_url()
-        return mark_safe(f'{text}')
+        return mark_safe(f'{escape(text)}')
     except (AttributeError, TypeError):
         return text
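Review bot: Only `text` is escaped in the new `mark_safe(...)` return of `linkify`; the `url` obtained from `instance.get_absolute_url()` on the line above is presumably interpolated into the same string as the anchor's href (the anchor markup has been stripped from this rendering of the hunk), and it goes into that attribute context unescaped. Django's `reverse()` normally yields a percent-encoded path, but a model that builds its own `get_absolute_url()` from user-controlled data would still be able to break out of the attribute, so escaping it costs nothing and closes that gap: `return mark_safe(f'<a href="{escape(url)}">{escape(text)}</a>')`. Note that `django.utils.html.escape` re-escapes values already marked safe, so an attribute that deliberately returns a `SafeString` will be double-escaped; if such attributes exist, `conditional_escape(text)` is the alternative, with `escape` remaining the safer default. The signature of `linkify` appears only in the `@@` trailer, and the same change is not needed in the import hunk, which already switches `strip_tags` to `escape`.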