Fixes #10089: linkify template filter should escape object representation

2025-07-24 17:38:37 -06:00 · 2022-08-22 11:14:36 -04:00 · 2022-08-22 11:14:36 -04:00 · c14a5973c7
commit c14a5973c7
parent 804c064a7e
2 changed files with 3 additions and 2 deletions
--- a/docs/release-notes/version-3.3.md
+++ b/docs/release-notes/version-3.3.md
@ -10,6 +10,7 @@
 * [#10040](https://github.com/netbox-community/netbox/issues/10040) - Fix exception when ordering prefixes by flat representation
 * [#10053](https://github.com/netbox-community/netbox/issues/10053) - Custom fields header should not be displayed when editing circuit terminations with no custom fields
 * [#10089](https://github.com/netbox-community/netbox/issues/10089) - `linkify` template filter should escape object representation
 ---
--- a/netbox/utilities/templatetags/builtins/filters.py
+++ b/netbox/utilities/templatetags/builtins/filters.py
@ -5,7 +5,7 @@ import re
 import yaml
 from django import template
 from django.contrib.contenttypes.models import ContentType
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from markdown import markdown
@ -35,7 +35,7 @@ def linkify(instance, attr=None):
    text = getattr(instance, attr) if attr is not None else str(instance)
    try:
        url = instance.get_absolute_url()
-        return mark_safe(f'<a href="{url}">{text}</a>')
+        return mark_safe(f'<a href="{url}">{escape(text)}</a>')
    except (AttributeError, TypeError):
        return text