Fixes #7612: Strip HTML from custom field descriptions

docs/release-notes/version-3.0.md

@@ -2,6 +2,10 @@
 
 ## v3.0.9 (FUTURE)
 
+### Bug Fixes
+
+* [#7612](https://github.com/netbox-community/netbox/issues/7612) - Strip HTML from custom field descriptions
+
 ---
 
 ## v3.0.8 (2021-10-20)

netbox/extras/models/customfields.py

@@ -7,6 +7,7 @@ from django.contrib.postgres.fields import ArrayField
 from django.core.validators import RegexValidator, ValidationError
 from django.db import models
 from django.urls import reverse
+from django.utils.html import strip_tags
 from django.utils.safestring import mark_safe
 
 from extras.choices import *
@@ -287,7 +288,7 @@ class CustomField(ChangeLoggedModel):
         field.model = self
         field.label = str(self)
         if self.description:
-            field.help_text = self.description
+            field.help_text = strip_tags(self.description)
 
         return field
 

netbox/templates/inc/custom_fields_panel.html

@@ -8,7 +8,7 @@
                 <table class="table table-hover attr-table">
                     {% for field, value in custom_fields.items %}
                         <tr>
-                            <td><span title="{{ field.description }}">{{ field }}</span></td>
+                            <td><span title="{{ field.description|striptags }}">{{ field }}</span></td>
                             <td>
                                 {% if field.type == 'boolean' and value == True %}
                                     <i class="mdi mdi-check-bold text-success" title="True"></i>