Closes #16700: Audit usage of mark_safe() for consistent escaping

2026-01-23 20:12:42 -06:00 · 2024-06-24 11:34:46 -04:00
parent 8b62e40874
commit f4ac23d868
8 changed files with 16 additions and 13 deletions
--- a/netbox/utilities/error_handlers.py
+++ b/netbox/utilities/error_handlers.py
@@ -39,7 +39,7 @@ def handle_protectederror(obj_list, request, e):
        if hasattr(dependent, 'get_absolute_url'):
            dependent_objects.append(f'<a href="{dependent.get_absolute_url()}">{escape(dependent)}</a>')
        else:
-            dependent_objects.append(str(dependent))
+            dependent_objects.append(escape(str(dependent)))
    err_message += ', '.join(dependent_objects)

    messages.error(request, mark_safe(err_message))