validation: always escape error messages
The validation object's error messages are intended for display (i.e. HTML rendering). To ensure that no user-supplied HTML is ever rendered unescaped, escape the error messages at the point where they are passed in. Thanks to Naglis Jonaitis for the report.
parent
d7502248e0
commit
b663dbe7cf
@ -1,4 +1,4 @@
from markupsafe import Markup
from markupsafe import escape, Markup
from urllib import parse
from enum import Enum, IntEnum
import json
|
||||
|
@ -6,7 +6,7 @@ import json
class ValidationError:
def __init__(self, field, message):
self.field = field
self.message = message
self.message = escape(message)
def json(self):
j = dict()
|
||||