From 45328b629b7e7e5c20a2cb8f6abf22f32f0c4d6c Mon Sep 17 00:00:00 2001
From: Pablo Vazquez
Date: Tue, 8 Nov 2016 18:25:23 +0100
Subject: [PATCH] Escape html when building jstree

---
 pillar/web/utils/jstree.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pillar/web/utils/jstree.py b/pillar/web/utils/jstree.py
index 5abe8894..8de4e918 100644
--- a/pillar/web/utils/jstree.py
+++ b/pillar/web/utils/jstree.py
@@ -1,3 +1,5 @@
+from flask import Markup
+
 from pillarsdk import Node
 from pillarsdk.exceptions import ForbiddenAccess
 from pillarsdk.exceptions import ResourceNotFound
@@ -5,7 +7,6 @@ from flask_login import current_user
 from pillar.web import system_util
-
 GROUP_NODES = {'group', 'storage', 'group_texture', 'group_hdri'}
@@ -20,7 +21,7 @@ def jstree_parse_node(node, children=None):
     parsed_node = dict(
         id="n_{0}".format(node._id),
         a_attr={ "href" : url_for_node(node=node) },
-        text=node.name,
+        text=Markup.escape(node.name),
         type=node_type,
         children=False)
     # Append children property only if it is a directory type
@@ -68,7 +69,7 @@ def jstree_get_children(node_id, project_id=None):
 def jstree_build_children(node):
     return dict(
         id="n_{0}".format(node._id),
-        text=node.name,
+        text=Markup.escape(node.name),
         type=node.node_type,
         children=jstree_get_children(node._id)
     )
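Review bot: `from flask import Markup` reaches the class through Flask's re-export of MarkupSafe, which later Flask releases deprecated and then removed; `from markupsafe import Markup` (MarkupSafe is already a Flask dependency) is the durable spelling and makes the escaping dependency explicit. A short trailing comment on the import, `# HTML-escape user-supplied node names before they reach jstree`, would also tell the next reader why a templating helper is imported into a tree-building module.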
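Review bot: The new `text=Markup.escape(node.name)` line in `jstree_parse_node` changes the value's type and its handling of non-string names, and the commit does not say whether that is acceptable: `Markup.escape` stringifies its argument, so if the Node schema allows a missing name (not visible here) a `None` would now serialize as the string `"None"` rather than JSON `null`, and the result is a `Markup` str subclass that Jinja autoescaping will treat as already safe. The same applies to the `text=` line in the `jstree_build_children` hunk below it. Since this is a deliberate XSS mitigation for a user-controlled field, I would record the reasoning on both lines, `# node.name is user-supplied and jstree inserts 'text' as HTML; escape server-side`, so a later refactor does not "simplify" it away. Note also that `a_attr["href"]` from `url_for_node(node=node)` is passed through unescaped; that is presumably server-generated, but if it ever incorporates a user-controlled slug it needs the same treatment. `jstree_parse_node` begins before this hunk and continues past it.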