Escape html when building jstree
@@ -1,3 +1,5 @@
|
|||||||
|
from flask import Markup
|
||||||
|
|
||||||
from pillarsdk import Node
|
from pillarsdk import Node
|
||||||
from pillarsdk.exceptions import ForbiddenAccess
|
from pillarsdk.exceptions import ForbiddenAccess
|
||||||
from pillarsdk.exceptions import ResourceNotFound
|
from pillarsdk.exceptions import ResourceNotFound
|
||||||
@@ -5,7 +7,6 @@ from flask_login import current_user
|
|||||||
|
|
||||||
from pillar.web import system_util
|
from pillar.web import system_util
|
||||||
|
|
||||||
|
|
||||||
GROUP_NODES = {'group', 'storage', 'group_texture', 'group_hdri'}
|
GROUP_NODES = {'group', 'storage', 'group_texture', 'group_hdri'}
|
||||||
|
|
||||||
|
|
||||||
@@ -20,7 +21,7 @@ def jstree_parse_node(node, children=None):
|
|||||||
parsed_node = dict(
|
parsed_node = dict(
|
||||||
id="n_{0}".format(node._id),
|
id="n_{0}".format(node._id),
|
||||||
a_attr={ "href" : url_for_node(node=node) },
|
a_attr={ "href" : url_for_node(node=node) },
|
||||||
text=node.name,
|
text=Markup.escape(node.name),
|
||||||
type=node_type,
|
type=node_type,
|
||||||
children=False)
|
children=False)
|
||||||
# Append children property only if it is a directory type
|
# Append children property only if it is a directory type
|
||||||
@@ -68,7 +69,7 @@ def jstree_get_children(node_id, project_id=None):
|
|||||||
def jstree_build_children(node):
|
def jstree_build_children(node):
|
||||||
return dict(
|
return dict(
|
||||||
id="n_{0}".format(node._id),
|
id="n_{0}".format(node._id),
|
||||||
text=node.name,
|
text=Markup.escape(node.name),
|
||||||
type=node.node_type,
|
type=node.node_type,
|
||||||
children=jstree_get_children(node._id)
|
children=jstree_get_children(node._id)
|
||||||
)
|
)
|
||||||
|
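Review bot: The escaping is applied by hand at the two `text=` sites (in `jstree_parse_node` and `jstree_build_children`) with nothing recording why, so a later node builder can easily omit it again; a comment such as `# jstree inserts 'text' into the DOM as HTML, so node names must be escaped here` at each site, or one small helper that both builders call, would keep the rule visible. `Markup.escape(None)` returns the literal string `None`, where the old code passed the value through unchanged, so if a node can reach this code without a name the tree would display "None"; `text=Markup.escape(node.name or '')` avoids that, assuming an empty label is acceptable. A regression test that serialises a node whose name contains markup characters and asserts the entity-encoded result would pin the fix. Both functions continue outside the hunks shown, so any other fields they set are not covered by this note.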