Escape HTML in deck names in the deck list

Due to the way the deck list is constructed in Python, this could lead to the execution of script tags. Thanks to Tyler Butler for the report.
2026-01-14 06:23:57 -05:00 · 2023-01-26 10:48:49 +10:00 · 2023-01-26 10:48:49 +10:00 · 101531b45c
commit 101531b45c
parent 8185ad3d3e
1 changed files with 2 additions and 1 deletions
--- a/qt/aqt/deckbrowser.py
+++ b/qt/aqt/deckbrowser.py
@ -3,6 +3,7 @@

 from __future__ import annotations

+import html
 from copy import deepcopy
 from dataclasses import dataclass
 from typing import Any
@ -230,7 +231,7 @@ class DeckBrowser:
            collapse,
            extraclass,
            node.deck_id,
-            node.name,
+            html.escape(node.name),
        )
        # due counts
        def nonzeroColour(cnt: int, klass: str) -> str: