From 101531b45c16a54e56e9eb10127bc1722cc3dc78 Mon Sep 17 00:00:00 2001
From: Damien Elmes
Date: Thu, 26 Jan 2023 10:48:49 +1000
Subject: [PATCH] Escape HTML in deck names in the deck list

Due to the way the deck list is constructed in Python, this could lead to the execution of script tags. Thanks to Tyler Butler for the report.
---
 qt/aqt/deckbrowser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/qt/aqt/deckbrowser.py b/qt/aqt/deckbrowser.py
index d5f4ffca3..3bcb82025 100644
--- a/qt/aqt/deckbrowser.py
+++ b/qt/aqt/deckbrowser.py
@@ -3,6 +3,7 @@
 from __future__ import annotations
+import html
 from copy import deepcopy
 from dataclasses import dataclass
 from typing import Any
@@ -230,7 +231,7 @@ class DeckBrowser:
 collapse,
 extraclass,
 node.deck_id,
-node.name,
+html.escape(node.name),
 )
 # due counts
 def nonzeroColour(cnt: int, klass: str) -> str:
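Review bot: The escape is applied at the interpolation site with nothing marking the surrounding format tuple as an HTML sink, so the next maintainer who adds another user-controlled field to the same row has no cue that it must be escaped too; suggest `# node.name is user-controlled text rendered into HTML markup - keep it escaped` on the line above the tuple. `html.escape` with its default `quote=True` also covers attribute positions, which is the safer choice here because the template this tuple feeds is not visible in the hunk. A regression test that builds a deck node with a constructed name such as `a<b>&"c"` and asserts the rendered row contains `a&lt;b&gt;&amp;&quot;c&quot;` would pin the fix against future refactors of the row builder. The enclosing method starts and ends outside the hunk, so whether other places that render the deck name (tooltips, collapse/rename handlers) receive the same treatment cannot be confirmed from here.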