Escape HTML in deck names in the deck list

Due to the way the deck list is constructed in Python, this could lead to the execution of script tags. Thanks to Tyler Butler for the report.
2025-09-21 15:32:23 -04:00 · 2023-01-26 10:48:49 +10:00 · 2023-01-26 10:48:49 +10:00 · 5a1c29a818
commit 5a1c29a818
parent 21cd4f2f17
1 changed files with 2 additions and 1 deletions
--- a/qt/aqt/deckbrowser.py
+++ b/qt/aqt/deckbrowser.py
@ -3,6 +3,7 @@

 from __future__ import annotations

+import html
 from copy import deepcopy
 from dataclasses import dataclass
 from typing import Any
@ -230,7 +231,7 @@ class DeckBrowser:
            collapse,
            extraclass,
            node.deck_id,
-            node.name,
+            html.escape(node.name),
        )
        # due counts
        def nonzeroColour(cnt: int, klass: str) -> str: