From 5a1c29a818c9fc94cf0124a452c7473e7b1c79fb Mon Sep 17 00:00:00 2001
From: Damien Elmes
Date: Thu, 26 Jan 2023 10:48:49 +1000
Subject: [PATCH] Escape HTML in deck names in the deck list
Due to the way the deck list is constructed in Python, this could lead to the execution of script tags. Thanks to Tyler Butler for the report.
---
 qt/aqt/deckbrowser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/qt/aqt/deckbrowser.py b/qt/aqt/deckbrowser.py
index d5f4ffca3..3bcb82025 100644
--- a/qt/aqt/deckbrowser.py
+++ b/qt/aqt/deckbrowser.py
@@ -3,6 +3,7 @@
 from __future__ import annotations
+import html
 from copy import deepcopy
 from dataclasses import dataclass
 from typing import Any
@@ -230,7 +231,7 @@ class DeckBrowser:
 collapse,
 extraclass,
 node.deck_id,
- node.name,
+ html.escape(node.name),
 )
 # due counts
 def nonzeroColour(cnt: int, klass: str) -> str:
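Review bot: The escape is applied at this single interpolation of `node.name`, so any other place in `DeckBrowser` (or elsewhere in the deck-list rendering) that formats a deck name or another user-editable string into the HTML template still needs the same treatment; those sites are not in this hunk, so it is worth checking before treating the report as closed. `html.escape` with its default `quote=True` also neutralises `"` and `'`, which matters if `node.name` is placed inside an attribute as well as in element text; the other arguments (`collapse`, `extraclass`, `node.deck_id`) look program-generated, but the template itself is outside the hunk so that is an assumption. Because the reason for the call is not obvious at the call site, a short comment would help keep it in place during later edits: `# deck names are user-supplied (incl. shared decks); escape before inserting into the HTML template`. A regression test that renders a deck named with `<script>` and asserts the output contains `&lt;script&gt;` rather than the raw tag would pin the fix. The enclosing method starts and ends outside the hunk.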