GitHub/Anki
1
0
Fork 0
mirror of https://github.com/ankitects/anki.git synced 2025-09-21 23:42:23 -04:00
Code Issues Projects Releases Packages 1 Wiki Activity Actions

Escape HTML in deck names in the deck list

Browse source 
Due to the way the deck list is constructed in Python, this could lead
to the execution of script tags. Thanks to Tyler Butler for the report.
This commit is contained in:
Damien Elmes 2023-01-26 10:48:49 +10:00
parent 21cd4f2f17
commit 5a1c29a818
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
qt/aqt/deckbrowser.py
View file

@ -3,6 +3,7 @@
from __future__ import annotations from __future__ import annotations
import html
from copy import deepcopy from copy import deepcopy
from dataclasses import dataclass from dataclasses import dataclass
from typing import Any from typing import Any
@ -230,7 +231,7 @@ class DeckBrowser:
collapse, collapse,
extraclass, extraclass,
node.deck_id, node.deck_id,
node.name, html.escape(node.name),
) )
# due counts # due counts
def nonzeroColour(cnt: int, klass: str) -> str: def nonzeroColour(cnt: int, klass: str) -> str: