Sanitize test plan name in tree_view_html()

atodorov · atodorov · commit 195ea53eaaf3 · 2023-07-04T16:00:04.000+03:00
diff --git a/tcms/testplans/models.py b/tcms/testplans/models.py
@@ -9,6 +9,7 @@
 
 from tcms.core.history import KiwiHistoricalRecords
 from tcms.core.models.base import UrlMixin
+from tcms.core.templatetags.extra_filters import bleach_input
 from tcms.management.models import Version
 from tcms.testcases.models import TestCasePlan
 
@@ -213,6 +214,7 @@ def tree_view_html(self):
             if test_plan.pk == self.pk:
                 active_class = "active"
 
+            plan_name = bleach_input(test_plan.name)
             result += f"""
                 <!-- begin-node -->
                 <div class="list-group-item {active_class}" style="border: none">
@@ -228,7 +230,7 @@ def tree_view_html(self):
                                 <div class="list-view-pf-description">
                                     <div class="list-group-item-text">
                                         <a href="{test_plan.get_absolute_url()}">
-                                            TP-{test_plan.pk}: {test_plan.name}
+                                            TP-{test_plan.pk}: {plan_name}
                                         </a>
                                     </div>
                                 </div>
