| author | Alexandre Avenel <avenel.alexandre@gmail.com> | 2017-02-16 23:11:30 +0100 |
|---|---|---|
| committer | Alexandre Avenel <avenel.alexandre@gmail.com> | 2017-02-16 23:11:30 +0100 |
| commit | baba943e623ba5d1f12f579e87d04c6cb65fb061 (patch) | |
| tree | 2552c94d2bbee2ae3bb8327e548bc68feb4f1660 /budget/templates/list_bills.html | |
| parent | 3dd7c67ecf5e2c5d21ec387bbd82e0fa3b90ad5b (diff) | |
Fix xss (#173)
Fix #173
Rewrite multi select widget as a template in order to have all values properly escaped.
Diffstat (limited to 'budget/templates/list_bills.html')
| -rw-r--r-- | budget/templates/list_bills.html | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/budget/templates/list_bills.html b/budget/templates/list_bills.html index 9421650..a9af4de 100644 --- a/budget/templates/list_bills.html +++ b/budget/templates/list_bills.html @@ -107,7 +107,7 @@ <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead> <tbody> {% for bill in bills %} - <tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}> + <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}"> <td>{{ bill.date }}</td> <td>{{ bill.payer }}</td> <td>{{ bill.what }}</td> |
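Review bot: on the changed `<tr>` line, the new double quotes only contain the value if the template is rendered with autoescaping on, because a literal `"` in the output of `{{bill.owers|join(',','id')}}` or `{{bill.payer.id}}` would otherwise close the attribute early. Both expressions read `id` fields, so the exposure is small if ids are always integers, but the same dependency applies to the unchanged `{{ bill.payer }}` and `{{ bill.what }}` cells below, which print user-entered text. Please confirm autoescape is enabled for this template and add a regression test that renders a bill whose payer name and description contain `"` and `<`, asserting they come out as entities. As a style point, `owers` and `payer` are not valid attributes on `<tr>`; `data-owers` and `data-payer` would be the standard form, provided any script that reads these attributes is updated in the same change.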
