From baba943e623ba5d1f12f579e87d04c6cb65fb061 Mon Sep 17 00:00:00 2001
From: Alexandre Avenel
Date: Thu, 16 Feb 2017 23:11:30 +0100
Subject: Fix xss (#173) Fix #173 Rewrite multi select widget as a template in order to have all values properly escaped.
---
 budget/forms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'budget/forms.py')
diff --git a/budget/forms.py b/budget/forms.py
index adf3de7..ac181ec 100644
--- a/budget/forms.py
+++ b/budget/forms.py
@@ -118,7 +118,7 @@ class BillForm(Form):
 payer = SelectField(_("Payer"), validators=[Required()], coerce=int)
 amount = CommaDecimalField(_("Amount paid"), validators=[Required()])
 payed_for = SelectMultipleField(_("For whom?"),
- validators=[Required()], widget=select_multi_checkbox, coerce=int)
+ validators=[Required()], coerce=int)
 submit = SubmitField(_("Submit"))
 submit2 = SubmitField(_("Submit and add a new one"))
-- cgit v1.1
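Review bot: Nothing at the `payed_for` field records that its checkbox markup is now produced by a template, so the escaping this fix relies on lives in a file the hunk does not show, and a later edit could re-attach a hand-built widget without noticing. A short comment above the field would record that, for example `# Rendered as checkboxes by the template, which escapes the choice labels; do not attach a widget that concatenates HTML.` The view is limited to budget/forms.py, so whether the `select_multi_checkbox` definition or import is also removed cannot be confirmed from here; if it remains it is presumably dead code and is better deleted than left available for reuse. BillForm's body starts and ends outside the hunk.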