From baba943e623ba5d1f12f579e87d04c6cb65fb061 Mon Sep 17 00:00:00 2001
From: Alexandre Avenel <avenel.alexandre@gmail.com>
Date: Thu, 16 Feb 2017 23:11:30 +0100
Subject: Fix xss (#173)

Fix #173
Rewrite multi select widget as a template in order to have all values properly escaped.
---
 budget/templates/list_bills.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'budget/templates/list_bills.html')

diff --git a/budget/templates/list_bills.html b/budget/templates/list_bills.html
index 9421650..a9af4de 100644
--- a/budget/templates/list_bills.html
+++ b/budget/templates/list_bills.html
@@ -107,7 +107,7 @@
         <thead><tr><th>{{ _("When?") }}</th><th>{{ _("Who paid?") }}</th><th>{{ _("For what?") }}</th><th>{{ _("For whom?") }}</th><th>{{ _("How much?") }}</th><th>{{ _("Actions") }}</th></tr></thead>
     <tbody>
     {% for bill in bills %}
-    <tr owers={{bill.owers|join(',','id')}} payer={{bill.payer.id}}>
+    <tr owers="{{bill.owers|join(',','id')}}" payer="{{bill.payer.id}}">
             <td>{{ bill.date }}</td>
             <td>{{ bill.payer }}</td>
             <td>{{ bill.what }}</td>
-- 
cgit v1.1