Mark Lavin committed b5a5f9d

Conditionally escape results of get_item_id, get_item_value and get_item_label. Fixes #63.

Files changed (1)

selectable/base.py

 from django.db.models import Q
 from django.utils import simplejson as json
 from django.utils.encoding import smart_unicode
+from django.utils.html import conditional_escape
 from django.utils.translation import ugettext as _
 
 from selectable.forms import BaseLookupForm
 
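Review bot: The import is correct and placed in alphabetical order with the other `django.utils` imports, but note that `conditional_escape` only escapes values that do not carry `__html__`/`SafeData`; anything a subclass returns from `get_item_id`, `get_item_value` or `get_item_label` after `mark_safe()` will pass through this change unescaped. Since this commit touches only `selectable/base.py` and adds no test, it would be worth adding a regression test for #63 that feeds an item whose label contains `<script>` through `format_item` and asserts the output is entity-encoded, so the behaviour does not silently regress if a lookup later overrides these methods with a safe-marked string.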
     def format_item(self, item):
          return {
-            'id': self.get_item_id(item),
-            'value': self.get_item_value(item),
-            'label': self.get_item_label(item)
+            'id': conditional_escape(self.get_item_id(item)),
+            'value': conditional_escape(self.get_item_value(item)),
+            'label': conditional_escape(self.get_item_label(item))
         }
 
     def paginate_results(self, request, results, limit):
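Review bot: Wrapping `get_item_id` in `conditional_escape` changes the type of `'id'`, not just its content: `escape()` coerces its argument with `force_unicode`, so an integer primary key that was previously serialised as a JSON number will now arrive at the client as a string, which can break any client-side code that compares ids numerically or uses them as object keys. Consider leaving `'id'` unescaped (it is a lookup key, not rendered markup) or documenting the type change. For `'value'`, check how the JavaScript side consumes it: if it is assigned to an input's `.value` rather than rendered as HTML, the entities produced here (`&amp;`, `&lt;`, ...) will be shown verbatim to the user, so escaping may belong only on `'label'` or should happen at the point of insertion into the DOM.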