changeset 174:3fe6eb21636d
For security purposes, we now escape any HTML contained in a Persona's description.
author | Atul Varma <varmaa@toolness.com> |
---|---|
date | Wed, 16 Apr 2008 17:38:52 -0700 |
parents | 65c14ecad14c |
children | 5d57a0f3e820 |
files | personasbackend/personas/models.py personasbackend/personas/templates/personas/list.html |
diffstat | 2 files changed, 2 insertions(+), 2 deletions(-) [+] |
--- a/personasbackend/personas/models.py Wed Apr 16 17:34:34 2008 -0700
+++ b/personasbackend/personas/models.py Wed Apr 16 17:38:52 2008 -0700
@@ -265,7 +265,7 @@
 )
 description = models.TextField(
- help_text = "HTML is allowed.",
+ help_text = "A short description of the Persona.",
 blank=False,
 )
--- a/personasbackend/personas/templates/personas/list.html Wed Apr 16 17:34:34 2008 -0700 +++ b/personasbackend/personas/templates/personas/list.html Wed Apr 16 17:38:52 2008 -0700 @@ -24,7 +24,7 @@ </span> {% endif %} </div> - <div class="persona-desc">{{ persona.description|safe }}</div> + <div class="persona-desc">{{ persona.description }}</div> {% comment %} TODO: This doesn't obey DRY; we should figure out a way around this. Ideally, we should be able to do the equivalent of 'if
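Review bot: Dropping `|safe` on the `persona-desc` div protects only this one template, and only while Django autoescaping is in effect at that point; the rest of list.html is outside the hunk, so an enclosing `{% autoescape off %}` cannot be ruled out from here. Any other template, feed or API output that renders `persona.description` is not touched by this changeset and should be checked for the same filter. I would add a template comment next to the div, `{# user-supplied text: rely on autoescape, never |safe #}`, and a regression test asserting that a description containing markup is rendered escaped on the list page. Descriptions stored while the field help text read "HTML is allowed." will now display their tags literally, so a one-off cleanup of existing rows may be needed.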