From 0b7b8883f40e396e3ffb580c76828dac4f8b4aa9 Mon Sep 17 00:00:00 2001
From: Bach Dániel <bd@ik.bme.hu>
Date: Wed, 10 Sep 2014 10:39:07 +0200
Subject: [PATCH] dashboard: fix xss in autocomplete

---
 circle/dashboard/autocomplete_light_registry.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/circle/dashboard/autocomplete_light_registry.py b/circle/dashboard/autocomplete_light_registry.py
index 3561dc9..a5d5c4f 100644
--- a/circle/dashboard/autocomplete_light_registry.py
+++ b/circle/dashboard/autocomplete_light_registry.py
@@ -1,5 +1,6 @@
 import autocomplete_light
 from django.contrib.auth.models import User
+from django.utils.html import escape
 from django.utils.translation import ugettext as _
 
 from .views import AclUpdateView
@@ -23,10 +24,14 @@ class AclUserGroupAutocomplete(autocomplete_light.AutocompleteGenericBase):
             match = None
         if q and match is not None:
             match_end = match + len(q)
-            return (field[:match] + '<span class="autocomplete-hl">' +
-                    field[match:match_end] + '</span>' + field[match_end:])
+            return (escape(field[:match])
+                    + '<span class="autocomplete-hl">'
+                    + escape(field[match:match_end])
+                    + '</span>' + escape(field[match_end:]))
+        elif none_wo_match:
+            return None
         else:
-            return None if none_wo_match else field
+            return escape(field)
 
     def choice_displayed_text(self, choice):
         q = unicode(self.request.GET.get('q', ''))
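Review bot: The value built on the new lines 27-30 is escaped-then-concatenated with plain `str` literals, so Django's SafeText wrapper returned by `escape()` is lost and the method returns an ordinary string; whether the `<span>` is rendered as markup or as literal text now depends on the caller marking it safe, which is not visible in this hunk. `django.utils.html.format_html` states the intent directly and returns SafeText: `return format_html(u'{0}<span class="autocomplete-hl">{1}</span>{2}', field[:match], field[match:match_end], field[match_end:])`, with `format_html` taking the place of `escape` in the import (and the `else` branch becoming `return format_html(u'{0}', field)`). Note also that `escape()` re-escapes input that is already SafeData, so if `field` ever arrives pre-escaped it will be double-escaped; if that can happen, `conditional_escape` is the right primitive. The enclosing method begins before line 22 and the `choice_displayed_text` method on line 37 continues past the end of the hunk, so how `q` and `match` are derived could not be checked here.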
--
libgit2 0.26.0