
Delete the non-functional suggestions widgetry in recurring event creation#1481

Merged: inducer merged 4 commits into main from cal-escape, Apr 21, 2026

Conversation

@inducer (Owner) commented Apr 20, 2026

Not much of an XSS because the source data is under instructor control.

Copilot AI (Contributor) left a review comment

Pull request overview

Fixes unsafe HTML generation in the calendar’s ListTextWidget datalist/options rendering by switching to Django’s HTML formatting helpers, reducing the risk of XSS from unescaped values.

Changes:

  • Use django.utils.html.format_html and format_html_join to build <datalist> and <option> elements with proper escaping.
  • Add HTML formatting utilities import for safe rendering.


Comment threads on course/calendar.py (2, outdated)
@inducer (Owner, Author) commented Apr 20, 2026

@copilot apply changes based on the comments in this thread

Copilot AI (Contributor) commented Apr 20, 2026

> @copilot apply changes based on the comments in this thread

Implemented in 3a909d2. I applied both review items from that thread: removed mark_safe from ListTextWidget.render() in favor of format_html("{}{}", ...), and added a regression test (ListTextWidgetTest) that verifies unsafe option values/labels are escaped in the rendered datalist output. No UI-visible change, so no screenshot is applicable.
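The two comments above describe the shape of the change: `ListTextWidget.render()` built its `<datalist>`/`<option>` markup by string interpolation and then called `mark_safe` on the result, and the fix replaced that with `format_html` / `format_html_join`, plus a regression test asserting that hostile option values and labels come out escaped. The block below is an added example written for this page, not relate's own `ListTextWidget` code (which is not shown here). To run without Django installed, it uses small stand-in `format_html` / `format_html_join` / `SafeString` helpers that are assumed to follow the contract of `django.utils.html` (every argument escaped unless already marked safe); the function names `render_datalist_unsafe`, `render_datalist_safe` and `contains_live_markup` and the `SAMPLE_CHOICES` data are hypothetical and constructed for illustration.

```python
"""Before/after of the datalist rendering pattern described in this PR.

Added example, not project code. The helpers below stand in for
django.utils.html.format_html / format_html_join (assumption: same
contract) so the file runs on a plain Python interpreter.
"""
import html
from typing import Iterable, List, Sequence, Tuple


class SafeString(str):
    """Marker for markup that is already escaped (stand-in for Django's SafeString)."""


def conditional_escape(value: object) -> str:
    """Escape `value` unless it is already marked safe (mirrors Django's helper)."""
    if isinstance(value, SafeString):
        return value
    return html.escape(str(value), quote=True)


def format_html(fmt: str, *args: object, **kwargs: object) -> SafeString:
    """Stand-in for django.utils.html.format_html: every argument is escaped."""
    return SafeString(
        fmt.format(
            *[conditional_escape(a) for a in args],
            **{k: conditional_escape(v) for k, v in kwargs.items()},
        )
    )


def format_html_join(
    sep: str, fmt: str, args_generator: Iterable[Sequence[object]]
) -> SafeString:
    """Stand-in for django.utils.html.format_html_join: one format_html per row."""
    return SafeString(
        conditional_escape(sep).join(format_html(fmt, *args) for args in args_generator)
    )


Choices = List[Tuple[str, str]]

# Constructed sample data (not from the project): one benign suggestion and one
# hostile one whose value closes the attribute and whose label carries markup.
SAMPLE_CHOICES: Choices = [
    ("lecture", "Lecture"),
    ('"><script>alert(1)</script>', "<b>bad</b>"),
]


def render_datalist_unsafe(list_id: str, choices: Choices) -> str:
    """The 'before' shape: raw interpolation, result handed to mark_safe.

    Nothing escapes `value` or `label`, so markup in the choices reaches the
    page verbatim. Kept deliberately unsafe to show the difference.
    """
    options = "".join(
        f'<option value="{value}">{label}</option>' for value, label in choices
    )
    return f'<datalist id="{list_id}">{options}</datalist>'


def render_datalist_safe(list_id: str, choices: Choices) -> SafeString:
    """The 'after' shape: format_html_join escapes each value/label pair, and
    format_html escapes the id while passing the already-safe options through."""
    options = format_html_join(
        "",
        '<option value="{}">{}</option>',
        ((value, label) for value, label in choices),
    )
    return format_html('<datalist id="{}">{}</datalist>', list_id, options)


def contains_live_markup(rendered: str) -> bool:
    """Regression-style check: did the payload survive as real tags?"""
    return "<script>" in rendered or "<b>" in rendered


if __name__ == "__main__":
    print(render_datalist_unsafe("suggest", SAMPLE_CHOICES))
    print(render_datalist_safe("suggest", SAMPLE_CHOICES))
```

The point the regression test in the PR captures is the last function: the safe renderer must turn `"><script>` into `&quot;&gt;&lt;script&gt;` in the attribute and `<b>` into `&lt;b&gt;` in the text node, while a benign choice renders byte-for-byte the same as before. Nesting `format_html_join`'s output inside `format_html` works because the inner result is already a `SafeString`, so it is not double-escaped.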

@inducer inducer changed the title from "Fix missing escaping of calendar data" to "Delete the non-functional suggestions widgetry in recurring event creation" Apr 21, 2026
@inducer inducer enabled auto-merge (squash) April 21, 2026 20:50
@inducer inducer merged commit 7630998 into main Apr 21, 2026
18 checks passed
@inducer inducer deleted the cal-escape branch April 21, 2026 21:08

3 participants