escape filterlist values

Author: furlongm

reports/utils.py

@@ -34,7 +34,9 @@
 from patchman.signals import pbar_start, pbar_update
 from repos.models import Mirror, MirrorPackage, Repository
 from repos.utils import get_or_create_repo
-from util.logging import debug_message, error_message, info_message, warning_message
+from util.logging import (
+    debug_message, error_message, info_message, warning_message,
+)
 
 
 def process_repos(report, host):

util/filterspecs.py

@@ -15,6 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with Patchman. If not, see <http://www.gnu.org/licenses/>
 
+from html import escape
 from operator import itemgetter
 
 from django.db.models.query import QuerySet
@@ -70,7 +71,7 @@ def output(self, qs):
                 style = 'list-group-item-success'
             qs[self.name] = k
             output += f'<a href="{get_query_string(qs)}" class='
-            output += f'"list-group-item {style}">{v}</a>\n'
+            output += f'"list-group-item {style}">{escape(str(v))}</a>\n'
         output += '</div></div></div>'
         return output