authorEvgeny Fadeev <evgeny.fadeev@gmail.com>2012-06-16 03:27:20 -0400
committerEvgeny Fadeev <evgeny.fadeev@gmail.com>2012-06-16 03:27:20 -0400
commit073bedd716fca9c4d08175ec1cc6947c87ad0636 (patch)
tree87032f8324e5b65c9ee79fd2c4edc6c5be28f5bf /askbot/utils/html.py
parent7cafe4b7a02c79f574862f7abbb56c194734fee0 (diff)
added spammy to the test content set and protected code from such input
Diffstat (limited to 'askbot/utils/html.py')
-rw-r--r--askbot/utils/html.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/askbot/utils/html.py b/askbot/utils/html.py
index 1ce3ad35..2e3c1913 100644
--- a/askbot/utils/html.py
+++ b/askbot/utils/html.py
@@ -5,6 +5,7 @@ import re
import htmlentitydefs
from urlparse import urlparse
from django.core.urlresolvers import reverse
+from django.utils.html import escape
class HTMLSanitizerMixin(sanitizer.HTMLSanitizerMixin):
acceptable_elements = ('a', 'abbr', 'acronym', 'address', 'b', 'big',
@@ -62,7 +63,7 @@ def site_link(url_name, title):
from askbot.conf import settings
base_url = urlparse(settings.APP_URL)
url = base_url.scheme + '://' + base_url.netloc + reverse(url_name)
- return '<a href="%s">%s</a>' % (url, title)
+ return '<a href="%s">%s</a>' % (url, escape(title))
def unescape(text):
"""source: http://effbot.org/zone/re-sub.htm#unescape-html
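Review bot: The new return line in site_link escapes `title` but still interpolates `url` into the double-quoted `href` attribute unescaped. The visible lines build `url` from `settings.APP_URL` and `reverse(url_name)`, so it is probably not attacker-controlled, but encoding both values keeps the markup well-formed if either ever contains a quote or ampersand: `return '<a href="%s">%s</a>' % (escape(url), escape(title))`. Because `title` is now always escaped, a caller that passes pre-escaped text would see it double-encoded, so the function deserves a docstring such as `"""Return an absolute <a> link to url_name; title is treated as plain text and HTML-escaped."""`. The `def site_link` line sits outside this hunk, so I cannot see whether a docstring already exists.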