Fixed an issue which left html meta-characters unescaped in release-notes shown under /release/

levkowetz · levkowetz · commit cd9cb4ad29f1 · 2017-02-25T16:37:15.000Z
- Legacy-Id: 12919
diff --git a/ietf/release/views.py b/ietf/release/views.py
@@ -7,8 +7,10 @@
 from django.shortcuts import render
 from django.conf import settings
 from django.http import HttpResponse
+from django.utils.html import escape
 
 import changelog
+import debug                            # pyflakes:ignore
 
 # workaround for thread import lock problem, http://bugs.python.org/issue7980
 import time                             
@@ -18,7 +20,7 @@ def trac_links(text):
     # changeset links
     text = re.sub(r'\[(\d+)\]', r'<a href="https://wiki.tools.ietf.org/tools/ietfdb/changeset/\1">[\1]</a>', text)
     # issue links
-    text = re.sub(r'#(\d+)', r'<a href="https://wiki.tools.ietf.org/tools/ietfdb/ticket/\1">#\1</a>', text)
+    text = re.sub(r'([^&])#(\d+)', r'\1<a href="https://wiki.tools.ietf.org/tools/ietfdb/ticket/\2">#\2</a>', text)
     return text
 
 
@@ -37,7 +39,7 @@ def release(request, version=None):
     entries = dict((entry.version, entry) for entry in log_entries)
     if version == None or version not in entries:
         version = log_entries[0].version
-    entries[version].logentry = trac_links(entries[version].logentry.strip('\n'))
+    entries[version].logentry = trac_links(escape(entries[version].logentry.strip('\n')))
 
     code_coverage_url = None
     code_coverage_time = None
