#7612: Use escape() rather than strip_tags()

Author: jeremystretch

netbox/extras/models/customfields.py

@@ -7,7 +7,7 @@
 from django.core.validators import RegexValidator, ValidationError
 from django.db import models
 from django.urls import reverse
-from django.utils.html import strip_tags
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 
 from extras.choices import *
@@ -288,7 +288,7 @@ def to_form_field(self, set_initial=True, enforce_required=True, for_csv_import=
         field.model = self
         field.label = str(self)
         if self.description:
-            field.help_text = strip_tags(self.description)
+            field.help_text = escape(self.description)
 
         return field
 

netbox/templates/inc/custom_fields_panel.html

@@ -8,7 +8,7 @@ <h5 class="card-header">
                 <table class="table table-hover attr-table">
                     {% for field, value in custom_fields.items %}
                         <tr>
-                            <td><span title="{{ field.description|striptags }}">{{ field }}</span></td>
+                            <td><span title="{{ field.description|escape }}">{{ field }}</span></td>
                             <td>
                                 {% if field.type == 'boolean' and value == True %}
                                     <i class="mdi mdi-check-bold text-success" title="True"></i>