FIX: Correctly escape category description text (PR #8107)

This bug has been introduced in db14e10943aeb87f3a2e06f02ca788986f039077.


You’ve signed the CLA, CvX. Thank you! This pull request is ready for review.

Are we 100% sure that description is safe?

The description here is returned by Category#description_text that has been updated in this PR to escape unsafe characters. The return value is cached there, but that’s a thread-local cache, so there’s no need to worry about stale/unsafe data.

I see, kinda confusing… Would have been better to call that variable “descriptionText”.

Agree. I’m changing that.

This commit removes the automatic html_safe calls regardless of what is being looked up, but the commit seems to focus on description only. Does this mean it’s possible other fields that were previously escaped would no longer be?

It’s actually a duplicate. We’re already calling html_safe in Theme.lookup_field.
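As an added illustration of the pattern the two comments above describe (not Discourse's code; the `Category`, `ThemeLookup`, `SafeString` names and the cache key are assumptions): escape inside `description_text`, cache the escaped result per thread, and call `html_safe` once at the lookup, shown next to the original mistake of marking raw text safe.

```ruby
require "erb"

# Stand-in for Rails' SafeBuffer: a String flagged as already escaped
# (assumption; Rails' html_safe marks strings the same way).
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe; SafeString.new(self); end
end

# Hypothetical Category: the description is user-controlled input and must
# be escaped before anything marks it as safe HTML.
class Category
  attr_reader :id, :description

  def initialize(id, description)
    @id = id
    @description = description
  end

  # Escapes the raw description and caches the result per thread, so the
  # cached value is always escaped text and never shared across threads.
  def description_text
    cache = (Thread.current[:category_description_text] ||= {})
    cache[id] ||= ERB::Util.html_escape(description)
  end
end

# Hypothetical lookup mirroring the thread's point: html_safe is applied in
# a single place, and only to text that has already been escaped.
module ThemeLookup
  def self.lookup_field(category)
    category.description_text.html_safe
  end
end

# The original defect, kept for contrast: marking raw text safe emits it verbatim.
def unsafe_lookup(category)
  category.description.html_safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample description containing markup and quotes.
  cat = Category.new(1, %q{<script>alert(1)</script> "Tom & Jerry"})
  puts ThemeLookup.lookup_field(cat)
  puts unsafe_lookup(cat)
end
```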

ping @davidtaylorhq :slightly_smiling_face:

Looks good to me :grinning:
