# HG changeset patch
# User Marcin Kuzminski
# Date 2020-09-24 11:11:05
# Node ID 779812b23a5aec5888781ae82d83c69bb7c8ade0
# Parent 8b48fea3957efcdfb54b65e3299e130e9132de48
issue-trackers: fix XSS with description field.
diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -1615,7 +1615,7 @@ def _process_url_func(match_obj, repo_na
 # named regex variables
 named_vars.update(match_obj.groupdict())
 _url = string.Template(entry['url']).safe_substitute(**named_vars)
- desc = string.Template(entry['desc']).safe_substitute(**named_vars)
+ desc = string.Template(escape(entry['desc'])).safe_substitute(**named_vars)
 hovercard_url = string.Template(entry.get('hovercard_url', '')).safe_substitute(**named_vars)
 def quote_cleaner(input_str):
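Review bot: The new `desc` line escapes only the template text, not the values substituted into it: `named_vars` is filled from `match_obj.groupdict()` two lines above, so whatever the issue-tracker regex captured from the rendered text is inserted after `escape()` has already run and is not itself escaped. If the capture groups can contain markup characters (the pattern is user-configurable, so this seems possible but cannot be confirmed from the hunk), the escape is bypassed for the substituted part; escaping the values as well, `safe_substitute(**{k: escape(v) for k, v in named_vars.items()})`, closes that gap at the same place. The same unescaped substitution feeds `_url` and `hovercard_url`; whether those are later attribute-quoted is decided outside this hunk. The body of `_process_url_func` continues past the hunk (it also assumes `escape` is the HTML-escaping helper already in scope in helpers.py).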