Correct escaping for HTML display of row links

2025-12-10 16:51:24 +01:00 · 2018-04-15 22:48:30 +01:00 · 2018-04-15 22:48:30 +01:00 · b231d4243d
commit b231d4243d
parent aaf59db570
2 changed files with 15 additions and 9 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -524,10 +524,11 @@ class RowTableShared(BaseView):
                cells.append({
                    'column': 'Link',
                    'value': jinja2.Markup(
-                        '<a href="/{database}/{table}/{flat_pks}">{flat_pks}</a>'.format(
+                        '<a href="/{database}/{table}/{flat_pks_quoted}">{flat_pks}</a>'.format(
                            database=database,
                            table=urllib.parse.quote_plus(table),
-                            flat_pks=path_from_row_pks(row, pks, not pks),
+                            flat_pks=str(jinja2.escape(path_from_row_pks(row, pks, not pks, False))),
+                            flat_pks_quoted=path_from_row_pks(row, pks, not pks)
                        )
                    ),
                })