From 05374eee5286ef1cfb8d85f7576c822cea8983a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Wed, 3 Aug 2022 11:58:21 +0200
Subject: [PATCH] backoffice: escape labels in form admin pages (#67907)

---
 tests/admin_pages/test_form.py | 11 +++++++++--
 wcs/admin/forms.py | 4 ++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/tests/admin_pages/test_form.py b/tests/admin_pages/test_form.py
index 50d6e99f0..7dce77de7 100644
--- a/tests/admin_pages/test_form.py
+++ b/tests/admin_pages/test_form.py
@@ -848,11 +848,18 @@ def test_form_workflow_role(pub):
     assert FormDef.get(1).workflow_roles == {'_receiver': '1'}
 
     # check it doesn't fail if a second role with the same name exists
-    role = pub.role_class(name='foobar')
-    role.store()
+    role2 = pub.role_class(name='foobar')
+    role2.store()
     resp = app.get('/backoffice/forms/1/')
     resp = resp.click(href='role/_receiver')
 
+    # check HTML is escaped
+    role.name = 'foobar'
+    role.store()
+    resp = app.get('/backoffice/forms/1/')
+    assert 'foobar' not in resp.text
+    assert 'foo<strong>bar</strong>' in resp.text
+
 
 def test_form_workflow_options(pub):
     create_superuser(pub)
diff --git a/wcs/admin/forms.py b/wcs/admin/forms.py
index 9cb91aaef..4dbf9ca34 100644
--- a/wcs/admin/forms.py
+++ b/wcs/admin/forms.py
@@ -21,7 +21,7 @@ from collections import defaultdict
 
 from quixote import get_publisher, get_request, get_response, get_session, redirect
 from quixote.directory import AccessControlled, Directory
-from quixote.html import TemplateIO, htmltext
+from quixote.html import TemplateIO, htmlescape, htmltext
 
 from wcs.backoffice.snapshots import SnapshotsDirectory
 from wcs.carddef import CardDef
@@ -672,7 +672,7 @@ class FormDefPage(Directory):
                 'popup': 'popup' if popup else '',
                 'link': link,
                 'label': label,
-                'current_value': current_value,
+                'current_value': htmlescape(current_value),
             }
         )
 
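Review bot: The new assertions at the end of the test hunk contradict the set-up two lines above them: `role.name = 'foobar'` followed by `assert 'foobar' not in resp.text` cannot pass, and `role2` created earlier in the same hunk also carries the name 'foobar' and is shown on the same page. The second assertion then expects raw `<strong>` tags in the response, which is the opposite of what an escaping regression test should look for. This reads as if the markup inside the string literals was lost when the patch was rendered, so the committed file may well differ from what is visible here. If so, the test should give the role a name that contains tags and check that only the entity-escaped form is present, e.g. `assert '&lt;strong&gt;' in resp.text` and `assert '<strong>' not in resp.text`; please confirm against the repository. The `role` object reassigned here comes from earlier in `test_form_workflow_role`, which starts outside the hunk.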
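Review bot: In the `wcs/admin/forms.py` hunk at line 672, escaping is applied to `current_value` only, while `label` and `link` in the same dict are still passed through unchanged; if `label` can ever be built from user-editable data it has the same injection path this commit closes for `current_value`, and that cannot be judged from the visible lines. Escaping at the point the dict is assembled rather than where the value is interpolated is easy to miss for the next key added to this dict, so a short why-comment on the new line would help, such as `# current_value may be user-editable text (e.g. a role name); escape it before it is interpolated into the page`. Consider a quick check of where `label` and `link` originate before merging. The enclosing method of `FormDefPage` starts and ends outside the hunk.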