From 195ea53eaaf360c19227c864cc0fe58910032c3c Mon Sep 17 00:00:00 2001
From: Alexander Todorov <atodorov@otb.bg>
Date: Fri, 30 Jun 2023 15:30:05 +0300
Subject: [PATCH] Sanitize test plan name in tree_view_html()

---
 tcms/testplans/models.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tcms/testplans/models.py b/tcms/testplans/models.py
index 67ffc3e1f7..ef8f25cc1d 100644
--- a/tcms/testplans/models.py
+++ b/tcms/testplans/models.py
@@ -9,6 +9,7 @@
 
 from tcms.core.history import KiwiHistoricalRecords
 from tcms.core.models.base import UrlMixin
+from tcms.core.templatetags.extra_filters import bleach_input
 from tcms.management.models import Version
 from tcms.testcases.models import TestCasePlan
 
@@ -213,6 +214,7 @@ def tree_view_html(self):
             if test_plan.pk == self.pk:
                 active_class = "active"
 
+            plan_name = bleach_input(test_plan.name)
             result += f"""
                 <!-- begin-node -->
                 <div class="list-group-item {active_class}" style="border: none">
@@ -228,7 +230,7 @@ def tree_view_html(self):
                                 <div class="list-view-pf-description">
                                     <div class="list-group-item-text">
                                         <a href="{test_plan.get_absolute_url()}">
-                                            TP-{test_plan.pk}: {test_plan.name}
+                                            TP-{test_plan.pk}: {plan_name}
                                         </a>
                                     </div>
                                 </div>