From 4db765db24a725294faaaca40ef1b97057c9e7cc Mon Sep 17 00:00:00 2001
From: Tanner Prestegard <tanner.prestegard@ligo.org>
Date: Thu, 19 Jan 2017 12:16:24 -0600
Subject: [PATCH] adding HTML escapes

---
 userprofile/forms.py | 13 +++++++++----
 userprofile/views.py |  5 ++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/userprofile/forms.py b/userprofile/forms.py
index dcde06173..ffd13f429 100644
--- a/userprofile/forms.py
+++ b/userprofile/forms.py
@@ -1,6 +1,7 @@
 from django import forms
 from django.utils.safestring import mark_safe
 from django.utils.encoding import force_text
+from django.utils.html import conditional_escape
 from django.forms.utils import ErrorList
 
 from .models import Trigger, Contact
@@ -57,9 +58,11 @@ def process_errors(err):
     out_errs = []
     if isinstance(err,ErrorList):
         for e in err:
-            out_errs.append('<p class="error">{0}</p>'.format(e))
+            out_errs.append('<p class="error">{0}</p>' \
+                .format(conditional_escape(e)))
     elif isinstance(err,str):
-        out_errs.append('<p class="error">{0}</p>'.format(err))
+        out_errs.append('<p class="error">{0}</p>' \
+                .format(conditional_escape(err)))
     else:
         out_errs.append(force_text(err))
 
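Review bot: The `else` branch at the end of the hunk still appends `force_text(err)` without escaping, so an error that is neither an `ErrorList` nor a `str` reaches the output unescaped while the two branches above it are now escaped. Under Python 2, which the `force_text` import suggests, a `unicode` message also fails the `isinstance(err, str)` check and takes that branch; since this function builds `<p>` markup, its result is presumably marked safe by the caller, which would make that branch the remaining injection path. Escaping it as well closes the gap: `out_errs.append(conditional_escape(force_text(err)))`. The backslash continuations before `.format` would read more cleanly as a parenthesised expression, matching the tuple-wrapped literals in views.py. process_errors begins before the hunk and its return lies after it.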
@@ -68,8 +71,10 @@ def process_errors(err):
 class ContactForm(forms.ModelForm):
     # Adjust labels.
     desc = forms.CharField(label='Description')
-    call_phone = forms.BooleanField(label='Call', initial=False, required=False)
-    text_phone = forms.BooleanField(label='Text', initial=False, required=False)
+    call_phone = forms.BooleanField(label='Call', initial=False,
+                                    required=False)
+    text_phone = forms.BooleanField(label='Text', initial=False,
+                                    required=False)
 
     class Meta:
         model = Contact
diff --git a/userprofile/views.py b/userprofile/views.py
index 80f80d28c..8ebaf766a 100644
--- a/userprofile/views.py
+++ b/userprofile/views.py
@@ -144,10 +144,9 @@ def createContact(request):
     # Explanatory HTML block.
     expl = ['<div style="padding: 10px;">',
             '<h4>Instructions:</h4>',
-            '<ul><li>Description is required.</li>',
+            '<ul><li>A description of your contact is required.</li>',
             '<li>Choose a contact method (e-mail, phone, or both).</li>',
-            ('<li>For phone alerts, mark call, text, or both, depending on how'
-             ' you want to receive the alerts.</li>'),
+            ('<li>For phone alerts, choose call, text, or both.</li>'),
             '</ul></div>'
            ]
     expl = mark_safe("\n".join(expl))
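Review bot: The `mark_safe` on the last line is only safe because every element of `expl` is a string literal, and nothing in the hunk records that invariant; a later edit that formats a request or user value into one of these items would turn it into an XSS sink. A one-line comment above the list, `# Static literals only: never interpolate request/user data here, the result is marked safe below.`, would make the contract explicit. The rest of createContact lies outside the hunk.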
-- 
GitLab