HTML escaping hotfix part 2 - always escape target

AppraiseDev · Aug 9, 2024 · 869669e · 869669e
1 parent 163adf5
commit 869669e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/EvalView/templates/EvalView/direct-assessment-document-mqm-esa.html b/EvalView/templates/EvalView/direct-assessment-document-mqm-esa.html
@@ -77,11 +77,12 @@
         <div class="source-box">
             <div class="tutorial-text"></div>
             <div class="source-text">
+                <!-- TODO: this means that HTML can be injected, incorrect! -->
                 {{ item.sourceText|safe }}
             </div>
 
             <div class="target-text">
-                {{item.targetText|safe}}
+                {{item.targetText}}
             </div>
         </div>