From 39525a1cd0961202eadbfc43e9e3525882d47979 Mon Sep 17 00:00:00 2001
From: Lars Eggert <lars@eggert.org>
Date: Thu, 12 May 2022 20:17:48 +0300
Subject: [PATCH] fix: escape the ballot comments (#3952)

I wonder if other fields that have class `pasted` would need to be escaped, too?
---
 ietf/templates/doc/document_ballot_content.html | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ietf/templates/doc/document_ballot_content.html b/ietf/templates/doc/document_ballot_content.html
index 54f73d8d4..6f0a7685f 100644
--- a/ietf/templates/doc/document_ballot_content.html
+++ b/ietf/templates/doc/document_ballot_content.html
@@ -122,7 +122,7 @@
                                 </div>
                             </div>
                             <div class="card-body">
-                                <pre class="ballot pasted">{{ p.discuss|urlize_ietf_docs|linkify }}</pre>
+                                <pre class="ballot pasted">{{ p.discuss|escape|urlize_ietf_docs|linkify }}</pre>
                             </div>
                         </div>
                     {% endif %}
@@ -148,7 +148,7 @@
                                 </div>
                             </div>
                             <div class="card-body">
-                                <pre class="ballot pasted">{{ p.comment|urlize_ietf_docs|linkify }}</pre>
+                                <pre class="ballot pasted">{{ p.comment|escape|urlize_ietf_docs|linkify }}</pre>
                             </div>
                         </div>
                     {% endif %}
@@ -199,11 +199,11 @@
                         </div>
                         {% if p.pos.blocking and p.discuss %}
                             <div class="card-body">
-                                <pre class="ballot pasted">{{ p.discuss|urlize_ietf_docs|linkify }}</pre>
+                                <pre class="ballot pasted">{{ p.discuss|escape|urlize_ietf_docs|linkify }}</pre>
                             </div>
                         {% else %}
                             <div class="card-body">
-                                <pre class="ballot pasted">{{ p.comment|urlize_ietf_docs|linkify }}</pre>
+                                <pre class="ballot pasted">{{ p.comment|escape|urlize_ietf_docs|linkify }}</pre>
                             </div>
                         {% endif %}
                     </div>