fix(views): escape error message in ajax view

58e30e48 · Elouan Martinet · 7e82621d658a · 1790ec0a
Commit 58e30e48 authored May 04, 2021 by Elouan Martinet
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

cubicweb/web/views/ajaxcontroller.py cubicweb/web/views/ajaxcontroller.py +2 -1

No files found.
--- a/cubicweb/web/views/ajaxcontroller.py
+++ b/cubicweb/web/views/ajaxcontroller.py
@@ -66,6 +66,7 @@ from functools import partial
 from datetime import datetime

 from logilab.common.registry import yes
+from logilab.mtconverter import xml_escape

 from cubicweb import ObjectNotFound, NoSelectableObject, ValidationError
 from cubicweb.appobject import AppObject
@@ -116,7 +117,7 @@ class AjaxController(Controller):
        try:
            func = self._cw.vreg['ajax-func'].select(fname, self._cw)
        except ObjectNotFound:
-            raise RemoteCallFailed('no %s method' % fname,
+            raise RemoteCallFailed('no %s method' % xml_escape(fname),
                                   status=http_client.BAD_REQUEST)
        debug_mode = self._cw.vreg.config.debugmode
        # no <arg> attribute means the callback takes no argument