Custom fields description allows arbitrary HTML tags

[tombe75]

NetBox version

v3.0.8

Python version

3.8

Steps to Reproduce

1. Add new Custom Field
2. Set description with a HTML tag, e.g. A<h1>B</h1>C
3. Assign to arbitrary model, e.g. circuit.
4. Create a new object of selected model, circuit in this case.
5. Check Custom Fields section when editing new object.

Expected Behavior

Since custom field creation is moved from admin page and could be available to normal users, I expect it to be sanitized from pure HTML.
(If some customization is needed this could be replaced with Markdown)

Observed Behavior

HTML tags gets evaluated.

[kkthxbye-code]

@jeremystretch - I think this solution is incomplete. Instead of strip_tags you should use the escape function from django.utils.html

Otherwise you can still mess up the HTML on the page with something like this:

"><iframe src=httpbin.org

As a sidenote, in cases like these where the fix is not part of a release yet, do you want a new issue, or a comment in the existing issue like this?

[jeremystretch]

As a sidenote, in cases like these where the fix is not part of a release yet, do you want a new issue, or a comment in the existing issue like this?

A follow-up comment is usually fine provided it's a minor adjustment and the change hasn't made it into a release yet. Thanks!