Escape quotes in jinja variables rendered to JS strings

manisandro · manisandro · commit 7c52e1c63075 · 2025-04-28T19:17:07.000+02:00
diff --git a/src/templates/users/index.html b/src/templates/users/index.html
@@ -16,8 +16,8 @@
 
 {% block resource_actions %}
 <a href="#" class="btn btn-primary" onclick="
-if (confirm('{{ i18n('interface.users.confirm_sendmail', [resource.email]) }}')) {
-location.href = '{{ url_for('sendmail_%s' % endpoint_suffix, id=resource[pkey]) }}';
+if (confirm('{{ i18n('interface.users.confirm_sendmail', [resource.email]).replace("'", "\\'") }}')) {
+location.href = '{{ url_for('sendmail_%s' % endpoint_suffix, id=resource[pkey]).replace("'", "\\'") }}';
 }
 " role="button">
   {{ utils.render_icon('envelope') }} {{ i18n('interface.users.sendmail') }}
