use format_html() to build strings returned by custom template tags so that the output is not html escaped

closes #835 svn path=/branches/tk705/; revision=6451
author: Michael Elkins <melkins@tislabs.com> 2016-07-20 04:41:01 +0000
committer: Michael Elkins <melkins@tislabs.com> 2016-07-20 04:41:01 +0000
commit: 2c5d204996586b6d31b91f1201426d7795442b08 (patch)
tree: 90fb4ba4f6ee228d0074cb0628bdb70f0030a3ca /rpki/gui/app
parent: a7c59c31321cdc5297572e504e8ccfab742c7e1f (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/rpki/gui/app/templatetags/app_extras.py b/rpki/gui/app/templatetags/app_extras.py
index 2a7e2fbe..c1ab0da5 100644
--- a/rpki/gui/app/templatetags/app_extras.py
+++ b/rpki/gui/app/templatetags/app_extras.py
@@ -1,5 +1,6 @@
 from django import template
 from rpki.gui.app.models import Conf
+from django.utils.html import format_html
 
 register = template.Library()
 
@@ -23,7 +24,7 @@ css = {
 
 @register.simple_tag
 def validity_label(validity):
-    return '<span class="label %s">%s</span>' % (css.get(validity, ''), validity)
+    return format_html('<span class="label {}">{}</span>', css.get(validity, ''), validity)
 
 
 @register.simple_tag
@@ -54,7 +55,7 @@ def alert_count(conf):
         css_class = css.get(severity)
     else:
         css_class = 'badge-default'
-    return u'<span class="badge %s">%d</span>' % (css_class, unread)
+    return format_html('<span class="badge {}">{}</span>', css_class, unread)
 
 
 @register.simple_tag
author	Michael Elkins <melkins@tislabs.com>	2016-07-20 04:41:01 +0000
committer	Michael Elkins <melkins@tislabs.com>	2016-07-20 04:41:01 +0000
commit	2c5d204996586b6d31b91f1201426d7795442b08 (patch)
tree	90fb4ba4f6ee228d0074cb0628bdb70f0030a3ca /rpki/gui/app
parent	a7c59c31321cdc5297572e504e8ccfab742c7e1f (diff)