From 093cead83884ee4fbf3967f1f9f8e0b08931e4ad Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Tue, 18 Feb 2025 17:23:50 -0600
Subject: Escape user input used in flashed messages.

---
 uploader/species/views.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'uploader/species')

diff --git a/uploader/species/views.py b/uploader/species/views.py
index f0798d6..9ad5254 100644
--- a/uploader/species/views.py
+++ b/uploader/species/views.py
@@ -117,8 +117,9 @@ def create_species():
 species = save_species(
 conn, common_name, scientific_name, family, taxon_id)
 flash(
- f"You have successfully added species '{species['scientific_name']} "
- f"({species['common_name']})'.",
+ f"You have successfully added species "
+ f"'{escape(species['scientific_name'])} "
+ f"({escape(species['common_name'])})'.",
 "alert-success")
 return_to = request.form.get("return_to").strip()
-- 
cgit v1.2.3
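Review bot: Interpolating `escape(...)` into an f-string on the three added lines turns the `Markup` result back into a plain `str`, so if the template renders flashed messages with autoescaping on (`{{ message }}`) the names are escaped twice and an `&` in a species name shows up as `&amp;`; the change is only correct where the template marks messages `|safe` or wraps them in `Markup`, which this hunk does not show. Building the whole message as one `Markup` value renders correctly under either template style, e.g. `Markup("You have successfully added species '{} ({})'.").format(species['scientific_name'], species['common_name'])`, since `Markup.format` escapes its arguments itself; the `escape` import is not visible here, so confirm it is the markupsafe/flask one. On the unchanged context line `return_to = request.form.get("return_to").strip()` a form without `return_to` raises `AttributeError` on `None`; `request.form.get("return_to", "").strip()` avoids that, and if `return_to` feeds a redirect it should be validated as a local path rather than trusted as submitted. `create_species` begins and ends outside this hunk.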