From 6604e333cc93883541e5b6caf11a6d00c61e8195 Mon Sep 17 00:00:00 2001
From: t-ragilalbadrun <t-ragil.albadrun@traveloka.com>
Date: Thu, 1 Aug 2019 18:47:29 +0700
Subject: [PATCH] Escape change name

---
 backend/app/views/main.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/app/views/main.py b/backend/app/views/main.py
index bdb7cb2..9d27fcf 100644
--- a/backend/app/views/main.py
+++ b/backend/app/views/main.py
@@ -1,3 +1,4 @@
+import html
 from flask import (
     Blueprint,
     current_app as app,
@@ -84,7 +85,7 @@ def delete_user_schedule(user_id, user_schedule_id):
 def rename_user_schedule(user_id, user_schedule_id):
     data = request.json
     user_schedule = UserSchedule.objects(id=user_schedule_id).first()
-    user_schedule.name = data["name"]
+    user_schedule.name = html.escape(data["name"])
     user_schedule.save()
     return (jsonify({
         'user_schedule': user_schedule.serialize()
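Review bot: Escaping at write time in `rename_user_schedule` stores the HTML-encoded form of the name, so the protection covers only values that pass through this handler; any other code path that sets `UserSchedule.name` needs the same call, and a client that already escapes on render will display entities such as `&amp;` literally. Prefer storing the validated raw string and escaping where the name is rendered, or keep the encoding in one place on the model. `html.escape(data["name"])` also raises on a missing key or a non-string JSON value, so reading it as `name = (data or {}).get("name")` and returning a 400 when `not isinstance(name, str)` would turn that into a client error instead of a 500. Separately, the lookup `UserSchedule.objects(id=user_schedule_id).first()` does not use `user_id` and its result is not checked for `None` in the visible lines; unless a decorator outside the hunk enforces ownership, the query should be restricted to the owner and return 404 when nothing matches. The function's decorators and the end of its return statement lie outside the hunk.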
-- 
GitLab