protect against xss atack

ckanext/dataset_reference/controllers/link_reference.py

@@ -1,8 +1,9 @@
 # encoding: utf-8
 
-from flask import redirect, request, render_template
+from flask import redirect, request, render_template, Markup, escape
 from sqlalchemy.sql.expression import false, true
 from sqlalchemy.sql.operators import all_op
+from yaml import Mark
 import ckan.lib.helpers as h
 import ckan.plugins.toolkit as toolkit
 from ckanext.dataset_reference.models.package_reference_link import PackageReferenceLink
@@ -89,6 +90,8 @@ def get_publication(name):
             return_rows += Helper.create_table_row(meta_data, source.id, Helper.check_access_edit_package(package['id']))
 
         if return_rows != "":
+            return_rows = return_rows.replace("<script>", "")
+            return_rows = return_rows.replace("</script>", "")
             return return_rows
 
         return '0'

ckanext/dataset_reference/libs/helper.py

@@ -11,6 +11,7 @@
 from ckanext.dataset_reference.libs.citation_formatter import CitationFromatter
 from datetime import datetime as _time
 from bibtexparser.bparser import BibTexParser
+from flask import Markup
 
 
 Base_doi_api_url = "http://dx.doi.org/"
@@ -444,7 +445,7 @@ def get_month_list():
     '''
     def create_table_row(meta_data, object_id, is_auth_to_delete):
         row = '<tr>'
-        row = row +  '<td>' +  meta_data['cite'] + '</td>'   
+        row = row +  '<td>' + Markup.striptags(meta_data['cite']) + '</td>'   
         if meta_data['link'] and meta_data['link'] != '':      
             row = row +  '<td><a href="' +  meta_data['link'] + '" target="_blank">Link</a></td>'
         else: