Escape admin history delta changes

ddabble · ddabble · commit f4cfa343a762 · 2024-02-19T00:07:03.000+01:00
diff --git a/simple_history/admin.py b/simple_history/admin.py
@@ -12,7 +12,7 @@
 from django.template.defaultfilters import truncatechars
 from django.urls import re_path, reverse
 from django.utils.encoding import force_str
-from django.utils.html import mark_safe
+from django.utils.html import mark_safe, conditional_escape
 from django.utils.text import capfirst
 from django.utils.translation import gettext as _
 
@@ -126,10 +126,12 @@ def format_history_delta_change(self, change: ModelChange) -> dict:
         the object history page.
         """
         field_meta = self.model._meta.get_field(change.field)
+        old = conditional_escape(change.old)
+        new = conditional_escape(change.new)
         return {
             "field": capfirst(field_meta.verbose_name),
-            "old": truncatechars(change.old, self.max_displayed_history_change_chars),
-            "new": truncatechars(change.new, self.max_displayed_history_change_chars),
+            "old": truncatechars(old, self.max_displayed_history_change_chars),
+            "new": truncatechars(new, self.max_displayed_history_change_chars),
         }
 
     def response_change(self, request, obj):
