
Added HTML Sanitization to the custom fields

Osamu-kj 3 лет назад
Родитель
Сommit
f874e9932d
1 измененных файлов с 7 добавлено и 6 удалено
  1. 7 6
      netbox/netbox/tables/columns.py

+ 7 - 6
netbox/netbox/tables/columns.py

@@ -1,4 +1,5 @@
 from dataclasses import dataclass
+from glob import escape
 from typing import Optional
 
 import django_tables2 as tables
@@ -433,21 +434,21 @@ class CustomFieldColumn(tables.Column):
 
     def render(self, value):
         if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is True:
-            return mark_safe('<i class="mdi mdi-check-bold text-success"></i>')
+            return escape('<i class="mdi mdi-check-bold text-success"></i>')
         if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is False:
-            return mark_safe('<i class="mdi mdi-close-thick text-danger"></i>')
+            return escape('<i class="mdi mdi-close-thick text-danger"></i>')
         if self.customfield.type == CustomFieldTypeChoices.TYPE_URL:
-            return mark_safe(f'<a href="{value}">{value}</a>')
+            return escape(f'<a href="{value}">{value}</a>')
         if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTISELECT:
             return ', '.join(v for v in value)
         if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTIOBJECT:
-            return mark_safe(', '.join([
+            return escape(', '.join([
                 self._likify_item(obj) for obj in self.customfield.deserialize(value)
             ]))
         if value is not None:
             obj = self.customfield.deserialize(value)
-            return mark_safe(self._likify_item(obj))
-        return self.default
+            return escape(self._likify_item(obj))
+        return escape(self.default)
 
     def value(self, value):
         if isinstance(value, list):
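Review bot: The `escape` used on the new side of this hunk is `glob.escape` (see the import hunk at the top of the file), which escapes shell-glob metacharacters such as `*` and `[`, not HTML, so the `TYPE_URL` branch still interpolates the raw `value` into `href` and the link text, while the other branches now return their constant markup as literal text instead of icons and links. Only the URL branch interpolates untrusted data, so keep `mark_safe` on the constant strings and on the `_likify_item` results (assuming that helper already produces escaped markup; it is outside the hunk) and change the URL line to `return format_html('<a href="{}">{}</a>', value, value)` with `from django.utils.html import format_html`, which escapes just the substituted value. Escaping makes the value safe as attribute and text content but does not validate the scheme, so the custom field's own URL input validation remains the control against non-http hrefs. The new `return escape(self.default)` will also raise `TypeError` if `default` can be `None`, since `glob.escape` expects a path string.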