From bcbd7927b3995e8b6c25c97fa9443b98d71e5a22 Mon Sep 17 00:00:00 2001
From: David Kennedy
Date: Fri, 19 Jan 2024 14:59:52 -0500
Subject: [PATCH] more linting to account for mark_safe html

---
 src/registrar/admin.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/registrar/admin.py b/src/registrar/admin.py
index 57836ca9f..033d13c2d 100644
--- a/src/registrar/admin.py
+++ b/src/registrar/admin.py
@@ -21,6 +21,7 @@ from auditlog.models import LogEntry # type: ignore
 from auditlog.admin import LogEntryAdmin # type: ignore
 from django_fsm import TransitionNotAllowed # type: ignore
 from django.utils.safestring import mark_safe
+from django.utils.html import escape
 
 logger = logging.getLogger(__name__)
 
@@ -490,8 +491,11 @@ class ContactAdmin(ListHeaderAdmin):
 if related_objects:
 for url, obj in related_objects:
- message = f"Joined to {obj.__class__.__name__}: {obj}"
- message_html = mark_safe(message)
+ escaped_obj = escape(obj)
+ message = f"Joined to {obj.__class__.__name__}: {escaped_obj}"
+ # message_html is considered safe html. It is generated from a finite list of strings
+ # which are generated from django objects. And a django object, which is escaped
+ message_html = mark_safe(message) # nosec
 messages.warning(
 request,
 message_html,
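Review bot: The new import line brings in `escape` only so that the second hunk can pre-escape `obj` and then wrap the whole f-string in `mark_safe(...)  # nosec`; `django.utils.html.format_html` from the same module does the escaping and returns a SafeString in one step, so `from django.utils.html import format_html` here and `message_html = format_html("Joined to {}: {}", obj.__class__.__name__, obj)` in the later hunk would remove both the `mark_safe` call and the `# nosec` suppression. That keeps the escaping contract enforced by the API rather than by the two-line comment, and the linter stays active instead of being silenced on that line. The second hunk runs past the end of the visible patch, so I cannot see what follows the `message_html,` argument to `messages.warning`.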