1 Description: CVE-2013-6858: Fix bug by escaping strings from Nova before displaying them
2 Author: Rob Raymond <rob.raymond@hp.com>
3 Origin: https://review.openstack.org/#/c/58465/
4 Date: Mon, 4 Nov 2013 19:12:40 +0000 (-0700)
5 X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=6179f70290783e55b10bbd4b3b7ee74db3f8ef70
6 Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1247675
7 Bug-Debian: Bug-Debian: http://bugs.debian.org/730752
8
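diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
index 17008f5..e5a3c69 100644
--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
@@ -15,6 +15,7 @@
 #    under the License.
 
 from django.core.urlresolvers import reverse  # noqa
+from django.utils import html
 from django.utils.http import urlencode  # noqa
 from django.utils import safestring
 from django.utils.translation import ugettext_lazy as _  # noqa
@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
         volume = snapshot._volume
         if volume:
             volume_name = volume.display_name or volume.id
+            volume_name = html.escape(volume_name)
         else:
             volume_name = _("Unknown")
         return safestring.mark_safe(volume_name)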
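Review bot: The added `html.escape(volume_name)` in SnapshotVolumeNameColumn has no comment saying why it must stay, and the `safestring.mark_safe` on the next line disables template autoescaping for the whole value, so a later edit that drops or moves the escape would silently reopen the injection this commit closes. I would add `# volume_name is service-supplied; escape it before mark_safe disables autoescaping` directly above the new line. The `_("Unknown")` branch is a translation string and needs no escaping, which is worth noting there as well. The enclosing method's def line is outside this hunk.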
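diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
index c84bf00..f993f18 100644
--- a/openstack_dashboard/dashboards/project/volumes/tables.py
+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
@@ -17,7 +17,7 @@
 from django.core.urlresolvers import NoReverseMatch  # noqa
 from django.core.urlresolvers import reverse  # noqa
 from django.template.defaultfilters import title  # noqa
-from django.utils.html import strip_tags  # noqa
+from django.utils import html
 from django.utils import safestring
 from django.utils.translation import string_concat  # noqa
 from django.utils.translation import ugettext_lazy as _  # noqa
@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
                                          "attachment information."))
     try:
         url = reverse("horizon:project:instances:detail", args=(server_id,))
-        instance = '<a href="%s">%s</a>' % (url, name)
+        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
     except NoReverseMatch:
         instance = name
     return instance
@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
             # without the server name...
             instance = get_attachment_name(request, attachment)
             vals = {"instance": instance,
-                    "dev": attachment["device"]}
+                    "dev": html.escape(attachment["device"])}
             attachments.append(link % vals)
         return safestring.mark_safe(", ".join(attachments))
 
@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
     def get_object_display(self, attachment):
         instance_name = get_attachment_name(self.request, attachment)
         vals = {"dev": attachment['device'],
-                "instance_name": html.escape(instance_name)}
+                "instance_name": html.escape(instance_name)}
         return _("%(dev)s on instance %(instance_name)s") % vals
 
     def get_object_by_id(self, obj_id):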
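Review bot: Swapping `strip_tags` for `html.escape` in AttachmentsTable.get_object_display changes what the user sees rather than hardening it: get_attachment_name now returns the name already escaped and wrapped in an `<a>` tag, so escaping that string a second time renders the anchor markup literally and double-escapes characters such as `&`. As far as the hunk shows, this value feeds a plain translated message rather than mark_safe, so stripping the tag is still the right operation and the line should read `"instance_name": html.strip_tags(instance_name)}`. Separately, in the @@ -125 hunk the `except NoReverseMatch` fallback still assigns the raw name while AttachmentColumn passes the result into mark_safe, so that branch should become `instance = html.escape(name)` for consistency with the try path. get_object_display is complete inside its hunk, but get_attachment_name and the AttachmentColumn method start outside theirs.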