* New upstream release (packaging 15th commit since 2015.1.0: e63af6c598):
- CVE-2015-3219: Fixes XSS in Horizon Heat stack creation (Closes: #788306)
* Fixed double entry in openstack-dashboard.triggers.
+ * Dropped patch applied upstream:
+ - Persistent_XSS_in_Horizon_metadata_dashboard.patch
-- Thomas Goirand <zigo@debian.org> Mon, 08 Jun 2015 16:26:13 +0200
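Review bot: The added "Dropped patch applied upstream" entry names Persistent_XSS_in_Horizon_metadata_dashboard.patch but not the upstream change that replaces it, so the changelog alone does not show that snapshot e63af6c598 carries the fix. Since the dropped patch is a security fix, consider citing its upstream reference (the Change-Id or review URL from the patch header) in this entry. Also confirm that the same upload removes the patch from debian/patches/series, which this diff does not show.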
+++ /dev/null
-Description: Sanitation of metadata passed from Django
- We need to escape HTML in metadata passed from Django, which can lead to
- security issues. Refer to the bug for more details.
-From: Thai Tran <tqtran@us.ibm.com>
-Date: Fri, 1 May 2015 17:25:29 +0000 (-0700)
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=a0101fe34abcb95012d215d4ba8f908632ba9876
-Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com>
-Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
-Bug-Ubuntu: https://bugs.launchpad.net/horizon/+bug/1449260
-Bug-Debian: https://bugs.debian.org/786741
-Origin: https://review.openstack.org/#/c/183656/
-
-diff --git a/horizon/templates/horizon/common/_modal_form_update_metadata.html b/horizon/templates/horizon/common/_modal_form_update_metadata.html
-index 1c8e1c9..1123247 100644
---- a/horizon/templates/horizon/common/_modal_form_update_metadata.html
-+++ b/horizon/templates/horizon/common/_modal_form_update_metadata.html
-@@ -11,8 +11,8 @@
- existing="existing"
- model="tree"></hz-metadata-tree>
- <script type="text/javascript">
-- var existing_metadata = {{ existing_metadata|safe }};
-- var available_metadata = {{ available_metadata|safe }};
-+ var existing_metadata = JSON.parse('{{ existing_metadata|escapejs }}');
-+ var available_metadata = JSON.parse('{{ available_metadata|escapejs }}');
- </script>
- {% endblock %}
-
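Review bot: Deleting this file removes the packaging's own copy of the `|safe` to `escapejs` change in _modal_form_update_metadata.html, so the drop is only correct if the new upstream tree already contains it. Before upload, check that the template in the new snapshot reads `JSON.parse('{{ existing_metadata|escapejs }}')` with the matching `available_metadata` line, and that neither variable is still rendered with `|safe`. Bug-Debian 786741 from the patch header should remain fixed after this upload.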