+++ /dev/null
-Description: CVE-2013-6858: Fix bug by escaping strings from Nova before displaying them
-Author: Rob Raymond <rob.raymond@hp.com>
-Origin: https://review.openstack.org/#/c/58465/
-Date: Mon, 4 Nov 2013 19:12:40 +0000 (-0700)
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=6179f70290783e55b10bbd4b3b7ee74db3f8ef70
-Bug-Ubuntu: Bug-Ubuntu: https://launchpad.net/bugs/1247675
-Bug-Debian: Bug-Debian: http://bugs.debian.org/730752
-
-diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
-index 17008f5..e5a3c69 100644
---- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
-+++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
-@@ -15,6 +15,7 @@
- # under the License.
-
- from django.core.urlresolvers import reverse # noqa
-+from django.utils import html
- from django.utils.http import urlencode # noqa
- from django.utils import safestring
- from django.utils.translation import ugettext_lazy as _ # noqa
-@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
- volume = snapshot._volume
- if volume:
- volume_name = volume.display_name or volume.id
-+ volume_name = html.escape(volume_name)
- else:
- volume_name = _("Unknown")
- return safestring.mark_safe(volume_name)
-diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
-index c84bf00..f993f18 100644
---- a/openstack_dashboard/dashboards/project/volumes/tables.py
-+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
-@@ -17,7 +17,7 @@
- from django.core.urlresolvers import NoReverseMatch # noqa
- from django.core.urlresolvers import reverse # noqa
- from django.template.defaultfilters import title # noqa
--from django.utils.html import strip_tags # noqa
-+from django.utils import html
- from django.utils import safestring
- from django.utils.translation import string_concat # noqa
- from django.utils.translation import ugettext_lazy as _ # noqa
-@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
- "attachment information."))
- try:
- url = reverse("horizon:project:instances:detail", args=(server_id,))
-- instance = '<a href="%s">%s</a>' % (url, name)
-+ instance = '<a href="%s">%s</a>' % (url, html.escape(name))
- except NoReverseMatch:
- instance = name
- return instance
-@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
- # without the server name...
- instance = get_attachment_name(request, attachment)
- vals = {"instance": instance,
-- "dev": attachment["device"]}
-+ "dev": html.escape(attachment["device"])}
- attachments.append(link % vals)
- return safestring.mark_safe(", ".join(attachments))
-
-@@ -249,7 +249,7 @@ class AttachmentsTable(tables.DataTable):
- def get_object_display(self, attachment):
- instance_name = get_attachment_name(self.request, attachment)
- vals = {"dev": attachment['device'],
-- "instance_name": strip_tags(instance_name)}
-+ "instance_name": html.escape(instance_name)}
- return _("%(dev)s on instance %(instance_name)s") % vals
-
- def get_object_by_id(self, obj_id):
Code Review / openstack-build / horizon-build.git / commitdiff