* Remove CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
authorThomas Goirand <zigo@debian.org>
Sat, 16 Jul 2016 14:31:12 +0000 (16:31 +0200)
committerThomas Goirand <zigo@debian.org>
Sat, 16 Jul 2016 14:31:12 +0000 (16:31 +0200)
    applied upstream.

Rewritten-From: 94ff955ece9092ed1bc089ecf13112aac291619b

xenial/debian/changelog
xenial/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch [deleted file]
xenial/debian/patches/fix-oslo.utils-last-vers-compat.patch [deleted file]
xenial/debian/patches/series

index 406734004717030ec15d2703903cfe830ffc5de2..94d350ef34bc655333275cd8a38169376647ae01 100644 (file)
@@ -3,7 +3,8 @@ horizon (3:10.0.0~b2-1) experimental; urgency=medium
   * New upstream release.
   * Fixed (build-)depends for this release.
   * Updated Danish translation of debconf templates (Closes: #830639).
-  * Add fix-oslo.utils-last-vers-compat.patch, useful until ~b2.
+  * Remove CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
+    applied upstream.
 
  -- Thomas Goirand <zigo@debian.org>  Mon, 11 Jul 2016 14:24:50 +0200
 
diff --git a/xenial/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch b/xenial/debian/patches/CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
deleted file mode 100644 (file)
index 4aa0f32..0000000
+++ /dev/null
@@ -1,81 +0,0 @@
-Description: Escape angularjs templating in unsafe HTML
- This code extends the unsafe (typically user-supplied) HTML escape
- built into Django to also escape angularjs templating markers. Safe
- HTML will be unaffected.
-Author: Richard Jones <r1chardj0n3s@gmail.com>
-Origin: upstream, https://review.openstack.org/#/c/329998/
-Date: Tue, 3 May 2016 05:51:49 +0000 (+1000)
-X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
-Bug-Ubuntu: https://launchpad.net/bugs/1567673
-Bug-Debian: https://bugs.debian.org/828967
-Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7
-Last-Update: 2016-06-29
-
-diff --git a/horizon/utils/escape.py b/horizon/utils/escape.py
-new file mode 100644
-index 0000000..6e27557
---- /dev/null
-+++ b/horizon/utils/escape.py
-@@ -0,0 +1,31 @@
-+# Copyright 2016, Rackspace, US, Inc.
-+#
-+# Licensed under the Apache License, Version 2.0 (the "License");
-+# you may not use this file except in compliance with the License.
-+# You may obtain a copy of the License at
-+#
-+#    http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS,
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+# See the License for the specific language governing permissions and
-+# limitations under the License.
-+
-+import django.utils.html
-+
-+
-+def escape(text, existing=django.utils.html.escape):
-+    # Replace our angular markup string with a different string
-+    # (which just happens to be the Django comment string)
-+    # this prevents user-supplied data from being intepreted in
-+    # our pages by angularjs, thus preventing it from being used
-+    # for XSS attacks. Note that we use {$ $} instead of the
-+    # standard {{ }} - this is configured in horizon.framework
-+    # angularjs module through $interpolateProvider.
-+    return existing(text).replace('{$', '{%').replace('$}', '%}')
-+
-+
-+# this will be invoked as early as possible in settings.py
-+def monkeypatch_escape():
-+    django.utils.html.escape = escape
-diff --git a/openstack_dashboard/settings.py b/openstack_dashboard/settings.py
-index 8e91132..e96a4df 100644
---- a/openstack_dashboard/settings.py
-+++ b/openstack_dashboard/settings.py
-@@ -29,6 +29,9 @@ from openstack_dashboard.static_settings import find_static_files  # noqa
- from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
- from openstack_dashboard import theme_settings
-+from horizon.utils.escape import monkeypatch_escape
-+
-+monkeypatch_escape()
- warnings.formatwarning = lambda message, category, *args, **kwargs: \
-     '%s: %s' % (category.__name__, message)
-diff --git a/openstack_dashboard/test/settings.py b/openstack_dashboard/test/settings.py
-index 949fa79..fee5aa0 100644
---- a/openstack_dashboard/test/settings.py
-+++ b/openstack_dashboard/test/settings.py
-@@ -18,6 +18,12 @@ from openstack_dashboard import exceptions
- from openstack_dashboard.static_settings import find_static_files  # noqa
- from openstack_dashboard.static_settings import get_staticfiles_dirs  # noqa
-+from horizon.utils.escape import monkeypatch_escape
-+
-+# this is used to protect from client XSS attacks, but it's worth
-+# enabling in our test setup to find any issues it might cause
-+monkeypatch_escape()
-+
- STATICFILES_DIRS = get_staticfiles_dirs()
- TEST_DIR = os.path.dirname(os.path.abspath(__file__))
diff --git a/xenial/debian/patches/fix-oslo.utils-last-vers-compat.patch b/xenial/debian/patches/fix-oslo.utils-last-vers-compat.patch
deleted file mode 100644 (file)
index ceb4210..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-Description: Fix oslo.utils last version compatibility
- Horizon is checking against port 0, which is now valid in oslo.utils.
- This patch removes the wrong tests.
-Author: Thomas Goirand <zigo@debian.org>
-Forwarded: not-needed
-Last-Update: 2016-07-12
-
---- horizon-10.0.0~b1.orig/horizon/test/tests/utils.py
-+++ horizon-10.0.0~b1/horizon/test/tests/utils.py
-@@ -196,7 +196,7 @@ class ValidatorsTests(test.TestCase):
-     def test_port_validator(self):
-         VALID_PORTS = (1, 65535)
--        INVALID_PORTS = (-1, 0, 65536)
-+        INVALID_PORTS = (-1, 65536)
-         for port in VALID_PORTS:
-             self.assertIsNone(validators.validate_port_range(port))
-@@ -222,8 +222,7 @@ class ValidatorsTests(test.TestCase):
-         VALID_RANGE = ('1:65535',
-                        '1:1')
-         INVALID_RANGE = ('22:22:22:22',
--                         '1:-1',
--                         '0:65535')
-+                         '1:-1')
-         test_call = validators.validate_port_or_colon_separated_port_range
-         for prange in VALID_RANGE:
index 6cc10f0e822a7bfd9871e1bba72b36cdeb07a73a..e883b0358c2035eff2581538e242ec72baf1c5fe 100644 (file)
@@ -1,5 +1,3 @@
 fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
-CVE-2016-4428_Escape_angularjs_templating_in_unsafe_HTML.patch
-fix-oslo.utils-last-vers-compat.patch