Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com>
Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
Closes-bug: #1449260
(cherry picked from commit e7f3e0880f)
Thai Tran 2015-05-01 10:25:29 -07:00 committed by Brant Knudson
parent 322a74c13c
commit 30dde70070


@ -11,8 +11,8 @@
existing="existing"
model="tree"></hz-metadata-tree>
<script type="text/javascript">
var existing_metadata = {{ existing_metadata|safe }};
var available_metadata = {{ available_metadata|safe }};
var existing_metadata = JSON.parse('{{ existing_metadata|escapejs }}');
var available_metadata = JSON.parse('{{ available_metadata|escapejs }}');
</script>
{% endblock %}
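
Review bot: the two new `JSON.parse('{{ ...|escapejs }}')` assignments will throw a SyntaxError whenever `existing_metadata` or `available_metadata` renders as an empty string or as anything other than serialized JSON, and nothing in this script block handles that, so one bad context value leaves both globals unset for `hz-metadata-tree`. Either guarantee in the view that both variables are always JSON strings (with an empty object or list as the default) or guard the parse here. It is also worth a short template comment saying that the surrounding single quotes are required: `escapejs` only makes the value safe inside a quoted JavaScript string literal, so a later edit that drops the quotes or goes back to `|safe` would reintroduce the injection that the removed `{{ existing_metadata|safe }}` lines allowed. No test is visible in this hunk; a regression test that renders the template with metadata containing `</script>` and a single quote would pin the fix.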