Merge "Fix multiple Cross-Site Scripting (XSS) vulnerabilities" into stable/havana
commit
8a5f091cfa
|
@ -51,8 +51,15 @@ horizon.instances = {
|
||||||
$(this.get_network_element("")).each(function(){
|
$(this.get_network_element("")).each(function(){
|
||||||
var $this = $(this);
|
var $this = $(this);
|
||||||
var $input = $this.children("input");
|
var $input = $this.children("input");
|
||||||
|
var name = $this.text().replace(/^\s+/,"")
|
||||||
|
.replace(/&/g, '&')
|
||||||
|
.replace(/</g, '<')
|
||||||
|
.replace(/>/g, '>')
|
||||||
|
.replace(/"/g, '"')
|
||||||
|
.replace(/'/g, ''')
|
||||||
|
.replace(/\//g, '/');
|
||||||
var network_property = {
|
var network_property = {
|
||||||
name:$this.text().replace(/^\s+/,""),
|
name:name,
|
||||||
id:$input.attr("id"),
|
id:$input.attr("id"),
|
||||||
value:$input.attr("value")
|
value:$input.attr("value")
|
||||||
};
|
};
|
||||||
|
|
|
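Review bot: As rendered on this page the six new `.replace` calls show the literal characters as their replacement strings (`'&'`, `'<'`, `'>'`, …), which would make the whole chain a no-op; the page has presumably decoded the HTML entity references, and the raw file should be checked to confirm the replacements are the entity forms (e.g. `'&amp;'` for `&`). The order is right as written: the `&` replacement comes first, so the entities produced by the later calls are not re-escaped. A short comment above the chain would help the next reader, e.g. `// HTML-escape the label; network name is later interpolated into markup, not set via .text()` — the "later interpolated" part is an assumption, since the use of network_property is outside this hunk. The `each` callback that encloses these lines also ends outside the hunk.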
@ -585,7 +585,9 @@ class Cell(html.HTMLElement):
|
||||||
link_classes = ' '.join(self.column.link_classes)
|
link_classes = ' '.join(self.column.link_classes)
|
||||||
# Escape the data inside while allowing our HTML to render
|
# Escape the data inside while allowing our HTML to render
|
||||||
data = mark_safe('<a href="%s" class="%s">%s</a>' %
|
data = mark_safe('<a href="%s" class="%s">%s</a>' %
|
||||||
(self.url, link_classes, escape(data)))
|
(escape(self.url),
|
||||||
|
escape(link_classes),
|
||||||
|
escape(data)))
|
||||||
return data
|
return data
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
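Review bot: The comment above the `mark_safe` call still says only the data inside is escaped, while the new lines now escape `self.url` and `link_classes` as well; update it to `# Escape the url, classes and data so only our own anchor markup renders unescaped`. HTML-escaping `self.url` stops a value from breaking out of the `href` attribute, but it does not neutralise a URL whose scheme itself is unsafe, so if `self.url` can be derived from user-controlled data (not visible in this hunk) a scheme check belongs where the link URL is produced. The enclosing method starts outside the hunk.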
@ -161,7 +161,8 @@ class AddMembersLink(tables.LinkAction):
|
||||||
class UsersTable(tables.DataTable):
|
class UsersTable(tables.DataTable):
|
||||||
name = tables.Column('name', verbose_name=_('User Name'))
|
name = tables.Column('name', verbose_name=_('User Name'))
|
||||||
email = tables.Column('email', verbose_name=_('Email'),
|
email = tables.Column('email', verbose_name=_('Email'),
|
||||||
filters=[defaultfilters.urlize])
|
filters=[defaultfilters.escape,
|
||||||
|
defaultfilters.urlize])
|
||||||
id = tables.Column('id', verbose_name=_('User ID'))
|
id = tables.Column('id', verbose_name=_('User ID'))
|
||||||
enabled = tables.Column('enabled', verbose_name=_('Enabled'),
|
enabled = tables.Column('enabled', verbose_name=_('Enabled'),
|
||||||
status=True,
|
status=True,
|
||||||
|
|
|
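Review bot: The order of the two filters on the `email` column is load-bearing and deserves a comment, here and in the identical change at the second UsersTable hunk below: `escape` must run before `urlize`, because `urlize` called directly with no `autoescape` argument does not escape its input and marks its own anchor output as safe, so reversing the order would leave raw input inside the anchor and escape the anchor markup itself. Suggest `filters=[defaultfilters.escape,  # must precede urlize, which marks its output safe` on the first filter line. The class continues outside the hunk.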
@ -117,7 +117,8 @@ class UsersTable(tables.DataTable):
|
||||||
)
|
)
|
||||||
name = tables.Column('name', verbose_name=_('User Name'))
|
name = tables.Column('name', verbose_name=_('User Name'))
|
||||||
email = tables.Column('email', verbose_name=_('Email'),
|
email = tables.Column('email', verbose_name=_('Email'),
|
||||||
filters=[defaultfilters.urlize])
|
filters=[defaultfilters.escape,
|
||||||
|
defaultfilters.urlize])
|
||||||
# Default tenant is not returned from Keystone currently.
|
# Default tenant is not returned from Keystone currently.
|
||||||
#default_tenant = tables.Column('default_tenant',
|
#default_tenant = tables.Column('default_tenant',
|
||||||
# verbose_name=_('Default Project'))
|
# verbose_name=_('Default Project'))
|
||||||
|
|
|
@ -12,6 +12,7 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from django.core import urlresolvers
|
||||||
from django.http import Http404 # noqa
|
from django.http import Http404 # noqa
|
||||||
from django.template.defaultfilters import timesince # noqa
|
from django.template.defaultfilters import timesince # noqa
|
||||||
from django.template.defaultfilters import title # noqa
|
from django.template.defaultfilters import title # noqa
|
||||||
|
@ -94,11 +95,16 @@ class StacksTable(tables.DataTable):
|
||||||
row_actions = (DeleteStack, )
|
row_actions = (DeleteStack, )
|
||||||
|
|
||||||
|
|
||||||
|
def get_resource_url(obj):
|
||||||
|
return urlresolvers.reverse('horizon:project:stacks:resource',
|
||||||
|
args=(obj.stack_id, obj.resource_name))
|
||||||
|
|
||||||
|
|
||||||
class EventsTable(tables.DataTable):
|
class EventsTable(tables.DataTable):
|
||||||
|
|
||||||
logical_resource = tables.Column('resource_name',
|
logical_resource = tables.Column('resource_name',
|
||||||
verbose_name=_("Stack Resource"),
|
verbose_name=_("Stack Resource"),
|
||||||
link=lambda d: d.resource_name,)
|
link=get_resource_url)
|
||||||
physical_resource = tables.Column('physical_resource_id',
|
physical_resource = tables.Column('physical_resource_id',
|
||||||
verbose_name=_("Resource"),
|
verbose_name=_("Resource"),
|
||||||
link=mappings.resource_to_url)
|
link=mappings.resource_to_url)
|
||||||
|
@ -142,7 +148,7 @@ class ResourcesTable(tables.DataTable):
|
||||||
|
|
||||||
logical_resource = tables.Column('resource_name',
|
logical_resource = tables.Column('resource_name',
|
||||||
verbose_name=_("Stack Resource"),
|
verbose_name=_("Stack Resource"),
|
||||||
link=lambda d: d.resource_name)
|
link=get_resource_url)
|
||||||
physical_resource = tables.Column('physical_resource_id',
|
physical_resource = tables.Column('physical_resource_id',
|
||||||
verbose_name=_("Resource"),
|
verbose_name=_("Resource"),
|
||||||
link=mappings.resource_to_url)
|
link=mappings.resource_to_url)
|
||||||
|
|
|
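Review bot: `get_resource_url` has no docstring and silently depends on `obj.stack_id`, an attribute the Heat event/resource objects evidently do not carry by themselves, since the tabs change in this commit attaches it before the table renders; add `"""Return the resource detail URL for a stack event or resource; obj must expose stack_id and resource_name."""`. Replacing the `lambda d: d.resource_name` links with `reverse()` is the right fix (the raw name was being emitted as the link target), but it also means a `resource_name` that does not match the URL pattern would raise `NoReverseMatch` at render time rather than yield a broken link — hedged, since the pattern is not shown here. The same replacement is applied to ResourcesTable in the last hunk of this section.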
@ -75,6 +75,9 @@ class StackEventsTab(tabs.Tab):
|
||||||
stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
|
stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
|
||||||
events = api.heat.events_list(self.request, stack_identifier)
|
events = api.heat.events_list(self.request, stack_identifier)
|
||||||
LOG.debug('got events %s' % events)
|
LOG.debug('got events %s' % events)
|
||||||
|
# The stack id is needed to generate the resource URL.
|
||||||
|
for event in events:
|
||||||
|
event.stack_id = stack.id
|
||||||
except Exception:
|
except Exception:
|
||||||
events = []
|
events = []
|
||||||
messages.error(request, _(
|
messages.error(request, _(
|
||||||
|
@ -95,6 +98,9 @@ class StackResourcesTab(tabs.Tab):
|
||||||
stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
|
stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
|
||||||
resources = api.heat.resources_list(self.request, stack_identifier)
|
resources = api.heat.resources_list(self.request, stack_identifier)
|
||||||
LOG.debug('got resources %s' % resources)
|
LOG.debug('got resources %s' % resources)
|
||||||
|
# The stack id is needed to generate the resource URL.
|
||||||
|
for r in resources:
|
||||||
|
r.stack_id = stack.id
|
||||||
except Exception:
|
except Exception:
|
||||||
resources = []
|
resources = []
|
||||||
messages.error(request, _(
|
messages.error(request, _(
|
||||||
|
|
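Review bot: The new `for event in events:` loop iterates the API result once here and the table iterates it again later, so this is only safe while `api.heat.events_list` returns a list; if it ever returned a lazy iterator the loop would consume it before rendering and the table would be empty with no error. If that cannot be guaranteed by the API wrapper (not visible here), `events = list(api.heat.events_list(...))` on the line above makes the assumption explicit; the same applies to the `resources` loop in the second hunk. The enclosing method and its `try` start outside the hunk.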