Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to
a template directly), autoescaping is not set by default and the input
wasn't sanitised.

Closes-Bug: #1349491
Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
changes/13/115313/1
Julie Pichon 8 years ago
parent df782fc2b5
commit 96c6cdaa08
  1. 8
      openstack_dashboard/dashboards/admin/info/tables.py

@ -127,6 +127,10 @@ def get_metadata(aggregate):
in aggregate.metadata.iteritems()]
def safe_unordered_list(value):
return filters.unordered_list(value, autoescape=True)
class AggregatesTable(tables.DataTable):
name = tables.Column("name",
verbose_name=_("Name"))
@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
hosts = tables.Column(get_hosts,
verbose_name=_("Hosts"),
wrap_list=True,
filters=(filters.unordered_list,))
filters=(safe_unordered_list,))
metadata = tables.Column(get_metadata,
verbose_name=_("Metadata"),
wrap_list=True,
filters=(filters.unordered_list,))
filters=(safe_unordered_list,))
class Meta:
name = "aggregates"
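Review bot: `safe_unordered_list` has no docstring saying why it exists, so a later cleanup could swap the two `filters=(safe_unordered_list,)` columns back to the bare Django filter and bring back the unescaped output; a one-line docstring such as `"""unordered_list with autoescape forced on: column filters run outside a template, so nothing else escapes the values."""` would pin the intent. The commit touches only this file, so there is no regression test; a table test that renders an aggregate whose host name or metadata value contains markup, and asserts the cell comes back escaped, would keep the fix from regressing silently. Other tables that pass `filters.unordered_list` to a `Column` presumably have the same gap, which argues for moving the wrapper to a shared filters module instead of defining it here. The `AggregatesTable` body and the code above `safe_unordered_list` continue outside the hunks shown.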
