From 96c6cdaa084857b82b9681378d5d3a6a4732015e Mon Sep 17 00:00:00 2001
From: Julie Pichon
Date: Thu, 7 Aug 2014 12:01:56 +0100
Subject: [PATCH] Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to a template directly), autoescaping is not set by default and the input wasn't sanitised.

Closes-Bug: #1349491
Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
---
 openstack_dashboard/dashboards/admin/info/tables.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/openstack_dashboard/dashboards/admin/info/tables.py b/openstack_dashboard/dashboards/admin/info/tables.py
index d4f3fe74e8..a123fab4b2 100644
--- a/openstack_dashboard/dashboards/admin/info/tables.py
+++ b/openstack_dashboard/dashboards/admin/info/tables.py
@@ -127,6 +127,10 @@ def get_metadata(aggregate):
 in aggregate.metadata.iteritems()]
+def safe_unordered_list(value):
+ return filters.unordered_list(value, autoescape=True)
+
+
 class AggregatesTable(tables.DataTable):
 name = tables.Column("name", verbose_name=_("Name"))
@@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
 hosts = tables.Column(get_hosts,
 verbose_name=_("Hosts"),
 wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
 metadata = tables.Column(get_metadata,
 verbose_name=_("Metadata"),
 wrap_list=True,
- filters=(filters.unordered_list,))
+ filters=(safe_unordered_list,))
 class Meta:
 name = "aggregates"
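Review bot: `safe_unordered_list` in the first hunk carries no docstring, so nothing in the code tells the next reader that `autoescape=True` is the security control rather than a cosmetic option, and a later cleanup could "simplify" the two column definitions in the second hunk back to `filters.unordered_list` without noticing. Suggest `"""unordered_list with autoescape forced on: DataTable column filters run outside template autoescaping, so each list item is HTML-escaped here (bug 1349491)."""`. A regression test that builds an aggregate whose host name or metadata value contains markup such as `<b>` and asserts the rendered column escapes it would keep the fix from silently reverting. If other DataTable columns elsewhere pass `filters.unordered_list` the same way, the wrapper belongs in a shared module rather than this file, but that cannot be confirmed from this patch.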