Fix XSS issue with the unordered_list filter
When using the unordered_list filter in a Horizon table (as opposed to a template directly), autoescaping is not set by default and the input wasn't sanitised. Closes-Bug: #1349491 Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
parent
df782fc2b5
commit
96c6cdaa08
|
@ -127,6 +127,10 @@ def get_metadata(aggregate):
|
|||
in aggregate.metadata.iteritems()]
|
||||
|
||||
|
||||
def safe_unordered_list(value):
|
||||
return filters.unordered_list(value, autoescape=True)
|
||||
|
||||
|
||||
class AggregatesTable(tables.DataTable):
|
||||
name = tables.Column("name",
|
||||
verbose_name=_("Name"))
|
||||
|
@ -135,11 +139,11 @@ class AggregatesTable(tables.DataTable):
|
|||
hosts = tables.Column(get_hosts,
|
||||
verbose_name=_("Hosts"),
|
||||
wrap_list=True,
|
||||
filters=(filters.unordered_list,))
|
||||
filters=(safe_unordered_list,))
|
||||
metadata = tables.Column(get_metadata,
|
||||
verbose_name=_("Metadata"),
|
||||
wrap_list=True,
|
||||
filters=(filters.unordered_list,))
|
||||
filters=(safe_unordered_list,))
|
||||
|
||||
class Meta:
|
||||
name = "aggregates"
|
||||
|
|
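Review bot: `safe_unordered_list` in the first hunk has no docstring or comment saying why it exists, so a later cleanup could switch the two `filters=` entries back to `filters.unordered_list` and bring back the unescaped output. I would add a docstring along the lines of `"""Render value as an unordered list with autoescaping forced on; table column filters run outside a template, so autoescape is not set for them."""`. The helper is also local to this module, so any other table that passes `filters.unordered_list` in a column's `filters=` tuple would presumably have the same gap; moving the wrapper to a shared module and checking the remaining call sites seems worthwhile. No regression test is visible on this page; one that renders a host or metadata value containing markup and asserts the output is escaped would pin the fix.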