Remove |safe from openrc.template

Review I56ec047da467b721bd1b57d2c97d05717e83f468 added |safe to the TEMPLATE_NAME variable in order to allow special characters for tenant names but it turned out to be a security issue as explained in one of the comments. This reverts commit 3a9b0da489030eaacc6cc0416f92192b74783ac8 It's still an issue to discuss as referenced in bug 1100042 Change-Id: I919a56ac799e3358bf3d56af3c6083814e97c98d
2013-01-18 12:26:30 +01:00 · 2013-01-18 12:26:30 +01:00 · 99b678b7b7
commit 99b678b7b7
parent 83ac573a9e
2 changed files with 1 additions and 40 deletions
--- a/openstack_dashboard/dashboards/settings/project/templates/project/openrc.sh.template
+++ b/openstack_dashboard/dashboards/settings/project/templates/project/openrc.sh.template
@ -12,7 +12,7 @@ export OS_AUTH_URL={{ auth_url }}
 # With the addition of Keystone we have standardized on the term **tenant**
 # as the entity that owns the resources.
 export OS_TENANT_ID={{ tenant_id }}
-export OS_TENANT_NAME="{{ tenant_name|safe }}"
+export OS_TENANT_NAME="{{ tenant_name }}"

 # In addition to the owning entity (tenant), openstack stores the entity
 # performing the action as the **user**.
--- a/openstack_dashboard/test/tests/templates.py
+++ b/openstack_dashboard/test/tests/templates.py
@ -1,39 +0,0 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright (c) 2012 OpenStack, LLC.
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-from os import path
-from openstack_dashboard.test import helpers as test
-from django.template.loader import render_to_string
-
-
-class FakeUser(object):
-    username = "Super S"
-
-
-class TemplateRenderTest(test.TestCase):
-    """ Tests for templates render """
-
-    def test_openrc_html_escape(self):
-        context = {
-            "user": FakeUser(),
-            "tenant_id": "some-cool-id",
-            "auth_url": "http://tests.com",
-            "tenant_name": "ENG Perf R&D"}
-        out = render_to_string('settings/project/openrc.sh.template', context)
-
-        self.assertFalse("&amp;" in out)
-        self.assertTrue("ENG Perf R&D" in out)