From b8ff4804e11fb64a49d1c3f2811cece6494ad82d Mon Sep 17 00:00:00 2001
From: Rob Raymond
Date: Mon, 4 Nov 2013 12:12:40 -0700
Subject: [PATCH] Fix bug by escaping strings from Nova before displaying them

Fixes bug #1247675
Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
---
 .../images_and_snapshots/volume_snapshots/tables.py | 2 ++
 openstack_dashboard/dashboards/project/volumes/tables.py | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
index 17008f5630..e5a3c69272 100644
--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
@@ -15,6 +15,7 @@
 # under the License.
 from django.core.urlresolvers import reverse # noqa
+from django.utils import html
 from django.utils.http import urlencode # noqa
 from django.utils import safestring
 from django.utils.translation import ugettext_lazy as _ # noqa
@@ -66,6 +67,7 @@ class SnapshotVolumeNameColumn(tables.Column):
 volume = snapshot._volume
 if volume:
 volume_name = volume.display_name or volume.id
+ volume_name = html.escape(volume_name)
 else:
 volume_name = _("Unknown")
 return safestring.mark_safe(volume_name)
diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
index e0b49d0f0b..3124d89c49 100644
--- a/openstack_dashboard/dashboards/project/volumes/tables.py
+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
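Review bot: In the SnapshotVolumeNameColumn hunk the escaped value is still passed through `safestring.mark_safe` on the return line, so the method stays safe only as long as every branch remembers to escape by hand. Nothing in the visible lines adds markup to `volume_name`, so the simpler form is to drop both calls and `return volume_name`, leaving escaping to the template layer; if the column renderer does need a safe string (not visible here), add a comment such as `# mark_safe below: every branch must yield already-escaped text`. The `else` branch's `_("Unknown")` is marked safe without escaping, which holds only while the translation catalogue is trusted. The method starts outside the hunk.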
@@ -17,7 +17,7 @@
 from django.core.urlresolvers import NoReverseMatch # noqa
 from django.core.urlresolvers import reverse # noqa
 from django.template.defaultfilters import title # noqa
-from django.utils.html import strip_tags # noqa
+from django.utils import html
 from django.utils import safestring
 from django.utils.translation import string_concat # noqa
 from django.utils.translation import ugettext_lazy as _ # noqa
@@ -125,7 +125,7 @@ def get_attachment_name(request, attachment):
 "attachment information."))
 try:
 url = reverse("horizon:project:instances:detail", args=(server_id,))
- instance = '%s' % (url, name)
+ instance = '%s' % (url, html.escape(name))
 except NoReverseMatch:
 instance = name
 return instance
@@ -146,7 +146,7 @@ class AttachmentColumn(tables.Column):
 # without the server name...
 instance = get_attachment_name(request, attachment)
 vals = {"instance": instance,
- "dev": attachment["device"]}
+ "dev": html.escape(attachment["device"])}
 attachments.append(link % vals)
 return safestring.mark_safe(", ".join(attachments))
@@ -251,7 +251,7 @@ class AttachmentsTable(tables.DataTable):
 def get_object_display(self, attachment):
 instance_name = get_attachment_name(self.request, attachment)
 vals = {"dev": attachment['device'],
- "instance_name": strip_tags(instance_name)}
+ "instance_name": html.escape(instance_name)}
 return _("%(dev)s on instance %(instance_name)s") % vals
 def get_object_by_id(self, obj_id):
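Review bot: In the get_attachment_name hunk the `except NoReverseMatch` branch still returns `name` unescaped, and in the AttachmentColumn hunk that return value is interpolated into `link` and the joined result is passed to `safestring.mark_safe`, so the fallback path keeps the injection this commit is closing. Change the branch to `instance = html.escape(name)` so both paths return HTML-safe text. The format string on the changed line shows a single `%s` for two arguments, which looks like markup lost when this page was rendered rather than a code defect; confirm against the file. The function starts outside the hunk, so how `name` is obtained is not visible.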
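Review bot: In the AttachmentColumn hunk escaping is applied value by value while the whole joined string is marked safe, and nothing records that invariant for the next field someone adds to `vals`. Add a comment above the dict, for example `# Every value in vals must already be HTML-escaped: the joined result is passed to mark_safe.` The `link` template and the loop header are outside the hunk, so the context each value lands in cannot be checked from here.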
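Review bot: In the AttachmentsTable hunk, replacing `strip_tags(instance_name)` with `html.escape(instance_name)` changes what the message displays, not only how it is protected. `get_attachment_name` builds its success-path value from `url` and the already escaped `name`, so if that value is link markup (the removed `strip_tags` call suggests it is), the string will now show the escaped markup with the name escaped twice. Using `"instance_name": html.strip_tags(instance_name)` through the new import would keep the old display while the name itself stays escaped by the helper. `attachment['device']` is interpolated unescaped on the line above although the AttachmentColumn hunk escapes the same field; whether this string is autoescaped where it is rendered is not visible here.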