Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to a template directly), autoescaping is not set by default and the input wasn't sanitised. Closes-Bug: #1349491 Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
2014-07-29 16:17:44 +01:00
parent 6393dbe003
commit ba2c98aea0
1 changed files with 7 additions and 3 deletions
--- a/openstack_dashboard/dashboards/admin/aggregates/tables.py
+++ b/openstack_dashboard/dashboards/admin/aggregates/tables.py
@@ -98,6 +98,10 @@ def get_zone_hosts(zone):
    return host_details


+def safe_unordered_list(value):
+    return filters.unordered_list(value, autoescape=True)
+
+
 class HostAggregatesTable(tables.DataTable):
    name = tables.Column('name', verbose_name=_('Name'))
    availability_zone = tables.Column('availability_zone',
@@ -105,11 +109,11 @@ class HostAggregatesTable(tables.DataTable):
    hosts = tables.Column(get_aggregate_hosts,
                          verbose_name=_("Hosts"),
                          wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
    metadata = tables.Column(get_metadata,
                             verbose_name=_("Metadata"),
                             wrap_list=True,
-                             filters=(filters.unordered_list,))
+                             filters=(safe_unordered_list,))

    class Meta:
        name = "host_aggregates"
@@ -128,7 +132,7 @@ class AvailabilityZonesTable(tables.DataTable):
    hosts = tables.Column(get_zone_hosts,
                          verbose_name=_('Hosts'),
                          wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
    available = tables.Column(get_available,
                              verbose_name=_('Available'),
                              status=True,