Fix XSS issue with the unordered_list filter
When the unordered_list filter is used in a Horizon table (as opposed to directly in a template), autoescaping is not enabled by default, so the input was not sanitised. Closes-Bug: #1349491 Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
parent
2b9c566952
commit
ba908ae88d
|
@ -93,6 +93,10 @@ def get_zone_hosts(zone):
|
||||||
return host_details
|
return host_details
|
||||||
|
|
||||||
|
|
||||||
|
def safe_unordered_list(value):
|
||||||
|
return filters.unordered_list(value, autoescape=True)
|
||||||
|
|
||||||
|
|
||||||
class HostAggregatesTable(tables.DataTable):
|
class HostAggregatesTable(tables.DataTable):
|
||||||
name = tables.Column('name', verbose_name=_('Name'))
|
name = tables.Column('name', verbose_name=_('Name'))
|
||||||
availability_zone = tables.Column('availability_zone',
|
availability_zone = tables.Column('availability_zone',
|
||||||
|
@ -100,11 +104,11 @@ class HostAggregatesTable(tables.DataTable):
|
||||||
hosts = tables.Column(get_aggregate_hosts,
|
hosts = tables.Column(get_aggregate_hosts,
|
||||||
verbose_name=_("Hosts"),
|
verbose_name=_("Hosts"),
|
||||||
wrap_list=True,
|
wrap_list=True,
|
||||||
filters=(filters.unordered_list,))
|
filters=(safe_unordered_list,))
|
||||||
metadata = tables.Column(get_metadata,
|
metadata = tables.Column(get_metadata,
|
||||||
verbose_name=_("Metadata"),
|
verbose_name=_("Metadata"),
|
||||||
wrap_list=True,
|
wrap_list=True,
|
||||||
filters=(filters.unordered_list,))
|
filters=(safe_unordered_list,))
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
name = "host_aggregates"
|
name = "host_aggregates"
|
||||||
|
@ -123,7 +127,7 @@ class AvailabilityZonesTable(tables.DataTable):
|
||||||
hosts = tables.Column(get_zone_hosts,
|
hosts = tables.Column(get_zone_hosts,
|
||||||
verbose_name=_('Hosts'),
|
verbose_name=_('Hosts'),
|
||||||
wrap_list=True,
|
wrap_list=True,
|
||||||
filters=(filters.unordered_list,))
|
filters=(safe_unordered_list,))
|
||||||
available = tables.Column(get_available,
|
available = tables.Column(get_available,
|
||||||
verbose_name=_('Available'),
|
verbose_name=_('Available'),
|
||||||
status=True,
|
status=True,
|
||||||
|
|
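Review bot: `safe_unordered_list` has no docstring, so the reason `autoescape=True` is forced lives only in the commit message, and a later cleanup could plausibly swap the three `filters=(safe_unordered_list,)` entries back to `filters.unordered_list` and reopen the issue. A short docstring on the new helper would pin the rationale: `"""Render a list as <ul> with autoescaping forced on. Horizon table column filters run outside Django's template autoescape context, so the library default would emit host names and metadata unescaped."""`. The change does not appear to include a regression test (none is visible on this page); a table test that renders a column value containing `<` and asserts the output contains `&lt;` would keep the fix from silently regressing. The column callables `get_aggregate_hosts`, `get_metadata` and `get_zone_hosts`, whose output this filter escapes, are defined outside the visible hunks.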