Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com>
Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
Closes-bug: #1449260
changes/29/179429/3
Thai Tran 7 years ago committed by Szymon Wróblewski
parent
commit
e7f3e0880f
horizon/templates/horizon/common/_modal_form_update_metadata.html (4 changes)

@ -11,8 +11,8 @@
existing="existing"
model="tree"></hz-metadata-tree>
<script type="text/javascript">
var existing_metadata = {{ existing_metadata|safe }};
var available_metadata = {{ available_metadata|safe }};
var existing_metadata = JSON.parse('{{ existing_metadata|escapejs }}');
var available_metadata = JSON.parse('{{ available_metadata|escapejs }}');
</script>
{% endblock %}
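
Review bot: The two `JSON.parse('{{ ...|escapejs }}')` lines are only safe while the template value stays inside a quoted JavaScript string literal, and nothing in the template records that. Add a short template comment above them saying that the surrounding quotes and `escapejs` must be kept together and that `|safe` must not be reintroduced here. `JSON.parse` also throws on anything that is not valid JSON, so if the view ever supplies `existing_metadata` or `available_metadata` in another form the script block aborts at page load. Confirm that both context values are always JSON-serialized strings, or catch the parse error and fall back to an empty value.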
