fca19a1b0d
It is possible to inject HTML/JavaScript code into the shares table on the member page by setting metadata on shares, and into the share types table on the admin page by setting extra specs. So, escape HTML-specific symbols in the output string of the 'metadata_to_str' function so that it is interpreted as a string and not as code.

Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
Security-Fix
Closes-Bug: #1597738
- shares
- __init__.py
- config.py
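The escaping described in the commit message above, shown as an added example that is not the project's own code. The function bodies, the `<br/>` separator, the 25-character limit and the sample metadata are assumptions made for illustration; only the name `metadata_to_str` comes from the page.

```python
import html

# Assumed: the table cell joins entries with markup, so the whole cell
# is rendered as HTML and anything not escaped is parsed as markup.
SEPARATOR = "<br/>"


def metadata_to_str_unsafe(metadata):
    """'Before' form: user-controlled keys and values reach the page as markup."""
    return SEPARATOR.join(f"{k} = {v}" for k, v in sorted(metadata.items()))


def metadata_to_str_safe(metadata, text_limit=25):
    """Escape every key and value; only SEPARATOR is emitted as real markup."""
    lines = []
    for key, value in sorted(metadata.items()):
        text = f"{key} = {value}"
        # Truncate before escaping so an entity such as &lt; is never cut in half.
        if len(text) > text_limit:
            text = text[:text_limit] + "..."
        # quote=True also neutralises " and ', which matters if the string
        # is ever placed inside an HTML attribute.
        lines.append(html.escape(text, quote=True))
    return SEPARATOR.join(lines)


# Constructed sample input: metadata a project member could set on a share.
SAMPLE = {
    "owner": "team-a",
    "note": "<script>alert(1)</script>",
    "<b>k</b>": 'x" onmouseover="y',
}

if __name__ == "__main__":
    print("unsafe:", metadata_to_str_unsafe(SAMPLE))
    print("safe:  ", metadata_to_str_safe(SAMPLE))
```

Both keys and values are escaped because either can be set by the user; the separator is the only markup the function itself contributes.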