author: Brant Knudson <bknudson@us.ibm.com> 2015-05-15 14:21:31 -0500
committer: Brant Knudson <bknudson@us.ibm.com> 2015-05-15 14:21:31 -0500
commit: 6c944b5013acb0dce7cf3d8717e58f7f2427be07
tree: 2ded87500520fa662881b58ef9c718cc55272736
parent: db641dccb68ae3ff0bdd70dc7d60dc9605fe31c0
Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which can lead to security issues. Refer to the bug for more details.

Conflicts:
    horizon/templates/horizon/common/_modal_form_update_metadata.html

The conflict was that there are extra spaces in the line.

Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com>
Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
Closes-bug: #1449260
(cherry picked from commit 81e1fa13177c8e259c90183409696305f55cdd75)
(cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)

-rw-r--r-- horizon/templates/horizon/common/_modal_form_update_metadata.html 4
1 files changed, 2 insertions, 2 deletions
diff --git a/horizon/templates/horizon/common/_modal_form_update_metadata.html b/horizon/templates/horizon/common/_modal_form_update_metadata.html
index 602139386..e6b1810d2 100644
--- a/horizon/templates/horizon/common/_modal_form_update_metadata.html
+++ b/horizon/templates/horizon/common/_modal_form_update_metadata.html
@@ -224,8 +224,8 @@
</div>
</div>
<script type="text/javascript">
- var existing_metadata = {{existing_metadata|safe}};
- var available_metadata = {{available_metadata|safe}};
+ var existing_metadata = JSON.parse('{{existing_metadata|escapejs}}');
+ var available_metadata = JSON.parse('{{available_metadata|escapejs}}');
</script>
{% endblock %}
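
Review bot: On the two added `JSON.parse('{{ ...|escapejs }}')` lines, the escaping only protects the JavaScript string literal inside the `<script>` block. Once `JSON.parse` has run, the values in `existing_metadata` and `available_metadata` contain their original characters again, so the commit message's "escape HTML" holds only if the code that later renders these objects into the DOM escapes them as well. Please confirm that in the consuming code or say so here. Both lines also rely on the context variables being JSON-serialized strings (anything else makes `JSON.parse` throw and breaks the modal) and on the single quotes staying around the `escapejs` output. A short template comment stating both would keep a later edit from reverting to `|safe` or dropping the quotes.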