author | Brant Knudson <bknudson@us.ibm.com> | 2015-05-15 14:21:31 -0500 |
---|---|---|
committer | Brant Knudson <bknudson@us.ibm.com> | 2015-05-15 14:21:31 -0500 |
commit | 6c944b5013acb0dce7cf3d8717e58f7f2427be07 (patch) | |
tree | 2ded87500520fa662881b58ef9c718cc55272736 | |
parent | db641dccb68ae3ff0bdd70dc7d60dc9605fe31c0 (diff) | |
download | horizon-6c944b5013acb0dce7cf3d8717e58f7f2427be07.tar.gz |
Sanitation of metadata passed from Django
We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.
Conflicts:
horizon/templates/horizon/common/_modal_form_update_metadata.html
The conflict was that there are extra spaces in the line.
Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com>
Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
Closes-bug: #1449260
(cherry picked from commit 81e1fa13177c8e259c90183409696305f55cdd75)
(cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)
-rw-r--r-- | horizon/templates/horizon/common/_modal_form_update_metadata.html | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/horizon/templates/horizon/common/_modal_form_update_metadata.html b/horizon/templates/horizon/common/_modal_form_update_metadata.html index 602139386..e6b1810d2 100644 --- a/horizon/templates/horizon/common/_modal_form_update_metadata.html +++ b/horizon/templates/horizon/common/_modal_form_update_metadata.html @@ -224,8 +224,8 @@ </div> </div> <script type="text/javascript"> - var existing_metadata = {{existing_metadata|safe}}; - var available_metadata = {{available_metadata|safe}}; + var existing_metadata = JSON.parse('{{existing_metadata|escapejs}}'); + var available_metadata = JSON.parse('{{available_metadata|escapejs}}'); </script> {% endblock %} |
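Review bot: On the two added `JSON.parse('{{ ...|escapejs}}')` lines, the escaping only protects the inline script block: once `JSON.parse` has decoded the string, `existing_metadata` and `available_metadata` hold their original characters again, so the "escape HTML" wording in the commit message does not cover any code that later writes these values into the DOM. That code still has to escape at the point of output. A short template comment next to these lines saying why `escapejs` plus `JSON.parse` is used would help keep anyone from reverting to `|safe`. `JSON.parse` also throws on input that is not strict JSON, where the removed object-literal form was more lenient, so please confirm that the view serializes both context variables as strict JSON. The diffstat shows only the template changed. A rendering test with a metadata value containing a quote and a closing script tag would guard against regression.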