Errata patch for CVE-2015-3219
https://bugs.launchpad.net/horizon/+bug/1453074
Fixed upstream and in a future release.
-------
From: lin-hua-cheng <[email protected]>
Date: Mon, 1 Jun 2015 17:55:00 -0700
Subject: [PATCH] Escape the description param from heat template
The heat template allows user to define custom parameters,
the fields are then converted to input fields. The description
param maps to the help_text attribute of the field.
Since the value comes from the user, the value must be escaped
before rendering.
Change-Id: I79d540a8363b2507c4bccdc0cc38e283962919d2
Closes-bug: #1453074
---
openstack_dashboard/dashboards/project/stacks/forms.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
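diff --git a/openstack_dashboard/dashboards/project/stacks/forms.py b/openstack_dashboard/dashboards/project/stacks/forms.py
index 5ee01df..ba9e141 100644
--- a/openstack_dashboard/dashboards/project/stacks/forms.py
+++ b/openstack_dashboard/dashboards/project/stacks/forms.py
@@ -13,6 +13,7 @@
 import json
 import logging
 
+from django.utils import html
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.debug import sensitive_variables # noqa
 
@@ -310,7 +311,7 @@ class CreateStackForm(forms.SelfHandlingForm):
 field_args = {
 'initial': param.get('Default', None),
 'label': param.get('Label', param_key),
- 'help_text': param.get('Description', ''),
+ 'help_text': html.escape(param.get('Description', '')),
 'required': param.get('Default', None) is None
 }
 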
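Review bot: In the `field_args` dict of the second hunk, `param.get('Description', '')` falls back to `''` only when the key is absent, so a parameter whose Description is present but null would reach `html.escape` as `None` and, if Django coerces it to text as expected, be rendered as the literal help text "None"; `'help_text': html.escape(param.get('Description') or ''),` avoids that. The escape is needed here because Django's generated form output does not escape `help_text`, and a one-line comment such as `# help_text is rendered unescaped; Description comes from the user's template` would keep a later refactor from dropping it. `Label` comes from the same user-supplied parameter and is passed through unchanged, which is safe only if the template that renders the label auto-escapes it; that template is not visible in this patch. The method that builds `field_args` starts and ends outside the hunk.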
--
1.9.1