Errata patch for CVE-2015-3988

https://review.openstack.org/183659

git fetch https://review.openstack.org/openstack/horizon refs/changes/59/183659/1 && git format-patch -1 --stdout FETCH_HEAD

Fixed upstream and in a future release.

----

From: Brant Knudson <[email protected]>
Date: Fri, 15 May 2015 19:21:31 +0000 (-0500)
Subject: Sanitation of metadata passed from Django
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=6c944b5013acb0dce7cf3d8717e58f7f2427be07

Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which
can lead to security issues. Refer to the bug for more details.

Conflicts:
	horizon/templates/horizon/common/_modal_form_update_metadata.html

The conflict was that there are extra spaces in the line.

Co-Authored-By: Szymon Wroblewski <[email protected]>
Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5
Closes-bug: #1449260
(cherry picked from commit 81e1fa13177c8e259c90183409696305f55cdd75)
(cherry picked from commit e7f3e0880f4e311c768c413e43317674cb234515)
---

diff --git a/horizon/templates/horizon/common/_modal_form_update_metadata.html b/horizon/templates/horizon/common/_modal_form_update_metadata.html
index 6021393..e6b1810 100644
--- a/horizon/templates/horizon/common/_modal_form_update_metadata.html
+++ b/horizon/templates/horizon/common/_modal_form_update_metadata.html
@@ -224,8 +224,8 @@
</div>
</div>
<script type="text/javascript">
- var existing_metadata = {{existing_metadata|safe}};
- var available_metadata = {{available_metadata|safe}};
+ var existing_metadata = JSON.parse('{{existing_metadata|escapejs}}');
+ var available_metadata = JSON.parse('{{available_metadata|escapejs}}');
</script>
{% endblock %}
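Review bot: the fix in the two `+` lines is only sound because `escapejs` is applied inside a single-quoted JavaScript string literal; `escapejs` encodes quotes, backslashes, angle brackets and line terminators as `\uXXXX` sequences so that the serialized metadata cannot terminate the literal or the enclosing `<script>` block, which is exactly what `|safe` allowed the old lines to do. Two things worth recording in the change: first, `JSON.parse('{{existing_metadata|escapejs}}')` assumes the view already hands the template a JSON-encoded string (the output of `json.dumps`), not a Python dict, since a dict would render as a Python repr that `JSON.parse` rejects; a comment on these lines stating that contract would stop a later refactor from silently breaking the page. Second, the quotes around the `{{ ... }}` tag are load-bearing, so a regression test that renders this template with a metadata key or value containing markup and quote characters, and asserts that the rendered `<script>` block contains no unescaped `<`, `>` or `'`, would protect the fix against the quotes being dropped or the filter being changed back to `safe`.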