1 Errata patch for CVE-2015-3219 |
2 https://bugs.launchpad.net/horizon/+bug/1453074 |
3 |
4 Fixed upstream and in a future release. |
5 ------- |
6 From: lin-hua-cheng <[email protected]> |
7 Date: Mon, 1 Jun 2015 17:55:00 -0700 |
8 Subject: [PATCH] Escape the description param from heat template |
9 |
10 The heat template allows users to define custom parameters, |
11 the fields are then converted to input fields. The description |
12 param maps to the help_text attribute of the field. |
13 |
14 Since the value comes from the user, the value must be escaped |
15 before rendering. |
16 |
17 Change-Id: I79d540a8363b2507c4bccdc0cc38e283962919d2 |
18 Closes-bug: #1453074 |
19 --- |
20 openstack_dashboard/dashboards/project/stacks/forms.py | 3 ++- |
21 1 file changed, 2 insertions(+), 1 deletion(-) |
22 |
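diff --git a/openstack_dashboard/dashboards/project/stacks/forms.py b/openstack_dashboard/dashboards/project/stacks/forms.py
index 5ee01df..ba9e141 100644
--- a/openstack_dashboard/dashboards/project/stacks/forms.py
+++ b/openstack_dashboard/dashboards/project/stacks/forms.py
@@ -13,6 +13,7 @@
 import json
 import logging
 
+from django.utils import html
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.debug import sensitive_variables # noqa
 
@@ -310,7 +311,7 @@ class CreateStackForm(forms.SelfHandlingForm):
         field_args = {
             'initial': param.get('Default', None),
             'label': param.get('Label', param_key),
-            'help_text': param.get('Description', ''),
+            'help_text': html.escape(param.get('Description', '')),
             'required': param.get('Default', None) is None
         }
 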
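Review bot: The `'label'` entry on the line above the changed `help_text` line is read from the same user-supplied heat template parameter block but is passed into field_args unescaped, so whether it is safe depends on how the form field template renders the label, which this hunk does not show; since the description needed escaping here presumably because help_text is rendered as raw HTML, it is worth confirming the label does not take the same path, and otherwise applying the same treatment, `'label': html.escape(param.get('Label', param_key)),`. Escaping only at the point the field is built, rather than where it is rendered, leaves future additions to field_args without protection, so a comment on the changed line recording the reason would help, e.g. `# Description is user-controlled template content; escape it here because help_text may be rendered unescaped by the field template`. As shown on this page the `diff --git` header of this patch is wrapped onto two lines, which `git apply` would reject although `patch -p1` only needs the `---`/`+++` lines; worth checking the errata file itself. The enclosing method starts and ends outside the hunk.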
45 -- |
46 1.9.1 |
47 |