|
1 Upstream patch fixed in Havana 2013.2.1 |
|
2 |
|
3 commit b14debc73132d1253220192e110f00f62ddb8bbc |
|
4 Author: Rob Raymond <[email protected]> |
|
5 Date: Mon Nov 4 12:12:40 2013 -0700 |
|
6 |
|
7 Fix bug by escaping strings from Nova before displaying them |
|
8 |
|
9 Fixes bug #1247675 |
|
10 |
|
11 (cherry-picked from commit b8ff480) |
|
12 Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101 |
|
13 |
|
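diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
index 2311e5c..17a4fb5 100644
--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
@@ -17,6 +17,7 @@
 import logging
 
 from django.core.urlresolvers import reverse
+from django.utils import html
 from django.utils import safestring
 from django.utils.http import urlencode
 from django.utils.translation import ugettext_lazy as _
@@ -68,6 +69,7 @@ class SnapshotVolumeNameColumn(tables.Column):
 request = self.table.request
 volume_name = api.cinder.volume_get(request,
 snapshot.volume_id).display_name
+ volume_name = html.escape(volume_name)
 return safestring.mark_safe(volume_name)
 
 def get_link_url(self, snapshot):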
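Review bot: In the SnapshotVolumeNameColumn hunk the value is escaped and then still passed through `safestring.mark_safe`, so the method keeps a trust assertion it no longer needs. Django's `html.escape` already returns a safe-marked string, so `return html.escape(volume_name)` is equivalent and leaves no `mark_safe` call for a later edit to feed unescaped text into. If the column renderer autoescapes plain strings (not visible here), returning `display_name` untouched would be simpler still. The method begins above the hunk, so how the result is consumed is inferred rather than shown.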
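diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
index b14145b..e5426c1 100644
--- a/openstack_dashboard/dashboards/project/volumes/tables.py
+++ b/openstack_dashboard/dashboards/project/volumes/tables.py
@@ -19,7 +19,7 @@ import logging
 from django.core.urlresolvers import reverse, NoReverseMatch
 from django.template.defaultfilters import title
 from django.utils import safestring
-from django.utils.html import strip_tags
+from django.utils import html
 from django.utils.translation import ugettext_lazy as _
 
 from horizon import exceptions
@@ -111,7 +111,7 @@ def get_attachment_name(request, attachment):
 "attachment information."))
 try:
 url = reverse("horizon:project:instances:detail", args=(server_id,))
- instance = '<a href="%s">%s</a>' % (url, name)
+ instance = '<a href="%s">%s</a>' % (url, html.escape(name))
 except NoReverseMatch:
 instance = name
 return instance
@@ -132,7 +132,7 @@ class AttachmentColumn(tables.Column):
 # without the server name...
 instance = get_attachment_name(request, attachment)
 vals = {"instance": instance,
- "dev": attachment["device"]}
+ "dev": html.escape(attachment["device"])}
 attachments.append(link % vals)
 return safestring.mark_safe(", ".join(attachments))
 
@@ -225,7 +225,7 @@ class AttachmentsTable(tables.DataTable):
 def get_object_display(self, attachment):
 instance_name = get_attachment_name(self.request, attachment)
 vals = {"dev": attachment['device'],
- "instance_name": strip_tags(instance_name)}
+ "instance_name": html.escape(instance_name)}
 return _("%(dev)s on instance %(instance_name)s") % vals
 
 def get_object_by_id(self, obj_id):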
73 def get_object_by_id(self, obj_id): |