components/openstack/horizon/patches/03-CVE-2013-6858.patch
branchs11-update
changeset 3028 5e73a3a3f66a
3027:3bcf7d43558b 3028:5e73a3a3f66a
       
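--- a/components/openstack/horizon/patches/03-CVE-2013-6858.patch
+++ b/components/openstack/horizon/patches/03-CVE-2013-6858.patch
@@ -0,0 +1,73 @@
+Upstream patch fixed in Havana 2013.2.1
+
+commit b14debc73132d1253220192e110f00f62ddb8bbc
+Author: Rob Raymond <[email protected]>
+Date:   Mon Nov 4 12:12:40 2013 -0700
+
+    Fix bug by escaping strings from Nova before displaying them
+    
+    Fixes bug #1247675
+    
+    (cherry-picked from commit b8ff480)
+    Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
+
+diff --git a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+index 2311e5c..17a4fb5 100644
+--- a/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
++++ b/openstack_dashboard/dashboards/project/images_and_snapshots/volume_snapshots/tables.py
+@@ -17,6 +17,7 @@
+ import logging
+ 
+ from django.core.urlresolvers import reverse
++from django.utils import html
+ from django.utils import safestring
+ from django.utils.http import urlencode
+ from django.utils.translation import ugettext_lazy as _
+@@ -68,6 +69,7 @@ class SnapshotVolumeNameColumn(tables.Column):
+         request = self.table.request
+         volume_name = api.cinder.volume_get(request,
+                                             snapshot.volume_id).display_name
++        volume_name = html.escape(volume_name)
+         return safestring.mark_safe(volume_name)
+ 
+     def get_link_url(self, snapshot):
+diff --git a/openstack_dashboard/dashboards/project/volumes/tables.py b/openstack_dashboard/dashboards/project/volumes/tables.py
+index b14145b..e5426c1 100644
+--- a/openstack_dashboard/dashboards/project/volumes/tables.py
++++ b/openstack_dashboard/dashboards/project/volumes/tables.py
+@@ -19,7 +19,7 @@ import logging
+ from django.core.urlresolvers import reverse, NoReverseMatch
+ from django.template.defaultfilters import title
+ from django.utils import safestring
+-from django.utils.html import strip_tags
++from django.utils import html
+ from django.utils.translation import ugettext_lazy as _
+ 
+ from horizon import exceptions
+@@ -111,7 +111,7 @@ def get_attachment_name(request, attachment):
+                                          "attachment information."))
+     try:
+         url = reverse("horizon:project:instances:detail", args=(server_id,))
+-        instance = '<a href="%s">%s</a>' % (url, name)
++        instance = '<a href="%s">%s</a>' % (url, html.escape(name))
+     except NoReverseMatch:
+         instance = name
+     return instance
+@@ -132,7 +132,7 @@ class AttachmentColumn(tables.Column):
+             # without the server name...
+             instance = get_attachment_name(request, attachment)
+             vals = {"instance": instance,
+-                    "dev": attachment["device"]}
++                    "dev": html.escape(attachment["device"])}
+             attachments.append(link % vals)
+         return safestring.mark_safe(", ".join(attachments))
+ 
+@@ -225,7 +225,7 @@ class AttachmentsTable(tables.DataTable):
+     def get_object_display(self, attachment):
+         instance_name = get_attachment_name(self.request, attachment)
+         vals = {"dev": attachment['device'],
+-                "instance_name": strip_tags(instance_name)}
++                "instance_name": html.escape(instance_name)}
+         return _("%(dev)s on instance %(instance_name)s") % vals
+ 
+     def get_object_by_id(self, obj_id):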
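Review bot: The `except NoReverseMatch` branch of `get_attachment_name` (hunk at -111) still returns `name` unescaped, and `AttachmentColumn.get_raw_data` (hunk at -132) interpolates that value into `link % vals` and marks the joined result safe, so an instance name containing markup reaches the page unescaped whenever `reverse` fails. Escaping once before the `try` covers both paths: put `name = html.escape(name)` ahead of `try:`, then `instance = '<a href="%s">%s</a>' % (url, name)` and leave the fallback as is. `get_attachment_name` starts above the hunk, so where `name` is assigned is not visible here. Separately, the -225 hunk now applies `html.escape` to the whole anchor string `get_attachment_name` returns, where `strip_tags` previously reduced it to the bare name; unless that display string is marked safe further on, the confirm dialog presumably shows the escaped tag characters literally, which is worth checking.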