Check user input in XML responses.
Fixes bug 1183884. * swift/account/server.py: Escape account name in XML listings. Change-Id: I33f25aa02c96a72cb54c9d7ebd916d06a8a69edf
This commit is contained in:
parent
0ce3e1d647
commit
4eed6bf5b5
|
@ -275,7 +275,7 @@ class AccountController(object):
|
|||
account_list = json.dumps(data)
|
||||
elif out_content_type.endswith('/xml'):
|
||||
output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
|
||||
'<account name="%s">' % account]
|
||||
'<account name="%s">' % saxutils.escape(account)]
|
||||
for (name, object_count, bytes_used, is_subdir) in account_list:
|
||||
name = saxutils.escape(name)
|
||||
if is_subdir:
|
||||
|
|
Loading…
Reference in New Issue