Sanitation of metadata passed from Django

We need to escape HTML in metadata passed from Django, which can lead to security issues. Refer to the bug for more details. Conflicts: horizon/templates/horizon/common/_modal_form_update_metadata.html The conflict was that there are extra spaces in the line. Co-Authored-By: Szymon Wroblewski <szymon.wroblewski@intel.com> Change-Id: I4821eacb0bb274befab7995f3a8f87c82d3997f5 Closes-bug: #1449260 (cherry picked from commit 81e1fa1317) (cherry picked from commit e7f3e0880f)
2015-05-15 14:21:31 -05:00 · 2015-05-15 14:21:31 -05:00 · 6c944b5013
parent db641dccb6
commit 6c944b5013
1 changed files with 2 additions and 2 deletions
--- a/horizon/templates/horizon/common/_modal_form_update_metadata.html
+++ b/horizon/templates/horizon/common/_modal_form_update_metadata.html
@ -224,8 +224,8 @@
    </div>
  </div>
  <script type="text/javascript">
-    var existing_metadata = {{existing_metadata|safe}};
-    var available_metadata = {{available_metadata|safe}};
+    var existing_metadata = JSON.parse('{{existing_metadata|escapejs}}');
+    var available_metadata = JSON.parse('{{available_metadata|escapejs}}');
  </script>
 {% endblock %}