Fix bug by escaping strings from Nova before displaying them

Fixes bug #1247675

(cherry-picked from commit b8ff480)
Change-Id: I3637faafec1e1fba081533ee020f4ee218fea101
Rob Raymond 2013-11-04 12:12:40 -07:00 committed by Sascha Peilicke
parent a68c609dbc
commit b14debc731
2 changed files with 6 additions and 4 deletions


@ -17,6 +17,7 @@
import logging
from django.core.urlresolvers import reverse
from django.utils import html
from django.utils import safestring
from django.utils.http import urlencode
from django.utils.translation import ugettext_lazy as _
@ -68,6 +69,7 @@ class SnapshotVolumeNameColumn(tables.Column):
request = self.table.request
volume_name = api.cinder.volume_get(request,
snapshot.volume_id).display_name
volume_name = html.escape(volume_name)
return safestring.mark_safe(volume_name)
def get_link_url(self, snapshot):
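Review bot: `html.escape` already returns a `SafeData` string, so the `safestring.mark_safe(volume_name)` on the line after the added escape is a no-op, and keeping an explicit `mark_safe` around an already-escaped value is exactly the pattern that lets a later edit (say, appending a suffix or link to `volume_name` before the return) bypass the escape silently. I would return the escaped value directly, `return html.escape(volume_name)`, and drop the `mark_safe`. Note also that `volume_get(...).display_name` can be `None` for a volume created without a name; `html.escape` then renders the text `None` rather than an empty cell — presumably the same as before this change, but `html.escape(volume_name or '')` would avoid it. The enclosing method starts before this hunk.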


@ -19,7 +19,7 @@ import logging
from django.core.urlresolvers import reverse, NoReverseMatch
from django.template.defaultfilters import title
from django.utils import safestring
from django.utils.html import strip_tags
from django.utils import html
from django.utils.translation import ugettext_lazy as _
from horizon import exceptions
@ -111,7 +111,7 @@ def get_attachment_name(request, attachment):
"attachment information."))
try:
url = reverse("horizon:project:instances:detail", args=(server_id,))
instance = '<a href="%s">%s</a>' % (url, name)
instance = '<a href="%s">%s</a>' % (url, html.escape(name))
except NoReverseMatch:
instance = name
return instance
@ -132,7 +132,7 @@ class AttachmentColumn(tables.Column):
# without the server name...
instance = get_attachment_name(request, attachment)
vals = {"instance": instance,
"dev": attachment["device"]}
"dev": html.escape(attachment["device"])}
attachments.append(link % vals)
return safestring.mark_safe(", ".join(attachments))
@ -225,7 +225,7 @@ class AttachmentsTable(tables.DataTable):
def get_object_display(self, attachment):
instance_name = get_attachment_name(self.request, attachment)
vals = {"dev": attachment['device'],
"instance_name": strip_tags(instance_name)}
"instance_name": html.escape(instance_name)}
return _("%(dev)s on instance %(instance_name)s") % vals
def get_object_by_id(self, obj_id):
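Review bot: The `except NoReverseMatch` branch of `get_attachment_name` still assigns the raw `name`, and `AttachmentColumn.get_raw_data` folds that result into `link % vals` and wraps the joined string in `safestring.mark_safe`, so a server name containing markup is still rendered unescaped whenever the instance detail URL cannot be reversed; the fallback should read `instance = html.escape(name)` as well. Separately, `get_object_display` now escapes the full `<a href=...>` markup that `get_attachment_name` returns, so the anchor tags will appear entity-encoded in the object display instead of being removed as `strip_tags` did. That method builds a plain-text message, not HTML: the clean fix is to give it the plain server name and leave escaping to the template that renders the message, since escaping here only double-encodes the already-escaped name. `get_attachment_name` and `AttachmentColumn.get_raw_data` both start before their hunks.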