Prevents cross-site-scripting in policy panels
Change-Id: I3184b614d81ed67acc4aa1bfea9697a0acc2205f Closes-bug: 1483372
parent
6e6c53300f
commit
5e8f3da385
|
@ -13,6 +13,7 @@
|
|||
from django.core.urlresolvers import reverse
|
||||
from django import http
|
||||
from django.template.defaultfilters import filesizeformat # noqa
|
||||
from django.utils import html
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.views.decorators.debug import sensitive_variables # noqa
|
||||
|
||||
|
@ -79,6 +80,10 @@ class UpdatePolicyRuleSetForm(BaseUpdateForm):
|
|||
def handle(self, request, context):
|
||||
try:
|
||||
policy_rule_set_id = self.initial['policy_rule_set_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.policy_rule_set_update(request,
|
||||
policy_rule_set_id,
|
||||
**context
|
||||
|
@ -133,6 +138,10 @@ class AddPolicyActionForm(forms.SelfHandlingForm):
|
|||
try:
|
||||
if not context['action_value']:
|
||||
del context['action_value']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
action = client.policyaction_create(request, **context)
|
||||
messages.success(request, _('Policy Action successfully created.'))
|
||||
return action
|
||||
|
@ -163,6 +172,10 @@ class UpdatePolicyActionForm(BaseUpdateForm):
|
|||
url = reverse('horizon:project:application_policy:index')
|
||||
try:
|
||||
policyaction_id = self.initial['policyaction_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.policyaction_update(request, policyaction_id, **context)
|
||||
messages.success(request, _('Policy Action successfully updated.'))
|
||||
return http.HttpResponseRedirect(url)
|
||||
|
@ -203,6 +216,8 @@ class AddPolicyClassifierForm(forms.SelfHandlingForm):
|
|||
try:
|
||||
if not context.get('port_range'):
|
||||
context['port_range'] = None
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
classifier = client.policyclassifier_create(request, **context)
|
||||
messages.success(
|
||||
request, _('Policy Classifier successfully created.'))
|
||||
|
@ -242,6 +257,10 @@ class UpdatePolicyClassifierForm(BaseUpdateForm):
|
|||
policyclassifier_id = self.initial['policyclassifier_id']
|
||||
if not context.get('port_range'):
|
||||
context['port_range'] = None
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.policyclassifier_update(self.request,
|
||||
policyclassifier_id, **context)
|
||||
messages.success(
|
||||
|
@ -286,6 +305,10 @@ class UpdatePolicyRuleForm(BaseUpdateForm):
|
|||
url = reverse('horizon:project:application_policy:index')
|
||||
try:
|
||||
prid = self.initial['policyrule_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.policyrule_update(request, prid, **context)
|
||||
messages.success(request, _('Policy rule successfully updated.'))
|
||||
return http.HttpResponseRedirect(url)
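Review bot: Escaping `name` and `description` in each `handle()` before the client call stores HTML-encoded text in the backend instead of encoding it where it is rendered, so the protection covers only objects written through these forms. Records created through the API or CLI never pass this code and would presumably still reach the page unescaped. Each update form (here and in the other files of this commit) also appears to re-encode the stored value on every save, because `html.escape` is not idempotent (`&` becomes `&amp;`, then `&amp;amp;`). The more robust fix is on the output side, which this diff does not show: rely on template auto-escaping, or call `html.escape` in the table column or template code that currently emits the raw value. Separately, the AddPolicyClassifierForm hunk escapes only `name`; if that form has a description field it needs the same treatment. All of these `handle()` bodies start or end outside their hunks.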
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
# under the License.
|
||||
|
||||
from django.core.urlresolvers import reverse
|
||||
from django.utils import html
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
|
||||
from horizon import exceptions
|
||||
|
@ -111,6 +112,10 @@ class AddContract(workflows.Workflow):
|
|||
|
||||
def _create_policy_rule_set(self, request, context):
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
return client.policy_rule_set_create(request, **context)
|
||||
except Exception as e:
|
||||
msg = self.format_status_message(self.failure_message) + str(e)
|
||||
|
@ -118,6 +123,10 @@ class AddContract(workflows.Workflow):
|
|||
return False
|
||||
|
||||
def handle(self, request, context):
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
policy_rule_set = self._create_policy_rule_set(request, context)
|
||||
self.object = policy_rule_set
|
||||
return policy_rule_set
|
||||
|
@ -251,6 +260,10 @@ class AddPolicyRule(workflows.Workflow):
|
|||
|
||||
def handle(self, request, context):
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
rule = client.policyrule_create(request, **context)
|
||||
self.object = rule
|
||||
return rule
|
||||
|
@ -311,6 +324,10 @@ class AddPolicyClassifier(workflows.Workflow):
|
|||
|
||||
def _create_classifer(self, request, context):
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.policyclassifier_create(request, **context)
|
||||
return True
|
||||
except Exception as e:
|
||||
|
@ -319,6 +336,10 @@ class AddPolicyClassifier(workflows.Workflow):
|
|||
return False
|
||||
|
||||
def handle(self, request, context):
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
classifier = self._create_classifer(request, context)
|
||||
if not classifier:
|
||||
return False
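Review bot: `AddContract.handle` escapes `context['name']` and `context['description']` and then passes the same dict to `_create_policy_rule_set`, which escapes both again, so the value is encoded twice before `client.policy_rule_set_create` (`a & b` ends up stored as `a &amp;amp; b`). `AddPolicyClassifier.handle` and `_create_classifer` have the same pair. Keep the escape in one of the two places, for example drop the four added lines from each `handle` so it goes straight to `policy_rule_set = self._create_policy_rule_set(request, context)`. The helper bodies continue outside the hunks; their `except` branches are cut off.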
|
||||
|
|
|
@ -15,6 +15,7 @@ import logging
|
|||
from django.core.urlresolvers import reverse
|
||||
from django import http
|
||||
from django import shortcuts
|
||||
from django.utils import html
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
|
||||
from horizon import exceptions
|
||||
|
@ -80,6 +81,10 @@ class AddL3PolicyForm(forms.SelfHandlingForm):
|
|||
def handle(self, request, context):
|
||||
url = reverse("horizon:project:network_policy:index")
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.l3policy_create(request, **context)
|
||||
msg = _("L3 Policy Created Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -122,6 +127,10 @@ class UpdateL3PolicyForm(AddL3PolicyForm):
|
|||
url = reverse("horizon:project:network_policy:index")
|
||||
try:
|
||||
l3policy_id = self.initial['l3policy_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.l3policy_update(request, l3policy_id, **context)
|
||||
msg = _("L3 Policy Updated Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -155,6 +164,10 @@ class AddL2PolicyForm(forms.SelfHandlingForm):
|
|||
url = reverse("horizon:project:network_policy:index")
|
||||
try:
|
||||
del context['allow_broadcast']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.l2policy_create(request, **context)
|
||||
msg = _("L2 Policy Created Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -195,6 +208,10 @@ class UpdateL2PolicyForm(forms.SelfHandlingForm):
|
|||
l2policy_id = self.initial['l2policy_id']
|
||||
try:
|
||||
del context['allow_broadcast']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.l2policy_update(request, l2policy_id, **context)
|
||||
msg = _("L2 Policy Updated Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -228,6 +245,10 @@ class CreateServicePolicyForm(forms.SelfHandlingForm):
|
|||
'value': values[2]}
|
||||
p.append(values)
|
||||
context['network_service_params'] = p
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.create_networkservice_policy(request, **context)
|
||||
msg = _("Service policy created successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -242,8 +263,8 @@ class NetworkServiceParam(object):
|
|||
|
||||
def __init__(self, context):
|
||||
self.ptype = context['param_type']
|
||||
self.pname = context['param_name']
|
||||
self.pvalue = context['param_value']
|
||||
self.pname = html.escape(context['param_name'])
|
||||
self.pvalue = html.escape(context['param_value'])
|
||||
self.name = "Type:%s,Name:%s,Value:%s" % (
|
||||
self.ptype, self.pname, self.pvalue)
|
||||
self.id = self.name
|
||||
|
@ -288,6 +309,10 @@ class UpdateServicePolicyForm(BaseUpdateForm):
|
|||
url = reverse("horizon:project:network_policy:index")
|
||||
try:
|
||||
policy_id = self.initial['service_policy_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.update_networkservice_policy(
|
||||
request, policy_id, **context)
|
||||
msg = _("Service policy updatedsuccessfully!")
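Review bot: In `NetworkServiceParam.__init__` the escaped `pname` and `pvalue` now feed `self.name` and, through `self.id = self.name`, the object's id, while `ptype` is left raw. If that id is later compared with or parsed back into the stored parameter (not visible here), the entity-encoded text will no longer match the original value. If `param_type` is free text rather than a fixed choice, it is also the one part of the displayed string still unescaped. Consider keeping the raw values on the object and encoding only where the string is rendered, or at least adding `self.ptype = html.escape(context['param_type'])` so the three parts are treated alike.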
|
||||
|
|
|
@ -14,6 +14,7 @@ import json
|
|||
import logging
|
||||
|
||||
from django.core.urlresolvers import reverse
|
||||
from django.utils import html
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
|
||||
from django import http
|
||||
|
@ -105,6 +106,10 @@ class CreateServiceChainNodeForm(forms.SelfHandlingForm):
|
|||
except KeyError:
|
||||
pass
|
||||
context['config'] = json.dumps(context['config'])
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.create_servicechain_node(request, **context)
|
||||
msg = _("Service Chain Node Created Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -137,6 +142,10 @@ class UpdateServiceChainNodeForm(BaseUpdateForm):
|
|||
url = reverse("horizon:project:network_services:index")
|
||||
try:
|
||||
scnode_id = self.initial['scnode_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.update_servicechain_node(
|
||||
request, scnode_id, **context)
|
||||
msg = _("Service Chain Node Updated Successfully!")
|
||||
|
@ -183,6 +192,10 @@ class CreateServiceChainSpecForm(forms.SelfHandlingForm):
|
|||
def handle(self, request, context):
|
||||
url = reverse("horizon:project:network_services:index")
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.create_servicechain_spec(request, **context)
|
||||
msg = _("Service Chain Spec Created Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -219,6 +232,10 @@ class UpdateServiceChainSpecForm(CreateServiceChainSpecForm, BaseUpdateForm):
|
|||
url = reverse("horizon:project:network_services:index")
|
||||
try:
|
||||
scspec_id = self.initial['scspec_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.update_servicechain_spec(request, scspec_id, **context)
|
||||
msg = _("Service Chain Spec Updated Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -260,6 +277,10 @@ class CreateServiceChainInstanceForm(forms.SelfHandlingForm):
|
|||
def handle(self, request, context):
|
||||
url = reverse("horizon:project:network_services:index")
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.create_servicechain_instance(request, **context)
|
||||
msg = _("Service Chain Instance Created Successfully!")
|
||||
LOG.debug(msg)
|
||||
|
@ -295,6 +316,10 @@ class UpdateServiceChainInstanceForm(forms.SelfHandlingForm):
|
|||
url = reverse("horizon:project:network_services:index")
|
||||
try:
|
||||
scinstance_id = self.initial['scinstance_id']
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
client.update_servicechain_instance(
|
||||
request, scinstance_id, **context)
|
||||
msg = _("Service Chain Instance Created Successfully!")
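Review bot: The same four-line escape of `name` and `description` is pasted into every handler in this file (six hunks), which makes it easy to miss a handler or a field when new forms are added. A small module-level helper, called as `_escape_text_fields(context)` at the top of each `try`, would keep the rule in one place and give a single spot to document why it exists. The handlers' bodies start and end outside these hunks, so check where the call sits relative to the existing `try`/`except`.

```python
def _escape_text_fields(context, fields=('name', 'description')):
    """HTML-escape the free-text fields of a form context, in place."""
    for field in fields:
        if context.get(field):
            context[field] = html.escape(context[field])

# … unchanged: each handle() body, with the two `if context.get(...)` blocks
# replaced by a single _escape_text_fields(context) call …
```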
|
||||
|
|
|
@ -14,6 +14,7 @@ import logging
|
|||
|
||||
from django.core.urlresolvers import reverse
|
||||
from django import http
|
||||
from django.utils import html
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
|
||||
from horizon import exceptions
|
||||
|
@ -112,6 +113,10 @@ class UpdatePolicyTargetForm(forms.SelfHandlingForm):
|
|||
context['consumed_policy_rule_sets'] = None
|
||||
if context['network_service_policy_id'] == 'None':
|
||||
context['network_service_policy_id'] = None
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
policy_target = client.policy_target_update(
|
||||
request, policy_target_id, **context)
|
||||
msg = _('Group %s was successfully updated.') % name_or_id
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
import logging
|
||||
|
||||
from django.core.urlresolvers import reverse
|
||||
from django.utils import html
|
||||
from django.utils.text import normalize_newlines # noqa
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.views.decorators.debug import sensitive_variables # noqa
|
||||
|
@ -213,6 +214,10 @@ class AddPTG(workflows.Workflow):
|
|||
|
||||
def handle(self, request, context):
|
||||
try:
|
||||
if context.get('name'):
|
||||
context['name'] = html.escape(context['name'])
|
||||
if context.get('description'):
|
||||
context['description'] = html.escape(context['description'])
|
||||
group = client.policy_target_create(request, **context)
|
||||
return group
|
||||
except Exception as e:
|
||||
|
|