HUE-5340 [search] Escape Solr fields that have XSS injection (like <script>alert(1234)</script>)
romainr committed Dec 2, 2016
1 parent f28a06d commit a3c5943
Showing 2 changed files with 7 additions and 7 deletions.
4 changes: 2 additions & 2 deletions apps/search/src/search/models.py
@@ -560,7 +560,7 @@ def get_default(self, user, name):
<div class="span12">%s</div>
</div>
<br/>
</div>""" % ' '.join(['{{%s}}' % field['name'] for field in fields]),
</div>""" % ' '.join(['{{%s}}' % escape(field['name']) for field in fields]),
"isGridLayout": True,
"showFieldList": True,
"showGrid": True,
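Review bot: the escaped name is interpolated into a `{{%s}}` template placeholder rather than directly into HTML, so HTML-escaping `<`, `>`, `&` and quotes does not stop a field name that contains `}}` or other placeholder syntax from closing the expression early; validating the name against the characters Solr actually accepts in a field name (or rejecting anything else) would be a stronger guard than escape() alone. Also, this file's diff adds no import line (2 additions, 2 deletions, both the escape() calls), so please confirm that `escape` is already imported in models.py and which implementation it is, since the test for this change does not show it.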
@@ -599,7 +599,7 @@ def get_default(self, user, name):
@classmethod
def _make_field(cls, field, attributes):
return {
'name': str(field),
'name': str(escape(field)),
'type': str(attributes.get('type', '')),
'isId': attributes.get('required') and attributes.get('uniqueKey'),
'isDynamic': 'dynamicBase' in attributes
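Review bot: escaping inside `_make_field` rewrites the stored field name, so a field whose real Solr name contains `&`, `<` or a quote (e.g. `a&b` becoming `a&amp;b`) would no longer match the Solr field when `name` is later used to build queries or facets; escaping at render time and keeping `name` as the raw identifier (or carrying a separate display name) avoids that mismatch and the risk of double escaping where a template autoescapes `name` again. If the model-level escape is kept, `'type': str(attributes.get('type', ''))` on the next line takes its value from the same Solr schema attributes and is still stored unescaped, so it should get the same treatment.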
10 changes: 5 additions & 5 deletions apps/search/src/search/tests.py

Large diffs are not rendered by default.
