Merge pull request #1120 from piotr1212/upstream0.9.x

0.9.x fix XSS issue in user saved graphs

webapp/graphite/browser/views.py

@@ -17,6 +17,7 @@
 from django.utils.safestring import mark_safe
 from django.http import HttpResponse
 from django.conf import settings
+from django.utils.html import escape
 from graphite.account.models import Profile
 from graphite.util import getProfile, getProfileByUsername, defaultUser, json
 from graphite.logger import log
@@ -132,7 +133,7 @@ def myGraphLookup(request):
          if name in leaf_inserted: continue
          leaf_inserted.add(name)
 
-      node = {'text' : str(name) }
+      node = {'text': escape(str(name))}
 
       if isBranch:
         node.update( { 'id' : str(userpath_prefix + name + '.') } )
@@ -219,7 +220,7 @@ def userGraphLookup(request):
 
         if '.' in relativePath: # branch
           node = {
-            'text' : str(nodeName),
+            'text' : escape(str(nodeName)),
             'id' : str(username + '.' + prefix + nodeName + '.'),
           }
           node.update(branchNode)
@@ -228,7 +229,7 @@ def userGraphLookup(request):
           m.update(nodeName)
 
           node = {
-            'text' : str(nodeName ),
+            'text' : escape(str(nodeName)),
             'id' : str(username + '.' + prefix + m.hexdigest()),
             'graphUrl' : str(graph.url),
           }