Fix XSS issue with the unordered_list filter

When using the unordered_list filter in a Horizon table (as opposed to a template directly), autoescaping is not set by default and the input wasn't sanitised. Closes-Bug: #1349491 Change-Id: Id82eefe48ccb17a158751ec65d24f3ac779380ec
openstack · Aug 19, 2014 · ba908ae · ba908ae
1 parent 2b9c566
commit ba908ae
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/openstack_dashboard/dashboards/admin/aggregates/tables.py b/openstack_dashboard/dashboards/admin/aggregates/tables.py
@@ -93,18 +93,22 @@ def get_zone_hosts(zone):
     return host_details
 
 
+def safe_unordered_list(value):
+    return filters.unordered_list(value, autoescape=True)
+
+
 class HostAggregatesTable(tables.DataTable):
     name = tables.Column('name', verbose_name=_('Name'))
     availability_zone = tables.Column('availability_zone',
                                       verbose_name=_('Availability Zone'))
     hosts = tables.Column(get_aggregate_hosts,
                           verbose_name=_("Hosts"),
                           wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
     metadata = tables.Column(get_metadata,
                              verbose_name=_("Metadata"),
                              wrap_list=True,
-                             filters=(filters.unordered_list,))
+                             filters=(safe_unordered_list,))
 
     class Meta:
         name = "host_aggregates"
@@ -123,7 +127,7 @@ class AvailabilityZonesTable(tables.DataTable):
     hosts = tables.Column(get_zone_hosts,
                           verbose_name=_('Hosts'),
                           wrap_list=True,
-                          filters=(filters.unordered_list,))
+                          filters=(safe_unordered_list,))
     available = tables.Column(get_available,
                               verbose_name=_('Available'),
                               status=True,