dashboard: fix xss in autocomplete

0b7b8883 · Bach Dániel · 832cfdce · 0b7b8883
Commit 0b7b8883 authored Sep 10, 2014 by Bach Dániel
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

circle/dashboard/autocomplete_light_registry.py
+8 -3

No files found.
--- a/circle/dashboard/autocomplete_light_registry.py
+++ b/circle/dashboard/autocomplete_light_registry.py
 import autocomplete_light
 from django.contrib.auth.models import User
+from django.utils.html import escape
 from django.utils.translation import ugettext as _

 from .views import AclUpdateView
@@ -23,10 +24,14 @@ class AclUserGroupAutocomplete(autocomplete_light.AutocompleteGenericBase):
            match = None
        if q and match is not None:
            match_end = match + len(q)
-            return (field[:match] + '<span class="autocomplete-hl">' +
-                    field[match:match_end] + '</span>' + field[match_end:])
+            return (escape(field[:match])
+                    + '<span class="autocomplete-hl">'
+                    + escape(field[match:match_end])
+                    + '</span>' + escape(field[match_end:]))
+        elif none_wo_match:
+            return None
        else:
-            return None if none_wo_match else field
+            return escape(field)

    def choice_displayed_text(self, choice):
        q = unicode(self.request.GET.get('q', ''))