Commit 0b7b8883 by Bach Dániel

dashboard: fix xss in autocomplete

parent 832cfdce
import autocomplete_light import autocomplete_light
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.utils.html import escape
from django.utils.translation import ugettext as _ from django.utils.translation import ugettext as _
from .views import AclUpdateView from .views import AclUpdateView
...@@ -23,10 +24,14 @@ class AclUserGroupAutocomplete(autocomplete_light.AutocompleteGenericBase): ...@@ -23,10 +24,14 @@ class AclUserGroupAutocomplete(autocomplete_light.AutocompleteGenericBase):
match = None match = None
if q and match is not None: if q and match is not None:
match_end = match + len(q) match_end = match + len(q)
return (field[:match] + '<span class="autocomplete-hl">' + return (escape(field[:match])
field[match:match_end] + '</span>' + field[match_end:]) + '<span class="autocomplete-hl">'
+ escape(field[match:match_end])
+ '</span>' + escape(field[match_end:]))
elif none_wo_match:
return None
else: else:
return None if none_wo_match else field return escape(field)
def choice_displayed_text(self, choice): def choice_displayed_text(self, choice):
q = unicode(self.request.GET.get('q', '')) q = unicode(self.request.GET.get('q', ''))
......
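Review bot: The new highlight branch builds the label with `+`, which discards the safe marking that `escape()` puts on each segment: `SafeString + str` yields a plain unicode string, so the result is only rendered as HTML if the caller already treats the label as raw markup (it presumably does, since the pre-fix unescaped string was exploitable, but the new code no longer says so). `format_html('{0}<span class="autocomplete-hl">{1}</span>{2}', field[:match], field[match:match_end], field[match_end:])` escapes every segment and returns a mark_safe'd value in one call, keeping the escaping and the intended-HTML contract visible at the point of construction (available from Django 1.5). Segment-wise escaping is the right shape here because `match` is an index into the unescaped `field`, so escaping the whole string first would shift the highlight. The enclosing method starts before the hunk and its `match` computation is not visible, so the hedged claim about the caller should be confirmed against autocomplete_light's rendering of this label.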