Commit 111d424d by Bach Dániel

dashboard: fix xss in notifications

Closes #374
parent dedaf53a
......@@ -31,6 +31,7 @@ from django.db.models import (
)
from django.db.models.signals import post_save, pre_delete, post_delete
from django.templatetags.static import static
from django.utils.html import escape
from django.utils.translation import ugettext_lazy as _
from django_sshkey.models import UserKey
from django.core.exceptions import ObjectDoesNotExist
......@@ -87,7 +88,8 @@ class Notification(TimeStampedModel):
@property
def subject(self):
return HumanReadableObject.from_dict(self.subject_data)
return HumanReadableObject.from_dict(
self.escape_dict(self.subject_data))
@subject.setter
def subject(self, value):
......@@ -95,7 +97,14 @@ class Notification(TimeStampedModel):
@property
def message(self):
return HumanReadableObject.from_dict(self.message_data)
return HumanReadableObject.from_dict(
self.escape_dict(self.message_data))
def escape_dict(self, data):
for k, v in data['params'].items():
if isinstance(v, basestring):
data['params'][k] = escape(v)
return data
@message.setter
def message(self, value):
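Review bot: `escape_dict` rewrites `data['params']` in place, and both call sites — `message` here and `subject` in the previous hunk — hand it the instance's own `message_data`/`subject_data`, so merely reading the property mutates the stored dict; a later `save()` would persist the escaped text and the next read would escape it again (`&amp;lt;`), so the escaping should be done on a copy and the field left untouched. `data['params']` also raises `KeyError` for a notification whose dict has no params; whether every stored dict carries that key is not visible from here. Escaping only the `params` values presumably relies on the surrounding template text being developer-controlled, which is worth stating in the method's docstring, e.g. `"""Return a copy of *data* with string values under 'params' HTML-escaped; the template text itself is trusted."""`.
```python
def escape_dict(self, data):
    """Return a copy of *data* with string values under 'params' HTML-escaped.

    Works on a copy: callers pass the instance's stored *_data dict, which
    must not be rewritten or a later save() persists the escaped text.
    """
    escaped = dict(data)
    escaped['params'] = {
        k: escape(v) if isinstance(v, basestring) else v
        for k, v in data['params'].items()}
    return escaped
```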