Commit 5101d440 by Bach Dániel

dashboard: fix xss in VmDisk*Form 💩

parent 68e1eb19
...@@ -39,6 +39,7 @@ from django.contrib.auth.forms import UserCreationForm as OrgUserCreationForm ...@@ -39,6 +39,7 @@ from django.contrib.auth.forms import UserCreationForm as OrgUserCreationForm
from django.forms.widgets import TextInput, HiddenInput from django.forms.widgets import TextInput, HiddenInput
from django.template import Context from django.template import Context
from django.template.loader import render_to_string from django.template.loader import render_to_string
from django.utils.html import escape
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from sizefield.widgets import FileSizeWidget from sizefield.widgets import FileSizeWidget
from django.core.urlresolvers import reverse_lazy from django.core.urlresolvers import reverse_lazy
...@@ -839,7 +840,7 @@ class VmDiskResizeForm(forms.Form): ...@@ -839,7 +840,7 @@ class VmDiskResizeForm(forms.Form):
helper.form_tag = False helper.form_tag = False
if self.disk: if self.disk:
helper.layout = Layout( helper.layout = Layout(
HTML(_("<label>Disk:</label> %s") % self.disk), HTML(_("<label>Disk:</label> %s") % escape(self.disk)),
Field('disk'), Field('size')) Field('disk'), Field('size'))
return helper return helper
...@@ -865,7 +866,7 @@ class VmDiskRemoveForm(forms.Form): ...@@ -865,7 +866,7 @@ class VmDiskRemoveForm(forms.Form):
helper.layout = Layout( helper.layout = Layout(
AnyTag( AnyTag(
"div", "div",
HTML(_("<label>Disk:</label> %s") % self.disk), HTML(_("<label>Disk:</label> %s") % escape(self.disk)),
css_class="form-group", css_class="form-group",
), ),
Field("disk"), Field("disk"),
......
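Review bot: The `escape()` added around `self.disk` in the VmDiskResizeForm hunk (and likewise in the VmDiskRemoveForm hunk) neutralises `<`, `>`, `&` and quotes but leaves `{` untouched; if the crispy-forms `HTML` layout object renders its string through the Django template engine with the page context, as the versions I know of do, a disk name containing `{{ ... }}` or `{% ... %}` would still be evaluated as template code rather than displayed as text. A mitigation that keeps the translation msgid unchanged is to neutralise the brace before the text reaches the template, e.g. `HTML(_("<label>Disk:</label> %s") % escape(self.disk).replace("{", "&#123;"))`, ideally through one small helper shared by both forms rather than duplicating the expression. Whether `HTML` does template-render its argument should be confirmed against the installed crispy-forms version before relying on `escape()` alone. Both enclosing helper methods start outside their hunks.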