dashboard: fix xss in notifications

Closes #374

dashboard: fix xss in notifications
Closes #374
111d424d · Bach Dániel · dedaf53a · 111d424d
Commit 111d424d authored Jan 07, 2015 by Bach Dániel
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

circle/dashboard/models.py
+11 -2

No files found.
--- a/circle/dashboard/models.py
+++ b/circle/dashboard/models.py
@@ -31,6 +31,7 @@ from django.db.models import (
 )
 from django.db.models.signals import post_save, pre_delete, post_delete
 from django.templatetags.static import static
+from django.utils.html import escape
 from django.utils.translation import ugettext_lazy as _
 from django_sshkey.models import UserKey
 from django.core.exceptions import ObjectDoesNotExist
@@ -87,7 +88,8 @@ class Notification(TimeStampedModel):
    @property
    def subject(self):
-        return HumanReadableObject.from_dict(self.subject_data)
+        return HumanReadableObject.from_dict(
+            self.escape_dict(self.subject_data))
    @subject.setter
    def subject(self, value):
@@ -95,7 +97,14 @@ class Notification(TimeStampedModel):
    @property
    def message(self):
-        return HumanReadableObject.from_dict(self.message_data)
+        return HumanReadableObject.from_dict(
+            self.escape_dict(self.message_data))
+    def escape_dict(self, data):
+        for k, v in data['params'].items():
+            if isinstance(v, basestring):
+                data['params'][k] = escape(v)
+        return data
    @message.setter
    def message(self, value):