From 71eaa5aa2ad132bd3c3ea06723839f77ad21d5b9 Mon Sep 17 00:00:00 2001 From: Jared Tabor Date: Thu, 29 Jan 2015 15:21:24 -0500 Subject: [PATCH] XSS character escaping for activity stream The activity stream widget needed the XSS character escaping --- awx/ui/static/js/widgets/Stream.js | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/awx/ui/static/js/widgets/Stream.js b/awx/ui/static/js/widgets/Stream.js index bcdbc4f34c..3d3da765f2 100644 --- a/awx/ui/static/js/widgets/Stream.js +++ b/awx/ui/static/js/widgets/Stream.js @@ -14,7 +14,7 @@ 'use strict'; angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefinition', 'SearchHelper', 'PaginationHelpers', - 'RefreshHelper', 'ListGenerator', 'StreamWidget', 'AuthService' + 'RefreshHelper', 'ListGenerator', 'StreamWidget', 'AuthService', ]) .factory('setStreamHeight', [ @@ -175,8 +175,8 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti } ]) -.factory('BuildDescription', ['FixUrl', 'BuildUrl', - function (FixUrl, BuildUrl) { +.factory('BuildDescription', ['FixUrl', 'BuildUrl','$sce', + function (FixUrl, BuildUrl, $sce) { return function (activity) { function stripDeleted(s) { @@ -264,7 +264,9 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti descr += obj1 + name; descr_nolink += obj1 + name_nolink; } - activity.description = descr; + descr = descr.replace(//g, ">"); + activity.description = $sce.getTrustedHtml(descr); activity.description_nolink = descr_nolink; }; }
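Review bot: The trailing comma added after `'AuthService'` in the module dependency array (first hunk) is unrelated to the escaping fix and adds nothing in ES5 engines, while older JScript-based browsers may treat it as an extra `undefined` entry. I would restore the line to `'RefreshHelper', 'ListGenerator', 'StreamWidget', 'AuthService'`. If the comma is left over from a dependency that was meant to be added for the `$sce` call in the third hunk, that dependency should be listed explicitly instead.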
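Review bot: In the third hunk, `activity.description_nolink = descr_nolink;` is still assigned without the escaping the added lines apply to `descr`, so if that field is bound as HTML anywhere (not visible here) the same activity names reach the DOM unescaped. Escaping the assembled string also cannot tell the widget's own link markup from user-supplied text, and angle brackets alone do not cover quotes inside attribute values, so I would escape `name` and `name_nolink` where they are concatenated rather than the finished string. `$sce.getTrustedHtml(descr)` on a plain string only succeeds when `$sanitize` is available and otherwise throws, which deserves a comment such as `// requires ngSanitize: getTrustedHtml runs plain strings through $sanitize`. The `replace` call is garbled in this rendering, so its exact pattern could not be checked. The enclosing function starts outside the hunk.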