From 7408387826a8dc7d6176e913ad98489924526b1c Mon Sep 17 00:00:00 2001
From: Jared Tabor
Date: Thu, 29 Jan 2015 16:19:40 -0500
Subject: [PATCH] XSS character escaping for tooltips

I've added character escaping for tooltips to avoid XSS security breaches
---
 awx/ui/static/lib/ansible/directives.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/awx/ui/static/lib/ansible/directives.js b/awx/ui/static/lib/ansible/directives.js
index 4d4e0d2dd2..ebda3089d7 100644
--- a/awx/ui/static/lib/ansible/directives.js
+++ b/awx/ui/static/lib/ansible/directives.js
@@ -389,7 +389,7 @@ angular.module('AWDirectives', ['RestServices', 'Utilities', 'AuthService', 'Job
 * Include the standard TB data-XXX attributes to controll a tooltip's appearance. We will
 * default placement to the left and delay to the config setting.
 */
- .directive('awToolTip', function() {
+ .directive('awToolTip', function($sce) {
 return function(scope, element, attrs) {
 var delay = (attrs.delay !== undefined && attrs.delay !== null) ? attrs.delay : ($AnsibleConfig) ? $AnsibleConfig.tooltip_delay : {show: 500, hide: 100},
 placement;
@@ -409,6 +409,9 @@ angular.module('AWDirectives', ['RestServices', 'Utilities', 'AuthService', 'Job
 });
 });
+ attrs.awToolTip = attrs.awToolTip.replace(//g, ">");
+ attrs.awToolTip = $sce.getTrustedHtml(attrs.awToolTip);
 $(element).tooltip({
 placement: placement,
 delay: delay,
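Review bot: The second added line in the `@@ -409,6 +409,9 @@` hunk, `attrs.awToolTip = $sce.getTrustedHtml(attrs.awToolTip);`, is not an escaping step: on a plain string `$sce.getTrustedHtml` is a no-op when strict contextual escaping is disabled, delegates to `$sanitize` only if ngSanitize is loaded, and otherwise throws `$sce:unsafe`, so what it does here depends on app configuration that the commit does not mention. The `.replace()` chain above it appears only partially legible in this rendering (the `>` to `&gt;` replacement survives, a `<` replacement is presumably lost to extraction), but at most it covers `<` and `>`, leaving `&`, `"` and `'` raw, and it rewrites `attrs.awToolTip` once, so a title that is later updated through `title`/`data-original-title` is not covered. If the tooltip options that continue below the hunk set `html: true`, the simpler fix is to drop that option (Bootstrap then inserts the title with `.text()`) and delete both added lines; if markup must be supported, pass the string through `$sanitize` from ngSanitize explicitly instead of `$sce.getTrustedHtml`. The enclosing link function begins in the first hunk and ends outside this one.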