XSS character escaping for tooltips

I've added character escaping for tooltips to avoid XSS security breaches
Jared Tabor
2015-01-29 16:19:40 -05:00
parent 71eaa5aa2a
commit 7408387826


@@ -389,7 +389,7 @@ angular.module('AWDirectives', ['RestServices', 'Utilities', 'AuthService', 'Job
* Include the standard TB data-XXX attributes to controll a tooltip's appearance. We will * Include the standard TB data-XXX attributes to controll a tooltip's appearance. We will
* default placement to the left and delay to the config setting. * default placement to the left and delay to the config setting.
*/ */
.directive('awToolTip', function() { .directive('awToolTip', function($sce) {
return function(scope, element, attrs) { return function(scope, element, attrs) {
var delay = (attrs.delay !== undefined && attrs.delay !== null) ? attrs.delay : ($AnsibleConfig) ? $AnsibleConfig.tooltip_delay : {show: 500, hide: 100}, var delay = (attrs.delay !== undefined && attrs.delay !== null) ? attrs.delay : ($AnsibleConfig) ? $AnsibleConfig.tooltip_delay : {show: 500, hide: 100},
placement; placement;
@@ -409,6 +409,9 @@ angular.module('AWDirectives', ['RestServices', 'Utilities', 'AuthService', 'Job
}); });
}); });
attrs.awToolTip = attrs.awToolTip.replace(/</g, "&lt;");
attrs.awToolTip = attrs.awToolTip.replace(/>/g, "&gt;");
attrs.awToolTip = $sce.getTrustedHtml(attrs.awToolTip);
$(element).tooltip({ $(element).tooltip({
placement: placement, placement: placement,
delay: delay, delay: delay,
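Review bot: The escaping added just before `$(element).tooltip({` replaces only `<` and `>` and leaves `&`, `"` and `'` untouched, so it protects the value only if it is rendered as element content and never written back into an attribute such as `title`; where the tooltip reads its text is outside this hunk. A fuller encoding, with `&` handled first, would be `attrs.awToolTip = attrs.awToolTip.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");`. `$sce.getTrustedHtml` on a plain string falls back to `$sanitize` and throws when ngSanitize is not loaded; the module's dependency list is truncated in the hunk header, so that is worth confirming. The escaping also runs once at link time, so a value that arrives later through interpolation would presumably bypass it unless the same step is applied wherever the attribute is observed. The directive body and the tooltip options both continue outside the hunk.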