Changed instances of hard-coded XSS filtering to use the filter

This commit is contained in:
John Mitchell
2015-05-11 13:39:56 -04:00
parent 23a69995d3
commit 7dd5dd947d
4 changed files with 18 additions and 30 deletions


@@ -176,8 +176,8 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
}
])
.factory('BuildDescription', ['FixUrl', 'BuildUrl','$sce',
function (FixUrl, BuildUrl, $sce) {
.factory('BuildDescription', ['$filter', 'FixUrl', 'BuildUrl','$sce',
function ($filter, FixUrl, BuildUrl, $sce) {
return function (activity) {
function stripDeleted(s) {
@@ -210,9 +210,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
// The block until line 221 is for associative/disassociative operations, such as adding/removing a user to a team or vise versa
if (obj2_obj && obj2_obj.name && !/^_delete/.test(obj2_obj.name)) {
obj2_obj.base = obj2;
obj2_obj.name = obj2_obj.name.replace(/</g, "&lt;");
obj2_obj.name = obj2_obj.name.replace(/>/g, "&gt;");
obj2_obj.name = $sce.getTrustedHtml(obj2_obj.name);
obj2_obj.name = $filter('sanitize')(obj2_obj.name);
descr += obj2 + " <a href=\"" + BuildUrl(obj2_obj) + "\">" + obj2_obj.name + '</a>' + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
descr_nolink += obj2 + ' ' + obj2_obj.name + ((activity.operation === 'disassociate') ? ' from ' : ' to ');
} else if (obj2) {
@@ -227,8 +225,7 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
obj1_obj.base = obj1;
// Need to character escape the link names, as a malicious url or piece of html could be inserted here that could take the
// user to a unknown location.
obj1_obj.name = obj1_obj.name.replace(/</g, "&lt;");
obj1_obj.name = obj1_obj.name.replace(/>/g, "&gt;");
obj1_obj.name = $filter('sanitize')(obj1_obj.name);
obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name);
descr += obj1 + " <a href=\"" + BuildUrl(obj1_obj) + "\" >" + obj1_obj.name + '</a>';
descr_nolink += obj1 + ' ' + obj1_obj.name;
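Review bot: The obj1 branch in the last hunk keeps `obj1_obj.name = $sce.getTrustedHtml(obj1_obj.name);` after the new `$filter('sanitize')` call, while the obj2 branch in the previous hunk appears (from that hunk's 9→7 line counts) to drop the `getTrustedHtml` call, so the two branches no longer agree on what `name` holds when it is concatenated into `descr`. The `sanitize` filter is not defined in this diff; if it returns a plain string, `$sce.getTrustedHtml` will throw under strict contextual escaping unless the value was wrapped with `$sce.trustAsHtml`, and if it already returns a trusted wrapper the obj1 call is redundant — either way the two branches should be made identical, and the chosen behaviour confirmed against the filter's definition. The comment above the obj1 block still says the names are character-escaped, which the new code no longer does directly; replace it with something like `// Run the link name through the sanitize filter so a hostile name cannot inject markup into descr`. The output of `BuildUrl(...)` is still interpolated unescaped into the `href` attribute on both branches, so the filter covers only the link text; confirm BuildUrl's result is safe in attribute context or escape it there as well. The enclosing `BuildDescription` function starts before the first hunk and continues past the last.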