From 1c49ad46411ce5aa58cafbd15fd5384bf3f16709 Mon Sep 17 00:00:00 2001
From: Leigh Johnson
Date: Fri, 1 Jul 2016 08:28:35 -0400
Subject: [PATCH] fix xss in activity stream, resolves #2731

---
 awx/ui/client/src/widgets/Stream.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/awx/ui/client/src/widgets/Stream.js b/awx/ui/client/src/widgets/Stream.js
index 60f3bd6cc0..4a8c6aeb61 100644
--- a/awx/ui/client/src/widgets/Stream.js
+++ b/awx/ui/client/src/widgets/Stream.js
@@ -22,11 +22,11 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
 'RefreshHelper', listGenerator.name, 'StreamWidget',
 ])
-.factory('BuildAnchor', [ '$log',
+.factory('BuildAnchor', [ '$log', '$filter',
 // Returns a full resource_name HTML string if link can be derived from supplied context
 // returns name of resource if activity stream object doesn't contain enough data to build a UI url
 // arguments are: a summary_field object, a resource type, an activity stream object
-function ($log) {
+function ($log, $filter) {
 return function (obj, resource, activity) {
 var url = '/#/';
 // try/except pattern asserts that:
@@ -75,11 +75,11 @@ angular.module('StreamWidget', ['RestServices', 'Utilities', 'StreamListDefiniti
 default:
 url += resource + 's/' + obj.id + '/';
 }
-return ' ' + (obj.name || obj.username) + ' ';
+return ' ' + $filter('sanitize')(obj.name || obj.username) + ' ';
 } catch(err){
 $log.debug(err);
-return ' ' + (obj.name || obj.username || '') + ' ';
+return ' ' + $filter('sanitize')(obj.name || obj.username || '') + ' ';
 }
 };
 }
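Review bot: The escaping added to the two return lines in the second hunk covers the display name but not `url`, which the context of the same hunk still assembles unescaped from `resource` and `obj.id` (`url += resource + 's/' + obj.id + '/';`); if `url` is placed into the returned markup as an href, as the factory's header comment about returning an HTML string suggests, an id containing quote or angle-bracket characters can still break out of the attribute. The anchor markup itself appears to have been stripped from this rendering, so that placement is inferred rather than visible. A minimal fix is to encode the path segment where it is built, `url += resource + 's/' + encodeURIComponent(obj.id) + '/';`, and apply the same in the other `case` branches of the switch that lies between the two hunks, or pass `url` through the same `sanitize` filter before concatenation. What `$filter('sanitize')` does is also not visible in this patch; it should be confirmed that it entity-encodes `<`, `>`, `&` and `"` rather than only stripping tags, because a tag-stripping sanitizer leaves attribute contexts exposed. The enclosing `BuildAnchor` factory starts before the first hunk and its switch over `resource` is outside both hunks.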