From b4d489ff1bb998ba355ad129fa9a8136782224c8 Mon Sep 17 00:00:00 2001
From: Jared Tabor
Date: Mon, 11 Jul 2016 09:28:25 -0700
Subject: [PATCH] XSS sanitize permissions popover and remove-permissions modal
---
awx/ui/client/src/access/roleList.partial.html | 2 +-
awx/ui/client/src/app.js | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/awx/ui/client/src/access/roleList.partial.html b/awx/ui/client/src/access/roleList.partial.html
index d98c13d53b..1478c9dc37 100644
--- a/awx/ui/client/src/access/roleList.partial.html
+++ b/awx/ui/client/src/access/roleList.partial.html
@@ -9,7 +9,7 @@
+ aw-tool-tip='{{entry.team_name | sanitize}}' aw-tip-placement='bottom'> {{ entry.name }}
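Review bot: The `sanitize` filter is applied only at this one `aw-tool-tip` binding, so the protection depends on every other template that feeds API-supplied text into `aw-tool-tip` doing the same. If the tooltip directive renders its value as HTML, which this fix implies, escaping inside the directive or auditing the remaining `aw-tool-tip='{{ ... }}'` bindings would close the whole class rather than this instance. A template comment next to the attribute reading `team_name is user-controlled and aw-tool-tip renders HTML; keep the sanitize filter` would stop a later cleanup from dropping it. The rest of the element is not visible in this hunk, so its other attributes could not be checked.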
diff --git a/awx/ui/client/src/app.js b/awx/ui/client/src/app.js index 2229f4ca77..b6f43018fc 100644 --- a/awx/ui/client/src/app.js +++ b/awx/ui/client/src/app.js @@ -521,11 +521,12 @@ var tower = angular.module('Tower', [ 'ClearScope', 'Socket', 'LoadConfig', 'Store', 'ShowSocketHelp', 'pendoService', 'Prompt', 'Rest', 'Wait', 'ProcessErrors', '$state', 'GetBasePath', 'ConfigService', - 'FeaturesService', + 'FeaturesService', '$filter', function ($q, $compile, $cookieStore, $rootScope, $log, CheckLicense, $location, Authorization, LoadBasePaths, Timer, ClearScope, Socket, LoadConfig, Store, ShowSocketHelp, pendoService, Prompt, Rest, Wait, - ProcessErrors, $state, GetBasePath, ConfigService, FeaturesService) { + ProcessErrors, $state, GetBasePath, ConfigService, FeaturesService, + $filter) { var sock; $rootScope.addPermission = function (scope) { $compile("")(scope); @@ -563,7 +564,7 @@ var tower = angular.module('Tower', [ if (accessListEntry.team_id) { Prompt({ hdr: `Team access removal`, - body: `
Please confirm that you would like to remove ${entry.name} access from the team ${entry.team_name}. This will affect all members of the team. If you would like to only remove access for this particular user, please remove them from the team.
`, + body: `
Please confirm that you would like to remove ${entry.name} access from the team ${$filter('sanitize')(entry.team_name)}. This will affect all members of the team. If you would like to only remove access for this particular user, please remove them from the team.
`, action: action, actionText: 'REMOVE TEAM ACCESS' });
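Review bot: `${entry.name}` is still interpolated raw into the same HTML `body` string where `entry.team_name` is now filtered, so the prompt is safe only if that name can never carry user-supplied text. Passing it through the same filter is cheap: `${$filter('sanitize')(entry.name)}`. The guard tests `accessListEntry.team_id` while the template reads `entry`, and the non-team branch of this function lies outside the hunk; if that branch builds a similar `body` from a username or other API field, it presumably needs the same treatment. Since `Prompt` evidently renders `body` as markup, a comment above the call such as `// body is rendered as HTML: sanitize every interpolated API value` would document the contract for future edits.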