From fd86b940e2b56c07728aeeaf1b28040df3fb93ec Mon Sep 17 00:00:00 2001
From: Jared Tabor
Date: Mon, 8 Dec 2014 11:10:20 -0500
Subject: [PATCH] Prevent html injection in host events replaced '<' and '>' characters with their escape characters to prevent html from being rendered onto the view.
---
 awx/ui/static/js/helpers/EventViewer.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/awx/ui/static/js/helpers/EventViewer.js b/awx/ui/static/js/helpers/EventViewer.js
index 8a4405e1c8..aaad261b09 100644
--- a/awx/ui/static/js/helpers/EventViewer.js
+++ b/awx/ui/static/js/helpers/EventViewer.js
@@ -360,6 +360,8 @@ angular.module('EventViewerHelper', ['ModalDialog', 'Utilities', 'EventsViewerFo
 event_data.id = event.id;
 event_data.parent = event.parent;
 event_data.event = (event.event_display) ? event.event_display : event.event;
+ event_data.msg = event_data.msg.replace(//g, ">");
 results.push(event_data);
 });
 if (show_event) {
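Review bot: The escaping added before `results.push(event_data)` covers only `<` and `>` (per the commit description), leaving `&` and quote characters as they are, so it is sufficient only where `msg` ends up as element content and not inside an attribute value. It also calls `.replace` on `event_data.msg` unconditionally; if an event has no `msg`, or a non-string one, this throws inside the callback, so I would guard it with `if (typeof event_data.msg === 'string')` and escape `&` first via `.replace(/&/g, '&amp;')`. A more durable fix is to render the message through a text binding in the template rather than escaping at the data layer; which binding the view uses is not visible here. The enclosing callback starts outside the hunk, and the added lines appear partly lost in this copy of the patch (the diffstat lists two insertions).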