Cabinets app: Escape cabinet labels to avoid possible exploit of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report and proposed solutions. Closes GitLab issue #495.
Signed-off-by: Roberto Rosario <roberto.rosario.gonzalez@gmail.com>
@@ -39,6 +39,9 @@
- Appearance app: avoid setting window.location directly to avoid exploit
of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report
and solution. Closes GitLab issue #494.
- Cabinets app: Escape cabinet labels to avoid possible exploit of
cross site scripting. Thanks to Lokesh (@lokesh1095) for the report
and proposed solutions. Closes GitLab issue #495.
3.0.1 (2018-07-08)
=================
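Review bot: The new entry says what was fixed but not where the exposure was, which is what a user triaging this release needs: the cabinet label was interpolated unescaped into the jstree JSON built by jstree_data in the cabinets app, so anyone permitted to name a cabinet could inject markup into the cabinet tree widget shown to every viewer. Suggest stating the surface in the entry, e.g. "Escape cabinet labels in the JSTree data to avoid possible exploit of cross site scripting", and naming the affected versions if they are known.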
@@ -1,15 +1,16 @@
from __future__ import unicode_literals
from django.apps import apps
from django.utils.html import format_html_join
from django.utils.html import format_html, format_html_join
from .permissions import permission_cabinet_view
def jstree_data(node, selected_node):
result = []
result.append('{')
result.append('"text": "{}",'.format(node.label))
result.append(format_html('"text": "{}",', node.label))
result.append(
'"state": {{ "opened": true, "selected": {} }},'.format(
'true' if node == selected_node else 'false'
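Review bot: Switching the "text" line from str.format to format_html closes the HTML injection, but jstree_data is still assembling JSON by string concatenation, and HTML escaping is not JSON escaping: `&quot;` happens to neutralize a double quote, yet a label containing a backslash (for example one ending in `\`), a raw newline or another control character can still yield a malformed JSON string, and the `"state"` line below it keeps the same hand-quoting pattern. Consider building a plain dict, `{'text': escape(node.label), 'state': {'opened': True, 'selected': node == selected_node}}`, serialising it with `json.dumps`, and marking the payload safe once at the point where it is emitted, so quoting is done by the JSON encoder and the HTML escaping of the label stays explicit and in one place.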