X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;ds=sidebyside;f=osm_nbi%2Fhtml_out.py;h=316e15b41489d833811a731bc4b5a84dc0b07ef5;hb=refs%2Fchanges%2F38%2F9838%2F1;hp=efb3945fd32abd161e1c7c391ed30cace958e372;hpb=c67b0e994fe4a74098158e6340125e4c88cdb950;p=osm%2FNBI.git
diff --git a/osm_nbi/html_out.py b/osm_nbi/html_out.py
index efb3945f..316e15b4 100644
--- a/osm_nbi/html_out.py
+++ b/osm_nbi/html_out.py
@@ -26,7 +26,8 @@ html_start = """
-" + yaml.safe_dump(data, explicit_start=False, indent=4, default_flow_style=False) + "" - body = html_body.format(item=request.path_info) + body = html_body.format(item=html_escape(request.path_info)) if response.status and response.status > 202: - body += html_body_error.format(yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False)) + # input request.path_info (URL) can contain XSS that are translated into output error detail + body += html_body_error.format(html_escape( + yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False))) elif isinstance(data, (list, tuple)): if request.path_info == "/vnfpkgm/v1/vnf_packages": body += html_upload_body.format(request.path_info + "_content", "VNFD") @@ -168,16 +176,21 @@ def format(data, request, response, toke_info): if "Location" in response.headers: body += ' show '.format(response.headers["Location"]) else: + _id = request.path_info[request.path_info.rfind("/")+1:] body += ' '\ .format(request.path_info) if request.path_info.startswith("/nslcm/v1/ns_instances_content/") or \ request.path_info.startswith("/nslcm/v1/ns_instances/"): - _id = request.path_info[request.path_info.rfind("/")+1:] body += html_nslcmop_body.format(id=_id) elif request.path_info.startswith("/nsilcm/v1/netslice_instances_content/") or \ request.path_info.startswith("/nsilcm/v1/netslice_instances/"): - _id = request.path_info[request.path_info.rfind("/")+1:] body += html_nsilcmop_body.format(id=_id) + elif request.path_info.startswith("/vnfpkgm/v1/vnf_packages/") or \ + request.path_info.startswith("/vnfpkgm/v1/vnf_packages_content/"): + body += html_vnfpackage_body.format(id=_id) + elif request.path_info.startswith("/nsd/v1/ns_descriptors/") or \ + request.path_info.startswith("/nsd/v1/ns_descriptors_content/"): + body += html_nspackage_body.format(id=_id) body += "
" + html_escape(yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False)) + \ "" elif data is None:
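Review bot: In the `@@ -168,16 +176,21 @@` hunk the hoisted `_id` is sliced straight out of `request.path_info` and interpolated unescaped into `html_nslcmop_body`, `html_nsilcmop_body` and the two new `html_vnfpackage_body` / `html_nspackage_body` templates, and the context line `.format(request.path_info)` just above it is unescaped as well, so the request path still reaches the HTML output through sinks this commit does not cover. Escape once at the assignment, `_id = html_escape(request.path_info[request.path_info.rfind("/")+1:])`, and use `.format(html_escape(request.path_info))` on the line above; `response.headers["Location"]` in the sibling branch deserves the same treatment. The template bodies are not visible here, so if any of these values lands inside an `href` or another attribute, confirm that `html_escape` also escapes quote characters. The enclosing `format` function starts and ends outside the hunk.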