X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FNBI.git;a=blobdiff_plain;f=osm_nbi%2Fhtml_out.py;h=316e15b41489d833811a731bc4b5a84dc0b07ef5;hp=82362ecfb7cb323a7ed0b11f23d97e71e708c0c6;hb=341ac1bac7b115d64a50ec166aa5e6d186b39443;hpb=74b5358852f075371c51919a0ec2c9f57e1143b5;ds=sidebyside
diff --git a/osm_nbi/html_out.py b/osm_nbi/html_out.py
index 82362ec..316e15b 100644
--- a/osm_nbi/html_out.py
+++ b/osm_nbi/html_out.py
@@ -26,7 +26,8 @@ html_start = """
-Welcome to OSM
+ Welcome to OSM
+
@@ -48,6 +49,7 @@ html_start = """ SDNs K8s_clusters K8s_repos + NS_Subs logout
@@ -71,6 +73,7 @@ html_auth2 = """ OSM Login +
@@ -150,9 +153,11 @@ def format(data, request, response, toke_info):
 return html_auth2.format(error=data)
 if request.path_info in ("/version", "/system"):
 return "
" + yaml.safe_dump(data, explicit_start=False, indent=4, default_flow_style=False) + "
"
- body = html_body.format(item=request.path_info)
+ body = html_body.format(item=html_escape(request.path_info))
 if response.status and response.status > 202:
- body += html_body_error.format(yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False))
+ # input request.path_info (URL) can contain XSS that are translated into output error detail
+ body += html_body_error.format(html_escape(
+ yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False)))
 elif isinstance(data, (list, tuple)):
 if request.path_info == "/vnfpkgm/v1/vnf_packages":
 body += html_upload_body.format(request.path_info + "_content", "VNFD")
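Review bot: The `/version` and `/system` branch at the top of the hunk still returns the raw `yaml.safe_dump(data, ...)` output wrapped in the pre-formatted tags (the tags themselves are lost in this rendering) without `html_escape`, so the output-encoding policy the commit introduces for the error path is not applied uniformly; `data` there looks server-generated, so the exposure is low, but `return "<pre>" + html_escape(yaml.safe_dump(data, explicit_start=False, indent=4, default_flow_style=False)) + "</pre>"` keeps every HTML string built in `format` consistently encoded. The import or definition of `html_escape` is not visible in these hunks, so I assume it is brought into scope elsewhere in the commit; if it is `html.escape`, its default `quote=True` is what makes the `item=` attribute/text insertion on the first added line safe, which is worth a word in the comment. The added comment would read more precisely as `# request.path_info is attacker-controlled and is echoed into the error detail, so escape it`. The body of `format` begins before and continues past this hunk.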