From: tierno Date: Wed, 31 Oct 2018 16:09:52 +0000 (+0100) Subject: bug 571 sanitize html output content of NBI X-Git-Tag: v5.0.0~22 X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FNBI.git;a=commitdiff_plain;h=ef4e224eb67d7b6711206591b8e1b5f8790c694e;ds=sidebyside bug 571 sanitize html output content of NBI Change-Id: Ieac5ae11a474c688a88e1311156a2dd8e16cbe47 Signed-off-by: tierno
---
diff --git a/osm_nbi/html_out.py b/osm_nbi/html_out.py
index bfa13d4..2fe4b8f 100644
--- a/osm_nbi/html_out.py
+++ b/osm_nbi/html_out.py
@@ -4,6 +4,7 @@ Contains html text in variables to make and html response
 import yaml
 from http import HTTPStatus
+from html import escape as html_escape
 __author__ = "Alfonso Tierno "
@@ -129,7 +130,8 @@ def format(data, request, response, session):
 data_id = k.pop("_id", None)
 elif isinstance(k, str):
 data_id = k
- body += '

{id}: {t}

'.format(url=request.path_info, id=data_id, t=k) + body += '

{id}: {t}

'.format(url=request.path_info, id=data_id, + t=html_escape(str(k))) elif isinstance(data, dict): if "Location" in response.headers: body += ' show '.format(response.headers["Location"]) @@ -140,12 +142,13 @@ def format(data, request, response, session): request.path_info.startswith("/nslcm/v1/ns_instances/"): _id = request.path_info[request.path_info.rfind("/")+1:] body += html_nslcmop_body.format(id=_id) - body += "
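Review bot: Only the anchor text `t` is escaped on the new `body +=` line; `id=data_id` and `url=request.path_info` are still substituted raw into the same link template, and they reach both the `href` attribute and the visible text. `data_id` comes from the stored record (`k.pop("_id", None)` or `k` itself) and `path_info` comes from the request, so neither is trustworthy output; the call should read `t=html_escape(str(k))` together with `url=html_escape(request.path_info), id=html_escape(str(data_id))` (`html.escape` quotes `"` by default, which is what the attribute context needs). The trailing context line `body += ' show '.format(response.headers["Location"])` places the Location header into an href unescaped as well and is worth the same treatment in a sanitizing commit. The enclosing `format` function begins before this hunk.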
" + yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False) + "
" + body += "
" + html_escape(yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False)) + \
+                "
" elif data is None: if request.method == "DELETE" or "METHOD=DELETE" in request.query_string: body += "
 deleted 
" else: - body = str(data) + body = html_escape(str(data)) user_text = " " if session: if session.get("username"):
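Review bot: The escaping added for the YAML dump and the `else` branch does not cover `_id`, which two lines above is sliced out of `request.path_info` and formatted into `html_nslcmop_body` unescaped; since the path is supplied by the client, that substitution should become `body += html_nslcmop_body.format(id=html_escape(_id))` unless `html_nslcmop_body` (defined outside this hunk) already places `{id}` only in a non-HTML context. As a matter of style, the new two-line `"<pre>" + html_escape(yaml.safe_dump(...)) + \` / `"</pre>"` concatenation would read more clearly as one `"<pre>{}</pre>".format(html_escape(yaml.safe_dump(...)))` call, matching the `.format` usage elsewhere in the function. The `format` function continues past this hunk, and the `session.get("username")` branch that follows presumably interpolates the username into `user_text`, so it deserves the same check.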