Fix metadata_to_str function code injection vulnerability
It is possible to inject HTML/JavaScript code into shares table
member page setting metadata to shares and share types table admin page
setting extra specs. So, escape HTML-specific symbols in output
string of 'metadata_to_str' function to make it interpreted
as string and not as code.
Reviewed: https:/ /review. openstack. org/380017 /git.openstack. org/cgit/ openstack/ manila- ui/commit/ ?id=89593686ef1 8f2bd06223b9207 1b4be2362a5abd
Committed: https:/
Submitter: Jenkins
Branch: stable/mitaka
commit 89593686ef18f2b d06223b92071b4b e2362a5abd
Author: Valeriy Ponomaryov <email address hidden>
Date: Thu Jun 30 20:19:22 2016 +0300
Fix metadata_to_str function code injection vulnerability
It is possible to inject HTML/JavaScript code into shares table
member page setting metadata to shares and share types table admin page
setting extra specs. So, escape HTML-specific symbols in output
string of 'metadata_to_str' function to make it interpreted
as string and not as code.
Depends-On: If83e66d4b2f0f1 db181e7c23ac256 c498566c2da e9aaac7d3117e03 cd1770fb75e 644212c5d673fbd 6866e67c43)
Change-Id: Ied567e06d91941
Security-Fix
Closes-Bug: #1597738
(clean cherry pick of commit fca19a1b0d42536