Fix metadata_to_str function code injection vulnerability
It is possible to inject HTML/JavaScript code into shares table
member page setting metadata to shares and share types table admin page
setting extra specs. So, escape HTML-specific symbols in output
string of 'metadata_to_str' function to make it interpreted
as string and not as code.
Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
Security-Fix
Closes-Bug: #1597738
(clean cherry pick of commit fca19a1b0d42536644212c5d673fbd6866e67c43)
(cherry picked from commit 89593686ef18f2bd06223b92071b4be2362a5abd)
Reviewed: https://review.openstack.org/383585
Committed: https://git.openstack.org/cgit/openstack/manila-ui/commit/?id=009913d725bee34cef0bd62e47a298025ace2696
Submitter: Jenkins
Branch: stable/liberty
commit 009913d725bee34cef0bd62e47a298025ace2696
Author: Valeriy Ponomaryov <email address hidden>
Date: Thu Jun 30 20:19:22 2016 +0300
Fix metadata_to_str function code injection vulnerability
It is possible to inject HTML/JavaScript code into shares table
member page setting metadata to shares and share types table admin page
setting extra specs. So, escape HTML-specific symbols in output
string of 'metadata_to_str' function to make it interpreted
as string and not as code.
Change-Id: Ied567e06d91941e9aaac7d3117e03cd1770fb75e
Security-Fix
Closes-Bug: #1597738
(clean cherry pick of commit fca19a1b0d42536644212c5d673fbd6866e67c43)
(cherry picked from commit 89593686ef18f2bd06223b92071b4be2362a5abd)
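
An added illustration of the fix the commit message describes, not the manila-ui code itself: a hypothetical renderer for a metadata table cell, shown first without escaping and then with it. The function names, the `<br/>` separator and the truncation limit are assumptions, and `html.escape` from the Python standard library stands in for whatever escaping helper the project uses.

```python
import html

# Constructed sample: share metadata / extra specs as a user could set them.
SAMPLE = {
    "tier": "gold",
    "note": "<script>alert(1)</script>",
    'a"b': "x & y",
}


def render_unsafe(metadata):
    """'Before' form: keys and values reach the cell markup unescaped,
    so a stored value is parsed by the browser as HTML."""
    return "<br/>".join(
        "%s = %s" % (k, v) for k, v in sorted(metadata.items())
    )


def render_escaped(metadata, text_limit=40):
    """Hardened form: truncate, then escape keys and values, then join.

    Truncating before escaping keeps an entity such as '&lt;' from being
    cut in half; escaping before joining leaves the separator as the only
    markup in the result.
    """
    lines = []
    for key, value in sorted(metadata.items()):
        key, value = str(key), str(value)
        if len(value) > text_limit:
            value = value[:text_limit] + "..."
        lines.append("%s = %s" % (html.escape(key, quote=True),
                                  html.escape(value, quote=True)))
    return "<br/>".join(lines)


if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(render_escaped(SAMPLE))
```

Keys need the same treatment as values, since both come from the user who set the metadata or extra specs.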