From: Andrew Donnellan <a...@linux.ibm.com>

States with names containing special characters are not correctly escaped when generating the select list. Use escape() to fix this.
Signed-off-by: Andrew Donnellan <a...@linux.ibm.com> (cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13) Signed-off-by: Daniel Axtens <d...@axtens.net> [Fixup for 1.16 context, CVE-2019-13122 ] Signed-off-by: Armin Kuster <akus...@mvista.com> --- patchwork/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patchwork/filters.py b/patchwork/filters.py index 87c904f..b734207 100644 --- a/patchwork/filters.py +++ b/patchwork/filters.py @@ -212,7 +212,7 @@ class StateFilter(Filter): selected = ' selected="true"' str += '<option value="%d" %s>%s</option>' % ( - state.id, selected, state.name) + state.id, selected, escape(state.name)) str += '</select>' return mark_safe(str) -- 2.7.4
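Review bot: In the StateFilter hunk, `escape(state.name)` closes this one injection point, but the markup is still assembled with `%` formatting and returned through `mark_safe(str)`, so every interpolated value has to be escaped by hand and anything added to this string later is unescaped by default. Consider building the `<option>` elements with Django's `format_html`, which escapes its arguments, rather than concatenating and then calling `mark_safe`. The diffstat shows a single changed line in patchwork/filters.py, so the patch relies on `escape` already being imported in that file; that is worth confirming against the 1.16 context this was fixed up for. The diffstat also shows no test file, so a regression test with a state name containing HTML special characters would help keep this fixed. As a style point, the accumulator named `str` in the context lines shadows the builtin.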