[yocto] [error-report-web][PATCH] parser: Check for tag markup in the metadata fields

Michael Wood michael.g.wood at intel.com
Mon Oct 27 09:45:44 PDT 2014


Before we commit the error report metadata to the database, do a
rudimentary check on all fields that are passed to the graphs page to
avoid any XSS happening.

Signed-off-by: Michael Wood <michael.g.wood at intel.com>
---
 Post/parser.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/Post/parser.py b/Post/parser.py
index fae9194..b180165 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -18,8 +18,21 @@ class Parser:
     def __init__(self, data):
         self.data = data
 
+    # returns true if the values contain '<' char
+    # Ignore the failures field (which is an array anyway)
+    def contains_tags (self, data):
+        for key,val in data.items():
+            if key == 'failures':
+                continue
+
+            if '<' in val:
+                return True
+        return False
+
     def parse(self):
         jsondata = json.loads(self.data)
+        if self.contains_tags(jsondata) == True:
+            return
 
         MACHINE_NAME = str(jsondata['machine'])
         NATIVELSBSTRING = str(jsondata['nativelsb'])
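Review bot: `if '<' in val:` in `contains_tags` assumes every non-`failures` value is a string; a numeric, `None` or nested-object field from the submitted JSON will raise `TypeError` (or, for a dict, test its keys instead of its content), which turns a malformed report into a 500 rather than a rejection. Guard with `isinstance(val, str)` (or check `'<' in str(val)`) before the membership test. Two further points on the same hunk: skipping `failures` because "it is an array anyway" leaves the array's own string contents unchecked, so if those reach a template they need the same treatment (walk the array, or rely on the template's autoescaping for every field rather than on this input filter); and `parse()` silently `return`s `None` on rejection, so the caller cannot tell a blocked report from a parse failure and the submitter gets no indication why the report was dropped. Consider raising or returning an explicit error value, and drop the `== True` comparison (`if self.contains_tags(jsondata):`). Looking only for `<` is a narrow blocklist; it is reasonable as a defence-in-depth check, but output escaping in the graphs page should remain the primary control.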
-- 
1.9.1
