[yocto] [error-report-web][PATCH] parser: Check for tag markup in the metadata fields
Michael Wood
michael.g.wood at intel.com
Mon Oct 27 09:45:44 PDT 2014
Before we commit the error report metadata to the database, do a
rudimentary check on all fields that are passed to the graphs page to
avoid any XSS from happening.
Signed-off-by: Michael Wood <michael.g.wood at intel.com>
---
Post/parser.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/Post/parser.py b/Post/parser.py
index fae9194..b180165 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -18,8 +18,21 @@ class Parser:
def __init__(self, data):
self.data = data
+ # returns true if the values contain '<' char
+ # Ignore the failures field (which is an array anyway)
+ def contains_tags (self, data):
+ for key,val in data.items():
+ if key == 'failures':
+ continue
+
+ if '<' in val:
+ return True
+ return False
+
def parse(self):
jsondata = json.loads(self.data)
+ if self.contains_tags(jsondata) == True:
+ return
MACHINE_NAME = str(jsondata['machine'])
NATIVELSBSTRING = str(jsondata['nativelsb'])
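Review bot: `'<' in val` in the new contains_tags() body raises TypeError whenever a metadata field is not a string (JSON numbers, null, nested objects or lists other than 'failures'), so parse() would crash on such a report instead of rejecting it; guard the type first, `if isinstance(val, str) and '<' in val:` (if this runs on Python 2, json.loads yields unicode values and the isinstance check needs to cover that type as well). The filter is also a denylist on a single character that only inspects top-level keys, so it should be treated as defence in depth rather than the XSS fix itself — the graphs page still needs to escape every value at output time. The bare `return` after the check gives the caller no way to distinguish a rejected report from a parsed one; returning an explicit rejection value or raising would let the view respond with a 4xx and log the event. Minor style: `if self.contains_tags(jsondata) == True:` reads better as `if self.contains_tags(jsondata):`, and `def contains_tags (self, data)` has a stray space before the parameter list. parse()'s body continues outside the hunk.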
--
1.9.1