[yocto] [patchwork][PATCH] filters: Escape State names when generating selector HTML
Armin Kuster
akuster808 at gmail.com
Mon Jul 8 08:47:16 PDT 2019
From: Andrew Donnellan <ajd at linux.ibm.com>
States with names containing special characters are not correctly escaped
when generating the select list. Use escape() to fix this.
Signed-off-by: Andrew Donnellan <ajd at linux.ibm.com>
(cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13)
Signed-off-by: Daniel Axtens <dja at axtens.net>
[Fixup for 1.16 context, CVE-2019-13122 ]
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
patchwork/filters.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/patchwork/filters.py b/patchwork/filters.py
index 87c904f..b734207 100644
--- a/patchwork/filters.py
+++ b/patchwork/filters.py
@@ -212,7 +212,7 @@ class StateFilter(Filter):
selected = ' selected="true"'
str += '<option value="%d" %s>%s</option>' % (
- state.id, selected, state.name)
+ state.id, selected, escape(state.name))
str += '</select>'
return mark_safe(str)
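Review bot: On the changed line, `escape(state.name)` is called, but the diffstat shows a single-line change with no import added, so please confirm that `escape` is already imported in patchwork/filters.py in the 1.16 context; if it is not, rendering this filter will raise a NameError. Because the assembled string is handed to `mark_safe(str)`, every interpolated value has to be escaped by hand. Building the option with Django's `format_html` would make escaping the default here, and it is worth checking any other filters in this file that build `<option>` lists the same way. The patch also carries no regression test; one using a state name that contains `<` or `"` would cover this fix.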
--
2.7.4