Package: horizon / 2014.1.3-7+deb8u2

CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch
Description: Escape the description param from heat template
 The heat template allows users to define custom parameters; these
 fields are then converted to input fields. The description
 param maps to the help_text attribute of the field.
 .
 Since the value comes from the user, the value must be escaped
 before rendering.
Origin: upstream, https://review.openstack.org/#/c/189821/
Bug: https://bugs.launchpad.net/horizon/+bug/1453074
Bug-Debian: https://bugs.debian.org/788306
Forwarded: not-needed
Author: Lin Hua Cheng <os.lcheng@gmail.com>
Reviewed-By: David Lyle <david.lyle@intel.com>
Last-Update: 2015-06-09
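The behaviour the description above refers to, as an added example that is not part of the Debian patch or of Horizon's own code: a constructed Heat template whose parameter description carries markup is turned into form field arguments the same way the patched code does, once with the raw description (pre-patch behaviour) and once escaped. The stdlib `html.escape` stands in for `django.utils.html.escape`; both emit the same entities for `&`, `<`, `>` and `"`, which is what the sample relies on (single quotes differ between Django versions, so the sample avoids them). `build_field_args` and `contains_raw_markup` are names chosen for this example.

```python
"""Added example (not part of the Debian patch or of Horizon): shows why the
'Description' value of a Heat template parameter has to be escaped before it is
used as a form field's help_text, and what the patched line produces."""
import json
# django.utils.html.escape emits the same entities as the stdlib escape for
# & < > and double quotes; the stdlib version is used here so the example
# runs without Django installed.
from html import escape

# Constructed sample template: one parameter description carries HTML markup.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "KeyName": {
            "Description": 'SSH key <b>name</b> & "quoted"',
            "Default": "default-key",
        },
        "ImageId": {
            "Description": "Image to boot",
        },
    }
})


def build_field_args(template_json, escape_help_text=True):
    """Mirror the CreateStackForm logic: one dict of field args per parameter.

    escape_help_text=False reproduces the pre-patch behaviour, where the raw
    user-supplied description is handed to the form field unchanged.
    """
    params = json.loads(template_json).get("Parameters", {})
    fields = {}
    for param_key, param in params.items():
        description = param.get("Description", "")
        fields[param_key] = {
            "initial": param.get("Default", None),
            "label": param_key,
            "help_text": escape(description) if escape_help_text else description,
            "required": param.get("Default", None) is None,
        }
    return fields


def contains_raw_markup(field_args):
    """Defender-side check: does any help_text still contain raw angle brackets?"""
    return any("<" in f["help_text"] or ">" in f["help_text"]
               for f in field_args.values())


if __name__ == "__main__":
    before = build_field_args(SAMPLE_TEMPLATE, escape_help_text=False)
    after = build_field_args(SAMPLE_TEMPLATE)
    print("pre-patch :", before["KeyName"]["help_text"])
    print("post-patch:", after["KeyName"]["help_text"])
    print("raw markup left after patch:", contains_raw_markup(after))
```

Running the module prints the raw and the escaped help_text side by side; `contains_raw_markup` is the kind of assertion a regression test for this fix would make against the rendered form.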

---

--- horizon-2014.1.3.orig/openstack_dashboard/dashboards/project/stacks/forms.py
+++ horizon-2014.1.3/openstack_dashboard/dashboards/project/stacks/forms.py
@@ -15,6 +15,7 @@
 import json
 import logging
 
+from django.utils import html
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.debug import sensitive_variables  # noqa
 
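Review bot: the new import sits in the right place among the existing `django.utils` imports, so nothing to change here; worth noting for the second hunk is that `django.utils.html.escape` returns its result marked safe, so the escaped help_text will be rendered as-is by autoescaping templates rather than double-escaped.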
@@ -307,7 +308,7 @@ class CreateStackForm(forms.SelfHandling
             field_args = {
                 'initial': param.get('Default', None),
                 'label': param_key,
-                'help_text': param.get('Description', ''),
+                'help_text': html.escape(param.get('Description', '')),
                 'required': param.get('Default', None) is None
             }
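Review bot: the change escapes `Description`, but the two lines above it pass `param.get('Default', None)` to `initial` and `param_key` to `label`, both of which come from the same user-supplied template; Django's widget and label rendering autoescape those, which is presumably why only `help_text` needs explicit escaping, but a short comment on the `help_text` line stating that help_text is rendered unescaped would record that reasoning, and a regression test that loads a template whose description contains markup and asserts the escaped form appears in the rendered field would keep the fix from regressing.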