From 105e9da8668aa11fd8762c00dff568b57507a6ab Mon Sep 17 00:00:00 2001
From: Anthony Steinhauser
Date: Mon, 10 Apr 2017 16:00:22 +0200
Subject: [PATCH] XSS flaw bugfix

---
 netbox/utilities/views.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/netbox/utilities/views.py b/netbox/utilities/views.py
index 010a60daa..491aa309e 100644
--- a/netbox/utilities/views.py
+++ b/netbox/utilities/views.py
@@ -12,6 +12,7 @@ from django.forms import CharField, ModelMultipleChoiceField, MultipleHiddenInpu
 from django.http import HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.template import TemplateSyntaxError
+from django.utils.html import escape
 from django.utils.http import is_safe_url
 from django.views.generic import View
 
@@ -194,9 +195,9 @@ class ObjectEditView(View):
             msg = u'Created ' if obj_created else u'Modified '
             msg += self.model._meta.verbose_name
             if hasattr(obj, 'get_absolute_url'):
-                msg = u'{} {}'.format(msg, obj.get_absolute_url(), obj)
+                msg = u'{} {}'.format(msg, obj.get_absolute_url(), escape(obj))
             else:
-                msg = u'{} {}'.format(msg, obj)
+                msg = u'{} {}'.format(msg, escape(obj))
             messages.success(request, msg)
             if obj_created:
                 UserAction.objects.log_create(request.user, obj, msg)
@@ -266,7 +267,7 @@ class ObjectDeleteView(View):
                 handle_protectederror(obj, request, e)
                 return redirect(obj.get_absolute_url())
 
-        msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, obj)
+        msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, escape(obj))
         messages.success(request, msg)
         UserAction.objects.log_delete(request.user, obj, msg)
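Review bot: Only `obj` is escaped in the two rewritten `msg = ... .format(...)` lines of ObjectEditView, while `msg` and `obj.get_absolute_url()` are interpolated as-is, so the safety of the message still rests on a per-argument judgement about which values are developer-controlled rather than on the construction itself. Django's `format_html` escapes every argument and returns a SafeString, which states the intent and removes that judgement: `from django.utils.html import format_html` and `msg = format_html(u'{} <a href="{}">{}</a>', msg, obj.get_absolute_url(), obj)` (the link markup is presumed — as rendered here the format string shows two placeholders for three arguments, so the original string's tag was likely lost in extraction). Note also that `escape()` returns a SafeString but calling `.format` on a plain literal discards that marking, so the result only displays correctly if the messages template disables autoescaping for it; that is worth confirming, since with autoescaping on this fix would double-escape the name. The enclosing method starts and ends outside the hunk.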
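Review bot: The HTML-escaped `msg` built on the rewritten line in ObjectDeleteView is also handed to `UserAction.objects.log_delete(request.user, obj, msg)`, so the persisted audit record now carries entity-encoded text (`&amp;`, `&lt;`) for any object name containing those characters, and wherever that log is later rendered with Django autoescaping on, or exported as plain text, the name will appear double-escaped. Consider escaping only for display and logging the raw string: `log_msg = u'Deleted {} {}'.format(self.model._meta.verbose_name, obj)`, then `messages.success(request, escape(log_msg))` and `UserAction.objects.log_delete(request.user, obj, log_msg)`. This message contains no markup of its own, so escaping is only needed if the messages template renders with autoescaping off — if that is the reason, a comment such as `# messages are rendered unescaped in the template; escape user-controlled object names` on the escaped line would tell the next maintainer why `escape()` is required here. The enclosing method starts and ends outside the hunk.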