From: Michael Wood <michael.g.wood@intel.com>
To: "Damian, Alexandru" <alexandru.damian@intel.com>
Cc: "toaster@yoctoproject.org" <toaster@yoctoproject.org>
Subject: Re: [review-request][PATCH] bitbake: toaster: project use escapejs filter to avoid tag interpretation
Date: Tue, 11 Nov 2014 11:31:15 +0000	[thread overview]
Message-ID: <5461F383.1070402@intel.com> (raw)
In-Reply-To: <CAJ2CSBt6n3yMy2wTn8Src3vvP3cY1pr5mqHi+LhO1gjB847Weg@mail.gmail.com>

Hi,

Valid json can contain unescaped markup tags which will break the 
javascript, e.g. if you set your project name to "</script><h2>Hi mum<!-- 
or worse some javascript --></h2>" the project page will interpret that.

http://jsfiddle.net/uLpecL5o/

The escapejs filter will escape all the correct characters; the resulting 
string of the json can then be safely parsed by the browser.
If we want to use |safe we really need to be sure that data is safe, 
which may mean that instead we sanitise it before storing it.

Oops, yes, too long working with jinja2, which is based on django; got 
confused there!

Michael

On 07/11/14 16:52, Damian, Alexandru wrote:
> Hi,
>
> Hi, this is a good point you raise here - there are some aspects that 
> need considering, though -
>
>     the data coming in this page (e.g. prj, builds, etc..) is already 
> coming as JSON, the conversion is done in the view. Here we mark the 
> value as not needing any further escape (through the safe filter) 
> because we know it's already a valid json string.
>
> json is already valid javascript code, so we don't need to parse it 
> manually, the browser will interpret it as such.
>
> btw, we're not using jinja2 templating engine, we use the built-in 
> django templating engine :)
>
>
> Cheers,
> Alex
>
>
>
> On Thu, Nov 6, 2014 at 4:11 PM, Michael Wood <michael.g.wood@intel.com> wrote:
>
>     When passing the data from the jinja2 template to javascript make sure
>     we escape and parse the JSON to avoid any invalid values being
>     interpreted.
>
>     Signed-off-by: Michael Wood <michael.g.wood@intel.com>
>     ---
>      bitbake/lib/toaster/toastergui/templates/project.html | 14 +++++++-------
>      1 file changed, 7 insertions(+), 7 deletions(-)
>
>     diff --git a/bitbake/lib/toaster/toastergui/templates/project.html b/bitbake/lib/toaster/toastergui/templates/project.html
>     index 6a81283..00fb2b4 100644
>     --- a/bitbake/lib/toaster/toastergui/templates/project.html
>     +++ b/bitbake/lib/toaster/toastergui/templates/project.html
>     @@ -335,13 +335,13 @@ angular.element(document).ready(function() {
>        scope.urls.layers = "{% url 'layers' %}";
>        scope.urls.targets = "{% url 'targets' %}";
>        scope.urls.importlayer = "{% url 'importlayer'%}"
>     -  scope.project = {{prj|safe}};
>     -  scope.builds = {{builds|safe}};
>     -  scope.layers = {{layers|safe}};
>     -  scope.targets = {{targets|safe}};
>     -  scope.frequenttargets = {{freqtargets|safe}};
>     -  scope.machine = {{machine|safe}};
>     -  scope.releases = {{releases|safe}};
>     +  scope.project = JSON.parse ("{{prj|escapejs}}");
>     +  scope.builds = JSON.parse ("{{builds|escapejs}}");
>     +  scope.layers = JSON.parse ("{{layers|escapejs}}");
>     +  scope.targets = JSON.parse ("{{targets|escapejs}}");
>     +  scope.frequenttargets = JSON.parse ("{{freqtargets|escapejs}}");
>     +  scope.machine = JSON.parse ("{{machine|escapejs}}");
>     +  scope.releases = JSON.parse ("{{releases|escapejs}}");
>
>        scope.zone1alerts = [];
>        scope.zone2alerts = [];
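Review bot: the replacement lines are safe only because each `{{...|escapejs}}` is wrapped in a double-quoted string literal that is then handed to JSON.parse; escapejs turns quotes, backslashes, `<`, `>` and control characters into `\uXXXX` escapes, so a value containing `</script>` can no longer terminate the script element, whereas the removed `{{prj|safe}}` lines emitted the JSON text raw. Please add a short template comment above `scope.project = JSON.parse ("{{prj|escapejs}}");` explaining why |safe must not be used here, so a later cleanup does not revert it, and drop the space in `JSON.parse (` to match the surrounding calls. While touching this block, the context line `scope.urls.importlayer = "{% url 'importlayer'%}"` is missing its trailing semicolon.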
>     --
>     1.9.1
>
>
>
>
>
> -- 
> Alex Damian
> Yocto Project
> SSG / OTC
>
>

Thread overview: 5+ messages
2014-11-06 16:11 [review-request][PATCH] bitbake: toaster: project use escapejs filter to avoid tag interpretation Michael Wood
2014-11-07 16:52 ` Damian, Alexandru
2014-11-11 11:31   ` Michael Wood [this message]
2014-11-11 17:17     ` Damian, Alexandru
2014-11-12 16:54       ` Michael Wood