CVE-2014-3473

@@ -51,8 +51,15 @@ horizon.instances = {
     $(this.get_network_element("")).each(function(){
       var $this = $(this);
       var $input = $this.children("input");
+      var name = $this.text().replace(/^\s+/,"")
+                             .replace(/&/g, '&')
+                             .replace(/</g, '&lt;')
+                             .replace(/>/g, '&gt;')
+                             .replace(/"/g, '&quot;')
+                             .replace(/'/g, '&#x27;')
+                             .replace(/\//g, '&#x2F;');
       var network_property = {
-        name:$this.text().replace(/^\s+/,""),
+        name:name,
         id:$input.attr("id"),
         value:$input.attr("value")
       };

@@ -585,7 +585,9 @@ def value(self):
             link_classes = ' '.join(self.column.link_classes)
             # Escape the data inside while allowing our HTML to render
             data = mark_safe('<a href="%s" class="%s">%s</a>' %
-                             (self.url, link_classes, escape(data)))
+                             (escape(self.url),
+                              escape(link_classes),
+                              escape(data)))
         return data
 
     @property

@@ -161,7 +161,8 @@ def get_link_url(self, datum=None):
 class UsersTable(tables.DataTable):
     name = tables.Column('name', verbose_name=_('User Name'))
     email = tables.Column('email', verbose_name=_('Email'),
-                          filters=[defaultfilters.urlize])
+                          filters=[defaultfilters.escape,
+                                   defaultfilters.urlize])
     id = tables.Column('id', verbose_name=_('User ID'))
     enabled = tables.Column('enabled', verbose_name=_('Enabled'),
                             status=True,

@@ -117,7 +117,8 @@ class UsersTable(tables.DataTable):
     )
     name = tables.Column('name', verbose_name=_('User Name'))
     email = tables.Column('email', verbose_name=_('Email'),
-                          filters=[defaultfilters.urlize])
+                          filters=[defaultfilters.escape,
+                                   defaultfilters.urlize])
     # Default tenant is not returned from Keystone currently.
     #default_tenant = tables.Column('default_tenant',
     #                               verbose_name=_('Default Project'))

@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from django.core import urlresolvers
 from django.http import Http404  # noqa
 from django.template.defaultfilters import timesince  # noqa
 from django.template.defaultfilters import title  # noqa
@@ -94,11 +95,16 @@ class Meta:
         row_actions = (DeleteStack, )
 
 
+def get_resource_url(obj):
+    return urlresolvers.reverse('horizon:project:stacks:resource',
+                                args=(obj.stack_id, obj.resource_name))
+
+
 class EventsTable(tables.DataTable):
 
     logical_resource = tables.Column('resource_name',
                                      verbose_name=_("Stack Resource"),
-                                     link=lambda d: d.resource_name,)
+                                     link=get_resource_url)
     physical_resource = tables.Column('physical_resource_id',
                                       verbose_name=_("Resource"),
                                       link=mappings.resource_to_url)
@@ -142,7 +148,7 @@ class ResourcesTable(tables.DataTable):
 
     logical_resource = tables.Column('resource_name',
                                      verbose_name=_("Stack Resource"),
-                                     link=lambda d: d.resource_name)
+                                     link=get_resource_url)
     physical_resource = tables.Column('physical_resource_id',
                                      verbose_name=_("Resource"),
                                      link=mappings.resource_to_url)

@@ -75,6 +75,9 @@ def get_context_data(self, request):
             stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
             events = api.heat.events_list(self.request, stack_identifier)
             LOG.debug('got events %s' % events)
+            # The stack id is needed to generate the resource URL.
+            for event in events:
+                event.stack_id = stack.id
         except Exception:
             events = []
             messages.error(request, _(
@@ -95,6 +98,9 @@ def get_context_data(self, request):
             stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
             resources = api.heat.resources_list(self.request, stack_identifier)
             LOG.debug('got resources %s' % resources)
+            # The stack id is needed to generate the resource URL.
+            for r in resources:
+                r.stack_id = stack.id
         except Exception:
             resources = []
             messages.error(request, _(

@@ -51,8 +51,15 @@ horizon.instances = {
     $(this.get_network_element("")).each(function(){
       var $this = $(this);
       var $input = $this.children("input");
+      var name = $this.text().replace(/^\s+/,"")
+                             .replace(/&/g, '&')
+                             .replace(/</g, '&lt;')
+                             .replace(/>/g, '&gt;')
+                             .replace(/"/g, '&quot;')
+                             .replace(/'/g, '&#x27;')
+                             .replace(/\//g, '&#x2F;');
       var network_property = {
-        name:$this.text().replace(/^\s+/,""),
+        name:name,
         id:$input.attr("id"),
         value:$input.attr("value")
       };

@@ -692,7 +692,9 @@ def value(self):
                                   self.column.link_attrs.items()])
             # Escape the data inside while allowing our HTML to render
             data = mark_safe('<a href="%s" %s>%s</a>' % (
-                self.url, link_attrs, escape(unicode(data))))
+                             (escape(self.url),
+                              link_attrs,
+                              escape(unicode(data)))))
         return data
 
     @property

@@ -159,7 +159,8 @@ def get_link_url(self, datum=None):
 class UsersTable(tables.DataTable):
     name = tables.Column('name', verbose_name=_('User Name'))
     email = tables.Column('email', verbose_name=_('Email'),
-                          filters=[defaultfilters.urlize])
+                          filters=[defaultfilters.escape,
+                                   defaultfilters.urlize])
     id = tables.Column('id', verbose_name=_('User ID'))
     enabled = tables.Column('enabled', verbose_name=_('Enabled'),
                             status=True,

@@ -131,7 +131,9 @@ class UsersTable(tables.DataTable):
     email = tables.Column('email', verbose_name=_('Email'),
                           filters=(lambda v: defaultfilters
                                    .default_if_none(v, ""),
-                                   defaultfilters.urlize))
+                                   defaultfilters.escape,
+                                   defaultfilters.urlize)
+                          )
     # Default tenant is not returned from Keystone currently.
     #default_tenant = tables.Column('default_tenant',
     #                               verbose_name=_('Default Project'))

@@ -115,11 +115,16 @@ class Meta:
                        ChangeStackTemplate)
 
 
+def get_resource_url(obj):
+    return urlresolvers.reverse('horizon:project:stacks:resource',
+                                args=(obj.stack_id, obj.resource_name))
+
+
 class EventsTable(tables.DataTable):
 
     logical_resource = tables.Column('resource_name',
                                      verbose_name=_("Stack Resource"),
-                                     link=lambda d: d.resource_name,)
+                                     link=get_resource_url)
     physical_resource = tables.Column('physical_resource_id',
                                       verbose_name=_("Resource"),
                                       link=mappings.resource_to_url)
@@ -164,7 +169,7 @@ class ResourcesTable(tables.DataTable):
 
     logical_resource = tables.Column('resource_name',
                                      verbose_name=_("Stack Resource"),
-                                     link=lambda d: d.resource_name)
+                                     link=get_resource_url)
     physical_resource = tables.Column('physical_resource_id',
                                      verbose_name=_("Resource"),
                                      link=mappings.resource_to_url)

@@ -99,6 +99,9 @@ def get_context_data(self, request):
             stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
             events = api.heat.events_list(self.request, stack_identifier)
             LOG.debug('got events %s' % events)
+            # The stack id is needed to generate the resource URL.
+            for event in events:
+                event.stack_id = stack.id
         except Exception:
             events = []
             messages.error(request, _(
@@ -124,6 +127,9 @@ def get_context_data(self, request):
             stack_identifier = '%s/%s' % (stack.stack_name, stack.id)
             resources = api.heat.resources_list(self.request, stack_identifier)
             LOG.debug('got resources %s' % resources)
+            # The stack id is needed to generate the resource URL.
+            for r in resources:
+                r.stack_id = stack.id
         except Exception:
             resources = []
             messages.error(request, _(