Module: check_mk
Branch: master
Commit: c68f35e286eee9586a4b89215f0422117a3fde11
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c68f35e286eee9…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Oct 24 12:48:46 2017 +0200
Fixed additional XSS issues when displaying aliases of objects
Change-Id: I431f17207b7fda0a34e019a5cc25c411e87d7ed6
---
.werks/5399 | 2 +-
web/plugins/views/painters.py | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.werks/5399 b/.werks/5399
index 8c48462..6ffa4b9 100644
--- a/.werks/5399
+++ b/.werks/5399
@@ -1,4 +1,4 @@
-Title: Fixed multiple stored XSS injections in WATO dialogs
+Title: Fixed multiple stored XSS injections in GUI dialogs
Level: 1
Component: wato
Class: security
diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py
index 611988f..4dea4aa 100644
--- a/web/plugins/views/painters.py
+++ b/web/plugins/views/painters.py
@@ -529,7 +529,7 @@ multisite_painters["sitename_plain"] = {
multisite_painters["sitealias"] = {
"title" : _("Site alias"),
"columns" : ["site"],
- "paint" : lambda row: (None,
config.site(row["site"])["alias"]),
+ "paint" : lambda row: (None,
html.attrencode(config.site(row["site"])["alias"])),
}
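Review bot: Escaping is added one painter at a time (here for `sitealias`, and in the later hunks for `alias`, `hg_alias` and `sg_alias`), which leaves the underlying rule implicit. The fix implies that the second element of a `paint` result is written into the page as raw HTML, so any other painter that returns a configured or monitored string without `html.attrencode()` would presumably still be injectable. Only these four painters are visible in the diff, so the remaining painters in painters.py that return free-text columns should be checked against the same rule. I would state the rule once next to the painter definitions, for example `# Painter content is emitted as raw HTML: pass every user-configurable value through html.attrencode()`. The name `attrencode` suggests attribute context while these values are element content, so it is worth confirming that it escapes `<`, `>` and `&` as well as quotes.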
@@ -1513,7 +1513,7 @@ multisite_painters["alias"] = {
"title" : _("Host alias"),
"short" : _("Alias"),
"columns" : ["host_alias"],
- "paint" : lambda row: ("", row["host_alias"]),
+ "paint" : lambda row: ("",
html.attrencode(row["host_alias"])),
}
multisite_painters["host_address"] = {
@@ -1947,7 +1947,7 @@ multisite_painters["hg_alias"] = {
"title" : _("Hostgroup alias"),
"short" : _("Alias"),
"columns" : ["hostgroup_alias"],
- "paint" : lambda row: (None, row["hostgroup_alias"]),
+ "paint" : lambda row: (None,
html.attrencode(row["hostgroup_alias"])),
}
# ____ _
@@ -2015,7 +2015,7 @@ multisite_painters["sg_alias"] = {
"title" : _("Servicegroup alias"),
"short" : _("Alias"),
"columns" : ["servicegroup_alias"],
- "paint" : lambda row: (None, row["servicegroup_alias"])
+ "paint" : lambda row: (None,
html.attrencode(row["servicegroup_alias"]))
}