From dee21fb114a2ece37982e47d7b304b92c109cdd6 Mon Sep 17 00:00:00 2001
From: Scott Baker
Date: Fri, 23 Jan 2015 17:42:17 -0800
Subject: [PATCH] prevent script tags inside of error popup
---
 planetstack/core/xoslib/static/js/xoslib/xos-util.js | 11 +++++++++++
 planetstack/core/xoslib/static/js/xoslib/xosHelper.js | 2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/planetstack/core/xoslib/static/js/xoslib/xos-util.js b/planetstack/core/xoslib/static/js/xoslib/xos-util.js
index 04bd041..6f4db85 100644
--- a/planetstack/core/xoslib/static/js/xoslib/xos-util.js
+++ b/planetstack/core/xoslib/static/js/xoslib/xos-util.js
@@ -143,6 +143,17 @@ function make_same_width(containerSelector, itemSelector) {
 $(containerSelector).find(itemSelector).each( function(index) { $(this).width(maxWidth); });
 }

+function strip_scripts(s) {
+ var div = document.createElement('div');
+ div.innerHTML = s;
+ var scripts = div.getElementsByTagName('script');
+ var i = scripts.length;
+ while (i--) {
+ scripts[i].parentNode.removeChild(scripts[i]);
+ }
+ return div.innerHTML;
+ }
+
 function parse_portlist(ports) {
 /* Support a list of ports in the format "protocol:port, protocol:port, ..."
 examples:
diff --git a/planetstack/core/xoslib/static/js/xoslib/xosHelper.js b/planetstack/core/xoslib/static/js/xoslib/xosHelper.js
index 7392843..384a7ed 100644
--- a/planetstack/core/xoslib/static/js/xoslib/xosHelper.js
+++ b/planetstack/core/xoslib/static/js/xoslib/xosHelper.js
@@ -150,7 +150,7 @@ XOSApplication = Marionette.Application.extend({
 if (parsed_error) {
 $("#xos-error-dialog").html(templateFromId("#xos-error-response")(parsed_error));
 } else {
- $("#xos-error-dialog").html(templateFromId("#xos-error-rawresponse")({responseText: responseText}))
+ $("#xos-error-dialog").html(templateFromId("#xos-error-rawresponse")({responseText: strip_scripts(responseText)}))
 }

 $("#xos-error-dialog").dialog({
--
2.43.0
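Review bot: `strip_scripts` removes only `<script>` elements, so the string it returns can still carry executable markup (inline event-handler attributes, `javascript:` URLs), and the `div.innerHTML = s` assignment hands the untrusted text to the HTML parser before anything has been removed. The response text is data to display, so escaping it is safer than filtering it: `var div = document.createElement('div'); div.textContent = s; return div.innerHTML;` returns the HTML-escaped text, or the value can be set with jQuery `.text()` at the call site in xosHelper.js. If the filtering approach stays, the function should carry a comment saying that its result is not safe to pass to `.html()` on its own.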
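Review bot: The `parsed_error` branch just above the changed line still passes server-supplied fields to `.html()` through the `#xos-error-response` template with no filtering, so the popup is only covered in the raw-response case. Whether that template escapes its fields is not visible here; if it is an Underscore-style template, the fields should be interpolated with the escaping form (`<%- ... %>`) rather than the raw one, and the same applies to `responseText` in `#xos-error-rawresponse`. The new line also omits the terminating `;`, as the line it replaces did. The enclosing handler starts and ends outside the hunk.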