Hi,
Valid json can contain unescaped markup tags which will break the
javascript e.g. if you put your project name to "</script><h2>Hi mum<!--
or worse some javascript --></h2>" the project page will interpret that.
http://jsfiddle.net/uLpecL5o/
The escapejs filter will escape all the correct characters the resulting
string of the json can then be safely parsed by the browser.
If we want to use |safe we really need to be sure that data is safe,
which may mean that instead we sanitise it before storing it.
Oops yes too long working with jinja2 which is based on django got
confused there!
Michael
On 07/11/14 16:52, Damian, Alexandru wrote:
Hi,
Hi, this is a good point you raise here - there are some aspects that
need considering, though -
the data coming in this page (e.g. prj, builds, etc..) is already
coming as JSON, the conversion is done in the view. Here we mark the
value as not needing any further escape (through the safe filter)
because we know it's already a valid json string.
json is already valid javascript code, so we don't need to parse it
manually, the browser will interpret it as such.
btw, we're not using jinja2 templating engine, we use the built-in
django templating engine :)
Cheers,
Alex
On Thu, Nov 6, 2014 at 4:11 PM, Michael Wood <[email protected]
<mailto:[email protected]>> wrote:
When passing the data from the jinja2 template to javascript make sure
we escape and parse the JSON to avoid any invalid values being
interpreted.
Signed-off-by: Michael Wood <[email protected]
<mailto:[email protected]>>
---
bitbake/lib/toaster/toastergui/templates/project.html | 14
+++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/bitbake/lib/toaster/toastergui/templates/project.html
b/bitbake/lib/toaster/toastergui/templates/project.html
index 6a81283..00fb2b4 100644
--- a/bitbake/lib/toaster/toastergui/templates/project.html
+++ b/bitbake/lib/toaster/toastergui/templates/project.html
@@ -335,13 +335,13 @@ angular.element(document).ready(function() {
scope.urls.layers = "{% url 'layers' %}";
scope.urls.targets = "{% url 'targets' %}";
scope.urls.importlayer = "{% url 'importlayer'%}"
- scope.project = {{prj|safe}};
- scope.builds = {{builds|safe}};
- scope.layers = {{layers|safe}};
- scope.targets = {{targets|safe}};
- scope.frequenttargets = {{freqtargets|safe}};
- scope.machine = {{machine|safe}};
- scope.releases = {{releases|safe}};
+ scope.project = JSON.parse ("{{prj|escapejs}}");
+ scope.builds = JSON.parse ("{{builds|escapejs}}");
+ scope.layers = JSON.parse ("{{layers|escapejs}}");
+ scope.targets = JSON.parse ("{{targets|escapejs}}");
+ scope.frequenttargets = JSON.parse ("{{freqtargets|escapejs}}");
+ scope.machine = JSON.parse ("{{machine|escapejs}}");
+ scope.releases = JSON.parse ("{{releases|escapejs}}");
scope.zone1alerts = [];
scope.zone2alerts = [];
--
1.9.1
--
_______________________________________________
toaster mailing list
[email protected] <mailto:[email protected]>
https://lists.yoctoproject.org/listinfo/toaster
--
Alex Damian
Yocto Project
SSG / OTC
---------------------------------------------------------------------
Intel Corporation (UK) Limited
Registered No. 1134945 (England)
Registered Office: Pipers Way, Swindon SN3 1RJ
VAT No: 860 2173 47
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
--
_______________________________________________
toaster mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/toaster
