Before committing the error report metadata to the database, do a rudimentary check on all fields that are passed to the graphs page, to avoid XSS.
Signed-off-by: Michael Wood <michael.g.w...@intel.com>
---
 Post/parser.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/Post/parser.py b/Post/parser.py
index fae9194..b180165 100644
--- a/Post/parser.py
+++ b/Post/parser.py
@@ -18,8 +18,21 @@ class Parser:
     def __init__(self, data):
         self.data = data
 
+    # returns true if the values contain '<' char
+    # Ignore the failures field (which is an array anyway)
+    def contains_tags (self, data):
+        for key,val in data.items():
+            if key == 'failures':
+                continue
+
+            if '<' in val:
+                return True
+        return False
+
     def parse(self):
         jsondata = json.loads(self.data)
+        if self.contains_tags(jsondata) == True:
+            return
         MACHINE_NAME = str(jsondata['machine'])
         NATIVELSBSTRING = str(jsondata['nativelsb'])
 
-- 
1.9.1

-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
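Review bot: The `'<' in val` test in `contains_tags` is a single-character denylist, so it does not stop XSS for any value the graphs page renders inside an HTML attribute or a script block, where `"`, `'` or `&` alone are enough to break out; the reliable control is escaping at output time in the graphs page (not visible here), with this check kept only as defense in depth. If it stays, widening it to `if isinstance(val, str) and any(c in val for c in '<>"\'&'):` also avoids the TypeError the current line raises if a field other than `failures` arrives as a non-string (null or number) in the submitted JSON, which would turn a malformed report into a server error instead of a rejection. `failures` is skipped entirely, so anything in that array that reaches a page is unchecked. `parse` then silently returns on rejection, so the caller cannot tell a rejected report from a parsed one; logging the offending key or raising a ValueError would make the drop visible. `parse` continues past the hunk, and the comparison `== True` can simply be `if self.contains_tags(jsondata):`.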