author: Alexandru DAMIAN <alexandru.damian@intel.com> 2014-11-11 17:01:09 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-11-12 17:04:50 +0000
commit: c5d19aae55be158676eb0914bd5d0701f7d3fd3a (patch)
tree: b549631196198eaa89a922c1088243b25c74ecd9 /bitbake/lib/toaster/toastergui/templatetags
parent: 326d5b1a284ca4d29f986d3d6a1cee838b841301 (diff)
download: openembedded-core-contrib-c5d19aae55be158676eb0914bd5d0701f7d3fd3a.tar.gz
bitbake: toastergui: fix XSS injection points in projects page
We close XSS injection points in Projects page.

* modify the json filter to properly escape HTML tags in strings
* enable $sanitize to automatically sanitize dangerous HTML in user-supplied input
* clean dangerous characters in targets field, as that field contents will be directly passed to a shell command

Based on the vulnerability discovered and the patch provided by Michael Wood.

(Bitbake rev: 23c440db9c076ca37e651bdbbdbefee54998e1dc)

Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
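The first bullet of the commit message, the `json` filter change, is easy to see in isolation. The block below is an added example written for this page, not Toaster's or the commit's code: it reproduces the pre-patch behaviour (`json.dumps` only) and the post-patch behaviour (the `</` to `<\/` rewrite, with `mark_safe` left out because nothing here runs under Django), and adds a stricter variant of my own (an assumption of this example, not something the commit does) that escapes `<`, `>`, `&` and the U+2028/U+2029 line separators as `\uXXXX` sequences, which are valid JSON and parse back to the same value. `SAMPLE` is a constructed project record containing a closing script tag; `closes_script` is a deliberately simple check for the one thing that matters when JSON is inlined into a `<script>` element.

```python
import json

# Constructed sample: a "targets" value that carries a closing script tag.
# Nothing in this record comes from a real Toaster project.
SAMPLE = {"targets": "</script><b>injected</b>", "name": "core-image-minimal"}


def json_before(value):
    """Filter behaviour before the patch: plain json.dumps, no HTML awareness."""
    return json.dumps(value)


def json_after(value):
    """Filter behaviour after the patch: the two-character sequence '</' becomes
    '<\\/', so a string can no longer terminate the enclosing <script> element.
    (The commit also wraps this in mark_safe; omitted here, outside Django.)"""
    return json.dumps(value, ensure_ascii=False).replace('</', '<\\/')


def json_for_script(value):
    """Stricter variant, an assumption of this example rather than the project's
    code: escape every character that the HTML parser or a JavaScript string
    literal cares about. Each replacement is still valid JSON, so json.loads
    (and JSON.parse in the browser) returns the original value unchanged."""
    escapes = {
        '<': '\\u003c',       # cannot open or close a tag any more
        '>': '\\u003e',
        '&': '\\u0026',       # no entity decoding surprises in attribute context
        '\u2028': '\\u2028',  # JSON allows these raw, JS string literals did not
        '\u2029': '\\u2029',
    }
    out = json.dumps(value, ensure_ascii=False)
    for ch, esc in escapes.items():
        out = out.replace(ch, esc)
    return out


def render_inline(json_text):
    """Embed the serialized value the way a template would: as a JS initializer."""
    return '<script>var project = ' + json_text + ';</script>'


def closes_script(html):
    """True if the script body contains '</script', i.e. the HTML parser would
    leave script-data state early and treat what follows as markup. This is the
    check a reviewer wants to run on every serializer that feeds an inline script."""
    body = html[len('<script>'):-len('</script>')]
    return '</script' in body.lower()


def roundtrips(json_text, value):
    """Escaping must not change the parsed value; otherwise the fix broke data."""
    return json.loads(json_text) == value


if __name__ == '__main__':
    for name, fn in (('before', json_before), ('after', json_after), ('strict', json_for_script)):
        html = render_inline(fn(SAMPLE))
        print(f'{name:6s} closes <script>: {closes_script(html)!s:5s}  round-trips: {roundtrips(fn(SAMPLE), SAMPLE)}')
```

Run as a script it reports that only the pre-patch serializer lets the sample close the script element, and that both fixes round-trip the data. The difference between `json_after` and `json_for_script` shows up only when the same filter output is placed somewhere other than a `<script>` body, or when a string contains U+2028/U+2029, which `ensure_ascii=False` passes through untouched.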
Diffstat (limited to 'bitbake/lib/toaster/toastergui/templatetags')
-rw-r--r-- bitbake/lib/toaster/toastergui/templatetags/projecttags.py | 6
1 files changed, 5 insertions, 1 deletions
diff --git a/bitbake/lib/toaster/toastergui/templatetags/projecttags.py b/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
index 4a97eb7ac4..99fd4cf287 100644
--- a/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
+++ b/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
@@ -25,6 +25,7 @@ from django import template
from django.utils import timezone
from django.template.defaultfilters import filesizeformat
import json as JsonLib
+from django.utils.safestring import mark_safe
register = template.Library()
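Review bot: importing `mark_safe` is the right call for this fix, but it changes the contract of every filter that uses it: anything returned through `mark_safe` skips Django's autoescaping entirely, so the escaping the template used to get for free must now be complete inside the filter. That deserves a docstring or comment next to the filter stating which output context (inline `<script>` body) it has been made safe for, so later callers do not reuse it in attribute or text positions.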
@@ -49,7 +50,10 @@ def mapselect(value, argument):
@register.filter(name = "json")
def json(value):
- return JsonLib.dumps(value)
+ # JSON spec says that "\/" is functionally identical to "/" to allow for HTML-tag embedding in JSON strings
+ # unfortunately, I can't find any option in the json module to turn on forward-slash escaping, so we do
+ # it manually here
+ return mark_safe(JsonLib.dumps(value, ensure_ascii=False).replace('</', '<\\/'))
@register.assignment_tag
def query(qs, **kwargs):
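Review bot: the comment above the `return` talks about forward-slash escaping, but the `.replace('</', '<\\/')` call only rewrites the two-character sequence `</`; that is enough to stop a string from closing the enclosing `<script>` element, and the comment should say so rather than suggest all slashes are escaped. Two gaps remain in this hunk: because the result is now `mark_safe`, a raw `<`, `>` or `&` in a string is emitted unescaped wherever the template places the value outside a script body, and `ensure_ascii=False` lets U+2028 and U+2029 through, which JSON accepts inside a string but a JavaScript string literal does not. Escaping `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026` (valid JSON, identical after parsing) would cover both contexts with a single replace pass, and it would also neutralise a `<!--` sequence, which can switch the HTML parser into escaped script-data state even when `</` is rewritten.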