[pve-devel] [PATCH pve-manager 2/2] htmlEncode some NetworkView values

[Dietmar Maurer]

Why do we need to encode things with well defined format like 'hwaddr' 
or 'ip' and 'gw'?
Also, can we restrict network names to avoid characters like '<' or '>'?

On 09/18/2015 12:41 PM, Wolfgang Bumiller wrote:
> ---
>   www/manager/lxc/Network.js | 27 +++++++++++++++++----------
>   1 file changed, 17 insertions(+), 10 deletions(-)
>
> diff --git a/www/manager/lxc/Network.js b/www/manager/lxc/Network.js
> index 7d152cc..32f31ee 100644
> --- a/www/manager/lxc/Network.js
> +++ b/www/manager/lxc/Network.js
> @@ -478,11 +478,13 @@ Ext.define('PVE.lxc.NetworkView', {
>   		},
>   		{
>   		    header: gettext('Name'),
> +		    renderer: 'htmlEncode',
>   		    width: 80,
>   		    dataIndex: 'name'
>   		},
>   		{
>   		    header: gettext('Bridge'),
> +		    renderer: 'htmlEncode',
>   		    width: 80,
>   		    dataIndex: 'bridge'
>   		},
> @@ -499,6 +501,7 @@ Ext.define('PVE.lxc.NetworkView', {
>   		},
>   		{
>   		    header: gettext('MAC address'),
> +		    renderer: 'htmlEncode',
>   		    width: 110,
>   		    dataIndex: 'hwaddr'
>   		},
> @@ -507,12 +510,14 @@ Ext.define('PVE.lxc.NetworkView', {
>   		    width: 150,
>   		    dataIndex: 'ip',
>   		    renderer: function(value, metaData, rec) {
> -			if (rec.data.ip && rec.data.ip6) {
> -			    return rec.data.ip + "<br>" + rec.data.ip6;
> -			} else if (rec.data.ip6) {
> -			    return rec.data.ip6;
> +			var ip  = rec.data.ip  ? Ext.util.Format.htmlEncode(rec.data.ip ) : null;
> +			var ip6 = rec.data.ip6 ? Ext.util.Format.htmlEncode(rec.data.ip6) : null;
> +			if (ip && ip6) {
> +			    return ip + "<br>" + ip6;
> +			} else if (ip6) {
> +			    return ip6;
>   			} else {
> -			    return rec.data.ip;
> +			    return ip;
>   			}
>   		    }
>   		},
> @@ -521,12 +526,14 @@ Ext.define('PVE.lxc.NetworkView', {
>   		    width: 150,
>   		    dataIndex: 'gw',
>   		    renderer: function(value, metaData, rec) {
> -			if (rec.data.gw && rec.data.gw6) {
> -			    return rec.data.gw + "<br>" + rec.data.gw6;
> -			} else if (rec.data.gw6) {
> -			    return rec.data.gw6;
> +			var gw  = rec.data.gw  ? Ext.util.Format.htmlEncode(rec.data.gw ) : null;
> +			var gw6 = rec.data.gw6 ? Ext.util.Format.htmlEncode(rec.data.gw6) : null;
> +			if (gw && gw6) {
> +			    return gw + "<br>" + gw6;
> +			} else if (gw6) {
> +			    return gw6;
>   			} else {
> -			    return rec.data.gw;
> +			    return gw;
>   			}
>   		    }
>   		}