From 17bada6a62361701730e1908283c0a9833536de5 Mon Sep 17 00:00:00 2001
From: Jessica Wang
Date: Wed, 14 Mar 2012 16:44:21 -0700
Subject: [PATCH] cloudstack 3.0 UI - XSS - detailView in Edit mode - fix it to show original value instead of HTML-encoding value.
---
 ui/scripts/ui/utils.js | 17 +++++++++++++++--
 ui/scripts/ui/widgets/detailView.js | 2 +-
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/ui/scripts/ui/utils.js b/ui/scripts/ui/utils.js
index a1662a021ce..6166ab08c4a 100644
--- a/ui/scripts/ui/utils.js
+++ b/ui/scripts/ui/utils.js
@@ -56,7 +56,7 @@
 };
 /**
- * Sanitize user input -- shortcut _s
+ * Sanitize user input (HTML Encoding) -- shortcut _s
 *
 * Strip unwanted characters from user-based input
 */
@@ -76,7 +76,7 @@
 else if(typeof(value) == null || typeof(value) == "undefined") {
 return '';
 }
-
+
 var sanitized = value
 .replace(/&/g, "&")
 .replace(/");
+
+ return reversedValue;
+ };
+ })(jQuery, cloudStack);
diff --git a/ui/scripts/ui/widgets/detailView.js b/ui/scripts/ui/widgets/detailView.js
index 046893b91be..375a66fde9f 100644
--- a/ui/scripts/ui/widgets/detailView.js
+++ b/ui/scripts/ui/widgets/detailView.js
@@ -391,7 +391,7 @@
 // Turn into form field
 var selectData = $value.data('detail-view-editable-select');
 var isBoolean = $value.data('detail-view-editable-boolean');
- var data = !isBoolean ? $value.html() : $value.data('detail-view-boolean-value');
+ var data = !isBoolean ? cloudStack.sanitizeReverse($value.html()) : $value.data('detail-view-boolean-value');
 $value.html('');
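Review bot: The new sanitizeReverse whose tail (`return reversedValue;` and the IIFE close) ends this hunk has no doc comment, and its decoding body is not legible in this rendering (everything between `.replace(/` and `");` has been eaten, apparently by the `<` in the regex literals), so the replacement sequence cannot be checked here and the function's opening line is outside what is visible. Whatever the body is, the replacements must run in the exact reverse order of sanitize's, with `&amp;` decoded last, or an encoded input such as `&amp;lt;` decodes to a literal `<` instead of the `&lt;` the user actually typed — a unit test on the round trip `sanitizeReverse(sanitize(x)) === x` would pin this. A doc comment in the style of sanitize's, e.g. `/** Reverse of sanitize (HTML decoding) -- returns the original string for a value sanitize produced. Output is raw, unencoded text: assign it with .val()/.text(), never re-insert it as markup. */`, would record that contract. If the body does not already mirror sanitize's null/undefined guard, it should, since callers hand it DOM-derived strings.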
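Review bot: The decoded string assigned to `data` on the added line is raw user text again, so the fix only holds if the rest of this function (which continues past the hunk) puts it into the edit control through `.val()` or an equivalent property setter; if it is concatenated into an HTML string for the input or passed through `.html()`, the encoding that the display relies on is undone at the moment the field enters edit mode. A comment on the line would keep that constraint visible to the next editor: `// $value.html() is HTML-encoded for display; decode it so the field shows the raw value. Raw text: set with .val() only, never as markup.` A more robust shape would be to keep the original value on a data attribute, as the boolean branch already does with `detail-view-boolean-value`, and read that here instead of decoding display markup, which also removes the dependency on sanitize and sanitizeReverse staying exact inverses.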