From d539a6715cbc52d7609d364ba8bcb85cd193d5a7 Mon Sep 17 00:00:00 2001 From: John Mitchell Date: Wed, 29 Jun 2016 14:40:53 -0400 Subject: [PATCH 1/4] fix xss vulnerability when deleting labels --- .../src/job-templates/labels/labelsList.directive.js | 5 +++-- awx/ui/client/src/shared/Utilities.js | 7 +++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/awx/ui/client/src/job-templates/labels/labelsList.directive.js b/awx/ui/client/src/job-templates/labels/labelsList.directive.js index 00c8e6b06a..ab97b2f5f2 100644 --- a/awx/ui/client/src/job-templates/labels/labelsList.directive.js +++ b/awx/ui/client/src/job-templates/labels/labelsList.directive.js @@ -7,7 +7,8 @@ export default 'ProcessErrors', 'Prompt', '$q', - function(templateUrl, Wait, Rest, GetBasePath, ProcessErrors, Prompt, $q) { + '$filter', + function(templateUrl, Wait, Rest, GetBasePath, ProcessErrors, Prompt, $q, $filter) { return { restrict: 'E', scope: false, @@ -65,7 +66,7 @@ export default Prompt({ hdr: 'Remove Label from ' + templateName, - body: '
Confirm the removal of the ' + labelName + ' label.
', + body: '
Confirm the removal of the ' + $filter('sanitize')(labelName) + ' label.
', action: action, actionText: 'REMOVE' }); diff --git a/awx/ui/client/src/shared/Utilities.js b/awx/ui/client/src/shared/Utilities.js index e1d1a5983a..f7ccaf0be4 100644 --- a/awx/ui/client/src/shared/Utilities.js +++ b/awx/ui/client/src/shared/Utilities.js @@ -608,8 +608,8 @@ angular.module('Utilities', ['RestServices', 'Utilities', 'sanitizeFilter']) * ] * ``` */ -.factory('CreateSelect2', [ - function () { +.factory('CreateSelect2', ['$filter', + function ($filter) { return function (params) { var element = params.element, @@ -641,6 +641,9 @@ angular.module('Utilities', ['RestServices', 'Utilities', 'sanitizeFilter']) containerCssClass: 'Form-dropDown', width: '100%', minimumResultsForSearch: Infinity, + escapeMarkup: function(m) { + return $filter('sanitize')(m); + } }; // multiple-choice directive calls select2 but needs to do so without this custom adapter From f39c624b8e35299de03944a86e6f188127673d5d Mon Sep 17 00:00:00 2001 From: John Mitchell Date: Wed, 29 Jun 2016 14:45:17 -0400 Subject: [PATCH 2/4] get view more to show up after delete --- awx/ui/client/src/job-templates/labels/labelsList.directive.js | 1 + 1 file changed, 1 insertion(+) diff --git a/awx/ui/client/src/job-templates/labels/labelsList.directive.js b/awx/ui/client/src/job-templates/labels/labelsList.directive.js index ab97b2f5f2..7e48f37dd9 100644 --- a/awx/ui/client/src/job-templates/labels/labelsList.directive.js +++ b/awx/ui/client/src/job-templates/labels/labelsList.directive.js @@ -50,6 +50,7 @@ export default scope.deleteLabel = function(templateId, templateName, labelId, labelName) { var action = function () { $('#prompt-modal').modal('hide'); + scope.seeMoreInactive = true; Wait('start'); var url = GetBasePath("job_templates") + templateId + "/labels/"; Rest.setUrl(url); From 9c42ffa3f61f9d516710c05f9ca81549a5a246e8 Mon Sep 17 00:00:00 2001 
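Review bot: The same hunk still interpolates `templateName` unescaped into the `hdr` string on the context line just above the changed `body` (`hdr: 'Remove Label from ' + templateName,`); if Prompt inserts `hdr` as markup the way it inserts `body`, the template name needs the same treatment, e.g. `hdr: 'Remove Label from ' + $filter('sanitize')(templateName),`. Whether that matters depends on how the Prompt service renders `hdr`, which is not visible here, so it is worth confirming against that service rather than assuming. This page has also stripped the HTML wrapper out of the `body` literal, so the exact markup around the escaped label name cannot be checked from this view. The enclosing `deleteLabel` function starts and ends outside the hunk.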
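Review bot: Overriding select2's `escapeMarkup` with `$filter('sanitize')` makes that filter's escaping coverage the only thing between option text and the dropdown's markup; select2 ships its own default `escapeMarkup` that HTML-escapes option text, so this is an improvement rather than a regression only if the sanitize filter escapes at least `&`, `<`, `>` and both quote characters, which the hunk does not show — worth checking against the filter's definition. The comment that closes the hunk says the multiple-choice directive calls select2 without this custom adapter, so that path presumably does not receive this `escapeMarkup` either and should be checked for the same behaviour. A short comment on the new property, such as `// select2 inserts option text as markup; escape it with the project's sanitize filter`, would record why the default is being replaced. The `return function (params) {` that owns this options object starts and ends outside the hunk.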
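Review bot: `scope.seeMoreInactive = true;` is set before the disassociate request is sent, so on the `.error` path the list is not refreshed but the flag has already flipped; moving it into the `.success` callback ahead of `scope.search("job_template")` keeps the view state tied to an actual deletion. If the intent is instead to collapse the list while the spinner is shown, a one-line comment such as `// collapse the label list while the refresh runs` would make that explicit. The `action` callback and the enclosing `deleteLabel` both continue outside the hunk.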
From: John Mitchell Date: Wed, 29 Jun 2016 14:46:56 -0400 Subject: [PATCH 3/4] make wait stop happen after list refresh is called --- awx/ui/client/src/job-templates/labels/labelsList.directive.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/awx/ui/client/src/job-templates/labels/labelsList.directive.js b/awx/ui/client/src/job-templates/labels/labelsList.directive.js index 7e48f37dd9..d9ef63b237 100644 --- a/awx/ui/client/src/job-templates/labels/labelsList.directive.js +++ b/awx/ui/client/src/job-templates/labels/labelsList.directive.js @@ -56,10 +56,11 @@ export default Rest.setUrl(url); Rest.post({"disassociate": true, "id": labelId}) .success(function () { - Wait('stop'); scope.search("job_template"); + Wait('stop'); }) .error(function (data, status) { + Wait('stop'); ProcessErrors(scope, data, status, null, { hdr: 'Error!', msg: 'Could not disacssociate label from JT. Call to ' + url + ' failed. DELETE returned status: ' + status }); }); From 9b7c30d383e9016d206c86e1280fa043bb6a3d14 Mon Sep 17 00:00:00 2001 From: John Mitchell Date: Wed, 29 Jun 2016 14:50:09 -0400 Subject: [PATCH 4/4] fix long label name from going outside of delete prompt bounds --- awx/ui/client/src/shared/prompt/prompt.less | 1 + 1 file changed, 1 insertion(+) diff --git a/awx/ui/client/src/shared/prompt/prompt.less b/awx/ui/client/src/shared/prompt/prompt.less index 5c491b64e3..b4c1237c50 100644 --- a/awx/ui/client/src/shared/prompt/prompt.less +++ b/awx/ui/client/src/shared/prompt/prompt.less @@ -3,6 +3,7 @@ .Prompt-bodyQuery { margin-bottom: 20px; color: @default-interface-txt; + word-break: break-word; } .Prompt-bodyTarget {
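Review bot: `Wait('stop')` now runs synchronously right after `scope.search("job_template")`; if `scope.search` issues its own request (it presumably does, since it refreshes the list), the spinner is cleared before the refreshed labels arrive unless `search` manages its own Wait calls — worth confirming against the list controller before relying on the new ordering. While these callbacks are being touched, the error message on the context lines reads `disacssociate` and says `DELETE returned status` although the call above is `Rest.post(...)`; `'Could not disassociate label from JT. Call to ' + url + ' failed. POST returned status: ' + status` would be accurate. The `.success`/`.error` pair closes within the hunk, but `action` and `deleteLabel` end outside it.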
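Review bot: `word-break: break-word` is a non-standard value (historically WebKit/Blink only, later specified only as a legacy alias), so the standard `overflow-wrap: break-word;` with `word-wrap: break-word;` as the older fallback is the portable way to keep long label names inside `.Prompt-bodyQuery`. The rule block is complete within the hunk.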