From 41f9a3aa2491d5b2bc6b4678c5bdda51039dec46 Mon Sep 17 00:00:00 2001 From: Jorge Lobo <47326048+jloboescalona2@users.noreply.github.com> Date: Mon, 10 Feb 2020 17:06:47 +0100 Subject: [PATCH] M #-: sanitize tags in handlebars forms (#4172) Signed-off-by: Jorge Lobo (cherry picked from commit dc5bcaa95a94f20fa2df08616e0b049571a4ec3a) --- .../public/app/tabs/users-tab/panels/info-common.js | 6 +++--- src/sunstone/public/app/templates/helpers/valOrDefault.js | 3 ++- src/sunstone/public/app/utils/template-utils.js | 8 ++++++++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/sunstone/public/app/tabs/users-tab/panels/info-common.js b/src/sunstone/public/app/tabs/users-tab/panels/info-common.js index 90042ad343..4b56552f73 100644 --- a/src/sunstone/public/app/tabs/users-tab/panels/info-common.js +++ b/src/sunstone/public/app/tabs/users-tab/panels/info-common.js @@ -77,14 +77,14 @@ define(function(require) { var templateTableHTML = TemplateTable.html(strippedTemplate, RESOURCE, Locale.tr("Attributes")); //==== - - return TemplateInfo({ + render = TemplateInfo({ "element": this.element, - "sunstone_template": this.element.TEMPLATE.SUNSTONE||{}, + "sunstone_template": this.element.TEMPLATE.SUNSTONE || {}, "templateTableHTML": templateTableHTML, "tabId": this.tabId, "userCreationHTML": this.userCreation.html() }); + return render; } function _setup(context) { diff --git a/src/sunstone/public/app/templates/helpers/valOrDefault.js b/src/sunstone/public/app/templates/helpers/valOrDefault.js index 04e1e886bd..3db375cc2a 100644 --- a/src/sunstone/public/app/templates/helpers/valOrDefault.js +++ b/src/sunstone/public/app/templates/helpers/valOrDefault.js @@ -17,6 +17,7 @@ define(function(require) { var Handlebars = require('hbs/handlebars'); var Locale = require('utils/locale'); + var templateUtils = require("utils/template-utils"); var valOrDefault = function(value, defaultValue, options) { var out; 
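Review bot: `render = TemplateInfo({` assigns to `render` without a declaration; the hunk shows no `var render`, and the line it replaces was a direct `return TemplateInfo({`, so unless `render` is declared earlier in the enclosing function (which starts outside the hunk) this creates an implicit global in sloppy mode and a ReferenceError under strict mode. The intermediate variable adds nothing over the original, since `return render;` follows immediately. Either restore `return TemplateInfo({` or write `var render = TemplateInfo({`. The `SUNSTONE || {}` spacing change on the same lines is fine.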
@@ -24,7 +25,7 @@ define(function(require) { if (value == undefined || ($.isPlainObject(value) && $.isEmptyObject(value))){ out = defaultValue; } else { - out = value; + out = templateUtils.removeHTMLTags(value); } return new Handlebars.SafeString(out); diff --git a/src/sunstone/public/app/utils/template-utils.js b/src/sunstone/public/app/utils/template-utils.js index 949d89f8c0..5685939dd9 100644 --- a/src/sunstone/public/app/utils/template-utils.js +++ b/src/sunstone/public/app/utils/template-utils.js @@ -171,6 +171,14 @@ define(function(require) { return template_json; } + function _removeHTMLTags(string){ + var rtn = string; + if(rtn){ + rtn = string.replace(/<[^0-9\s=>]+>/g, ''); + } + return rtn; + } + return { "stringToTemplate": _convert_string_to_template, "templateToString": _convert_template_to_string,
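Review bot: `out = templateUtils.removeHTMLTags(value);` is still wrapped in `new Handlebars.SafeString(out)` two lines later, so whatever the tag-stripping regex leaves in `value` reaches the page unescaped, and the `out = defaultValue;` branch above is not passed through the filter at all. Stripping tags is weaker than escaping: a tag that contains whitespace or an attribute is not matched by the pattern in `_removeHTMLTags`, and `removeHTMLTags` calls `.replace` on its argument, so a truthy non-string `value` (a number, for instance) would throw here. If the helper's output must stay a SafeString, escaping is the dependable contract, `out = Handlebars.Utils.escapeExpression(value);`, with the same treatment for `defaultValue` if it can originate from template data rather than a literal. The enclosing `valOrDefault` function starts in the previous hunk.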
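Review bot: The pattern `/<[^0-9\s=>]+>/g` in `_removeHTMLTags` only removes tags whose body contains no whitespace, digit, `=` or `>`, so any tag carrying an attribute (e.g. `<a href="x">`) or an internal space survives untouched; for a value that the caller then marks as safe output this gives a false sense of coverage, and escaping at the output site is the reliable approach. Independently, the function dereferences `string.replace` after only a truthiness check, so a number or other truthy non-string argument throws a TypeError; guard the type instead of the value, `if (typeof string !== "string") { return string; }`, in place of `if(rtn){`. The helper also lacks a comment; one stating that it is a best-effort tag stripper and not an HTML escaper would keep callers from relying on it for output safety.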