Comment 23 for bug 1247675

Revision history for this message
Rob Raymond (rob-raymond) wrote :

I could not reproduce an XSS issue on the Network Topology panel. From the comment above, Dave Lyle was not able to either.

I thought perhaps in the original bug that someone created an instance on the Network Topology page that contained <script> tags and that those tags were then being executed on the Volumes page. If the fix was to sanitize the input, then that is the logical place to do this.

But the fix was to make sure that places that display the instance name, escape the string so that the browser does not interpret it but only displays it. I took a pass through to see if this happens in other places that we call marksafe. Those are the places changed in this fix.
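The escaping pattern the comment describes, shown as an added Python example that is not Horizon's own code and not part of this bug report. It assumes the Django mechanism Horizon relies on (strings wrapped with `mark_safe` are emitted verbatim by the template engine, everything else is auto-escaped) and re-implements a minimal stand-in for `SafeString`, `mark_safe`, `escape` and `conditional_escape` on top of the standard library so it runs offline; the instance name, detail URL and function names are constructed for illustration.

```python
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString (assumption: a str the
    template layer emits verbatim, exactly as if the template author vouched for it)."""


def mark_safe(s):
    """Stand-in for django.utils.safestring.mark_safe: promise the markup is trusted."""
    return SafeString(s)


def escape(s):
    """Stand-in for django.utils.html.escape: HTML-encode the five dangerous
    characters (& < > " ') and return the result already marked safe,
    because an escaped string is safe to emit."""
    return SafeString(html.escape(str(s), quote=True))


def conditional_escape(value):
    """What the template engine does at output time with autoescape on:
    SafeString passes through untouched, anything else is escaped."""
    if isinstance(value, SafeString):
        return value
    return escape(value)


# Constructed instance name: what a user could set via the Network Topology
# page, and which then shows up wherever the name is rendered (e.g. Volumes).
PAYLOAD_NAME = 'web-01<script>alert(document.cookie)</script>'
DETAIL_URL = '/project/instances/abc123/'


def instance_cell_vulnerable(name, detail_url):
    """Before the fix: build an anchor around the raw name, then mark the whole
    string safe. mark_safe now vouches for attacker-controlled markup."""
    return mark_safe('<a href="%s">%s</a>' % (detail_url, name))


def instance_cell_fixed(name, detail_url):
    """After the fix: escape every untrusted fragment first; only the markup the
    code itself wrote is trusted. The name is displayed, not interpreted."""
    return mark_safe('<a href="%s">%s</a>' % (escape(detail_url), escape(name)))


def plain_name_cell(name):
    """No mark_safe at all: the template engine's autoescape handles it."""
    return name


def renders_live_script(cell):
    """True if the template output would hand the browser a real <script> tag."""
    return '<script>' in conditional_escape(cell)
```

Only the `mark_safe` call sites matter here: a value that never gets marked safe is escaped by the template engine anyway, which is why the review pass in the fix concentrates on every place that wraps an instance name in `mark_safe` rather than on the form that accepted the name.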