XSS in HTML report output
Bug #1612988 reported by Travis McPeak
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Fix Released | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | Undecided | Tim Kelsey | |
Bug Description
The following Python code snippet will cause script execution when an HTML report is generated and viewed in a browser:

```python
import subprocess
subprocess.
```
This is because the HTML formatter fails to HTML-escape the code snippets it embeds in the report, so any markup contained in a scanned source file is rendered as live HTML. We need to investigate the best standard library (or OpenStack-sanctioned library) for HTML escaping and then apply it to the issue text.
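As an added illustration (not code from this bug report or from Bandit itself), a minimal report formatter that shows the defect beside the fix using the standard library's `html.escape`; the issue dictionary and template below are constructed stand-ins for Bandit's real data structures, not its API.

```python
import html

# Constructed sample issue: the "code" field is content lifted from a scanned
# source file, so it is attacker-controlled from the report's point of view.
SAMPLE_ISSUE = {
    "test_name": "subprocess_popen_with_shell_equals_true",
    "filename": "example.py",
    "line_number": 2,
    "code": 'import subprocess\nsubprocess.call("<b>echo</b> " + user, shell=True)',
}

# Hypothetical per-issue template; the <b> and <pre> tags are the report's own
# structural markup and are meant to be interpreted by the browser.
ISSUE_TEMPLATE = (
    '<div class="issue">\n'
    "  <b>{test_name}</b> at {filename}:{line_number}\n"
    "  <pre>{code}</pre>\n"
    "</div>\n"
)


def render_unescaped(issue):
    """The defective behaviour: untrusted fields dropped straight into HTML."""
    return ISSUE_TEMPLATE.format(**issue)


def render_escaped(issue):
    """Hardened version: every untrusted field goes through html.escape, so
    <, >, &, and quotes reach the browser as literal text, not markup."""
    safe = {k: html.escape(str(v), quote=True) for k, v in issue.items()}
    return ISSUE_TEMPLATE.format(**safe)


def snippet_contains_raw_tag(rendered, tag="<b>"):
    """Detection check: does markup from the snippet survive unescaped inside
    the <pre> body, i.e. would the browser interpret it?"""
    start = rendered.index("<pre>") + len("<pre>")
    end = rendered.index("</pre>")
    return tag in rendered[start:end]
```

The same escaping must be applied to every field that originates from scanned input (file names and test names included), not only the code snippet.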
Changed in ossn:
assignee: nobody → Tim Kelsey (tim-kelsey)
status: New → In Progress
Alright guys, what's the best way to HTML escape? We should roll a new release for this ASAP.