From f7cf9e7e6caa05e5041b79afda75a2a4b10ec768 Mon Sep 17 00:00:00 2001
From: CristianFiorentino
Date: Mon, 10 Mar 2014 17:36:31 -0300
Subject: [PATCH] Introduces escaping in template field.help_text
No characters escaping was found in Horizon templates for field.help_text in help-block. This may lead to XSS escenarios, as the one identified in Horizon/Orchestration, where scripts may be introduced via the "Description" parameter fields in Heat templates. This fix introduces a force_escape filter in _form_fields.html given field.help_test does not automatically perform escaping (autoescape and escape filters were found not to work here).
Closes-Bug: #1289033
---
 horizon/templates/horizon/common/_form_fields.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/horizon/templates/horizon/common/_form_fields.html b/horizon/templates/horizon/common/_form_fields.html
index 1fbe846..5d1813b 100644
--- a/horizon/templates/horizon/common/_form_fields.html
+++ b/horizon/templates/horizon/common/_form_fields.html
@@ -19,7 +19,7 @@
 {{ error }}
 {% endfor %}
 {% endif %}
- {{ field.help_text }}
+ {% filter force_escape %} {{ field.help_text }} {% endfilter %}
{{ field }}
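Review bot: `force_escape` on the added line escapes values that were already marked safe, so any existing form whose help_text was built with `mark_safe` to carry a link or other markup will now render the tags literally; that should be checked across the forms rendered through this template before merging. Because `{{ field.help_text }}` under autoescape would normally be escaped on its own, the commit message's finding that `escape`/`autoescape` did not work suggests the value reaches the template already marked safe upstream, which is worth tracing, since the same value may be rendered by templates this patch does not touch. A template comment on the new line would record the intent for future readers: `{# help_text can be user-supplied (e.g. Heat parameter descriptions); force_escape ignores SafeData, so help text must not rely on embedded markup #}`. The surrounding markup of this hunk appears stripped in this rendering, so the exact element the filter sits in cannot be confirmed here.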
-- 1.8.3.2