From bbb5791b659739975e38fe578fb1893334ee3c37 Mon Sep 17 00:00:00 2001 From: CristianFiorentino Date: Mon, 10 Mar 2014 17:36:31 -0300 Subject: [PATCH] Introduces escaping in Horizon/Orchestration No proper characters escaping were found in Horizon templates for field.help_text in help-block and in "outputs row-fluid detail". These cases may lead to XSS escenarios, as the ones identified in Horizon/Orchestration where scripts may be introduced via the "Description" parameter fields, or via the "outputs value" in Heat templates. This fix introduces a force_escape filter in _form_fields.html given field.help_test does not automatically perform escaping. Also removes "autoescape off" from "outputs row-fluid detail" in _details_overview. Closes-Bug: #1289033 --- horizon/templates/horizon/common/_form_fields.html | 2 +- .../dashboards/project/stacks/templates/stacks/_detail_overview.html | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/horizon/templates/horizon/common/_form_fields.html b/horizon/templates/horizon/common/_form_fields.html
index 1fbe846..5d1813b 100644
--- a/horizon/templates/horizon/common/_form_fields.html
+++ b/horizon/templates/horizon/common/_form_fields.html
@@ -19,7 +19,7 @@ {{ error }} {% endfor %} {% endif %}
- {{ field.help_text }}
+ {% filter force_escape %} {{ field.help_text }} {% endfilter %}
{{ field }}
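Review bot: `force_escape` on the new help-block line escapes unconditionally, including strings already marked safe, so any help_text that Horizon deliberately builds with `mark_safe` to carry a link or other intentional markup will now render its tags literally; that may be acceptable, but it is a behaviour change beyond the XSS fix and the form classes setting help_text should be audited. Under Django's default autoescaping a plain or lazily-translated `{{ field.help_text }}` is already escaped, so this change only alters output where the value is marked safe or the template is rendered with autoescape off — which of those the reported bug relied on is not visible from this hunk. `{{ field.help_text|force_escape }}` is equivalent to the `{% filter %}` block and avoids the extra whitespace it introduces inside the help block. Either way, leave a note so a later cleanup does not drop it: `{# help_text may carry user-supplied text (e.g. Heat parameter descriptions); escape it unconditionally #}`.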
diff --git a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
index f4756e0..33fe783 100644
--- a/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
+++ b/openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html
@@ -36,9 +36,8 @@
{{ output.output_key }}
{{ output.description }}
- {% autoescape off %} {{ output.output_value|stack_output }} - {% endautoescape %}
+ {% endfor %} -- 1.8.3.2
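Review bot: Dropping `{% autoescape off %}` around `output.output_value|stack_output` only closes the hole if the `stack_output` filter returns an ordinary (unsafe) string; a filter registered with `is_safe=True` or returning `mark_safe(...)` is exempt from autoescaping, so `output_value` would still reach the page unescaped. That filter is not part of this patch, so please confirm it escapes the value before any `mark_safe` call and add a regression test that renders an output value such as `<script>alert(1)</script>` and asserts the tag is escaped. The surviving `+` line of this hunk appears to have lost its markup in this rendering, so what replaced the removed block cannot be checked here; the enclosing `{% for %}` loop over the stack outputs begins outside the hunk.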