Comment 12 for bug 1289033

Kieran Spear (kspear) wrote : Re: XSS in Horizon-Orchestration

Thanks Cristian. The patch fixes the issue for me too. I would really like to understand *why* this help_text variable isn't autoescaped in the original template though. I haven't been able to answer that question.

BUT in reviewing this I've discovered another related issue that we'll need to fix at the same time:

openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html uses {% autoescape off %}

This makes Horizon vulnerable to script data inside the "outputs" section of a Heat template:

outputs:
  instance_ip:
    description: The IP address of the deployed instance
    value: "<script>alert('XSS!!!')</script>"

After a stack is created successfully, clicking through to the detail of that particular stack will run the script.
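As an added check for the class of bug described in this comment (not Horizon's own code, and not part of the original thread), the following script audits Django template source for variables that reach the browser unescaped: anything rendered inside `{% autoescape off %}` without an explicit escape filter, plus anything marked `|safe`. The template below is a constructed stand-in that reproduces the `_detail_overview.html` pattern, not the real file, and the `output_key`/`output_value`/`description` field names are assumptions.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a stacks detail template, NOT Horizon's real
# _detail_overview.html; it reproduces the {% autoescape off %} pattern.
TEMPLATE = """\
<h3>{% trans "Outputs" %}</h3>
{% autoescape off %}
{% for output in stack.outputs %}
  <dt>{{ output.output_key }}</dt>
  <dd>{{ output.output_value|escape }}</dd>
  <dd>{{ output.description }}</dd>
{% endfor %}
{% endautoescape %}
<p>{{ stack.stack_name }}</p>
<p>{{ stack.description|safe }}</p>
"""

TOKEN = re.compile(r"{%.*?%}|{{.*?}}")
AUTOESCAPE = re.compile(r"{%\s*autoescape\s+(on|off)\s*%}|{%\s*endautoescape\s*%}")
VARIABLE = re.compile(r"{{\s*(.+?)\s*}}")
ESCAPE_FILTERS = {"escape", "force_escape", "escapejs"}


def find_unescaped_vars(template_src: str) -> List[Tuple[int, str]]:
    """Return (line, expression) for every {{ ... }} rendered without escaping:
    inside {% autoescape off %} with no escape filter, or marked |safe."""
    findings = []
    state = []  # stack of autoescape states; Django's default is on (True)
    for lineno, line in enumerate(template_src.splitlines(), start=1):
        for tok in TOKEN.findall(line):
            tag = AUTOESCAPE.fullmatch(tok)
            if tag:
                if tag.group(1) is None:       # {% endautoescape %}
                    if state:
                        state.pop()
                else:                          # {% autoescape on|off %}
                    state.append(tag.group(1) == "on")
                continue
            var = VARIABLE.fullmatch(tok)
            if not var:
                continue
            expr = var.group(1)
            filters = {f.strip().split(":")[0] for f in expr.split("|")[1:]}
            escaping_on = state[-1] if state else True
            if "safe" in filters or (not escaping_on and not filters & ESCAPE_FILTERS):
                findings.append((lineno, expr))
    return findings
```

Run against the constructed template it reports `output.output_key`, `output.description` and `stack.description|safe`, while the `|escape`-filtered value and the variable outside the block pass; the same Heat output value from the comment above would be emitted verbatim at each reported location.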