Thanks Cristian. The patch fixes the issue for me too. I would really like to understand *why* this help_text variable isn't autoescaped in the original template though. I haven't been able to answer that question.
BUT in reviewing this I've discovered another related issue that we'll need to fix at the same time:
openstack_dashboard/dashboards/project/stacks/templates/stacks/_detail_overview.html uses {% autoescape off %}
This makes Horizon vulnerable to script data inside the "outputs" section of a Heat template:
outputs:
  instance_ip:
    description: The IP address of the deployed instance
    value: "<script>alert('XSS!!!')</script>"
After a stack is created successfully, clicking through to the detail of that particular stack will run the script.
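To make the effect of `{% autoescape off %}` concrete, here is an added example (not Horizon's template code and not part of the comment above) that re-implements, in plain Python, what the stacks detail view does with the "outputs" section: render each output's description and value into a table either verbatim (the `autoescape off` case) or escaped (Django's default behaviour, with the standard library's `html.escape` standing in for Django's `conditional_escape`). `HEAT_OUTPUTS` is a constructed Heat outputs section carrying the same script payload as the bug report; `find_markup_in_outputs` is a hypothetical helper showing the check a reviewer could run over stack outputs before trusting them in a template.

```python
import html

# Constructed sample input: the "outputs" section of a Heat template as a
# dict, one entry carrying the attacker-controlled payload from the report
# and one benign entry for contrast.
HEAT_OUTPUTS = {
    "instance_ip": {
        "description": "The IP address of the deployed instance",
        "value": "<script>alert('XSS!!!')</script>",
    },
    "public_url": {
        "description": "Public URL of the service",
        "value": "http://203.0.113.10/",
    },
}


def render_outputs(outputs, autoescape=True):
    """Render the outputs table the way a Django template would.

    autoescape=False mimics a template wrapped in {% autoescape off %}:
    every value is written into the page verbatim, so a <script> tag in
    a stack output becomes live markup in the browser.
    autoescape=True mimics Django's default, with html.escape standing in
    for Django's conditional_escape (this is a hypothetical stand-in, not
    Horizon's own rendering code).
    """
    esc = html.escape if autoescape else (lambda s: s)
    rows = []
    for name, out in outputs.items():
        rows.append(
            "<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
            % (
                esc(name),
                esc(str(out.get("description", ""))),
                esc(str(out.get("value", ""))),
            )
        )
    return "<table>" + "".join(rows) + "</table>"


def find_markup_in_outputs(outputs):
    """Return (output name, field) pairs whose text contains HTML-special
    characters. Stack outputs are user data from the Heat template, so any
    such character is a sign the value must not reach an unescaped template."""
    suspicious = []
    for name, out in outputs.items():
        for field in ("description", "value"):
            text = str(out.get(field, ""))
            if any(ch in text for ch in "<>\"'&"):
                suspicious.append((name, field))
    return suspicious


if __name__ == "__main__":
    print("autoescape off:", render_outputs(HEAT_OUTPUTS, autoescape=False))
    print("autoescape on: ", render_outputs(HEAT_OUTPUTS, autoescape=True))
    print("outputs carrying markup:", find_markup_in_outputs(HEAT_OUTPUTS))
```

With autoescape off the rendered table contains the literal `<script>` tag; with escaping on it contains `&lt;script&gt;` and the browser shows the payload as text. The fix on the Horizon side is the same idea: drop `{% autoescape off %}` (or escape the output values explicitly) so stack outputs are treated as data, not markup.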