Comment 24 for bug 1289033

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/86059
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=198dba6a2d92b8157b86285f5b0cb000e64ae7ac
Submitter: Jenkins
Branch: master

commit 198dba6a2d92b8157b86285f5b0cb000e64ae7ac
Author: CristianFiorentino <email address hidden>
Date: Mon Mar 10 17:36:31 2014 -0300

    Introduces escaping in Horizon/Orchestration

    1) Escape help_text a second time to avoid bootstrap tooltip XSS issue

    The "Description" parameter in a Heat template is used to populate
    a help_text tooltip in the dynamically generated Heat form. Bootstrap
    inserts this tooltip into the DOM using .html() which undoes any
    escaping we do in Django (it should be using .text()).

    This was fixed by forcing the help_text content to be escaped a second
    time. The issue itself is mitigated in bootstrap.js release 2.0.3
    (ours is currently 2.0.1).

    2) Properly escape untrusted Heat template 'outputs'

    The 'outputs' parameter in a Heat template was included in a Django
    template with HTML autoescaping turned off. Malicious HTML content
    could be included in a Heat template and would be rendered by Horizon
    when details about a created stack were displayed.

    This was fixed by not disabling autoescaping and explicitly escaping
    untrusted values in any strings that are later marked "safe" to render
    without further escaping.

    Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
    Closes-Bug: #1289033
    Co-Authored-By: Kieran Spear <email address hidden>
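The two escaping problems the commit describes, modelled in plain Python as an added example (this is not Horizon code): `html.escape` stands in for Django autoescaping, the browser's attribute decoding and the `.html()` tooltip sink are simulated, and the function names and Heat output field names are assumptions chosen for illustration.

```python
import html


def django_autoescape(value: str) -> str:
    """One round of Django-style HTML escaping (modelled with html.escape)."""
    return html.escape(value, quote=True)


def render_help_text(description: str, escape_twice: bool) -> str:
    """Value Horizon puts in the form field's title attribute.

    escape_twice=False is the pre-fix behaviour (autoescape only);
    escape_twice=True is the fix: escape explicitly, then let autoescape run.
    """
    value = django_autoescape(description) if escape_twice else description
    return django_autoescape(value)


def tooltip_dom_input(description: str, escape_twice: bool) -> str:
    """String Bootstrap 2.0.1 hands to jQuery .html() when showing the tooltip.

    The browser decodes the title attribute once, so a single escape is undone
    and any markup in the Heat 'Description' is parsed live by .html().
    Double escaping leaves entities behind, which .html() renders as text.
    """
    attribute_value = render_help_text(description, escape_twice)
    return html.unescape(attribute_value)  # one decode by the browser


def render_outputs(outputs: list) -> str:
    """Post-fix rendering of Heat stack outputs as one fragment marked safe.

    Each untrusted value is escaped before being joined, so marking the
    assembled string safe cannot smuggle template-supplied HTML through.
    Field names follow the Heat output structure (assumed here).
    """
    rows = []
    for out in outputs:
        key = django_autoescape(str(out["output_key"]))
        val = django_autoescape(str(out["output_value"]))
        rows.append("<dt>%s</dt><dd>%s</dd>" % (key, val))
    return "<dl>" + "".join(rows) + "</dl>"


if __name__ == "__main__":
    desc = "<b>constructed sample</b>"  # constructed Heat 'Description'
    print("single escape ->", tooltip_dom_input(desc, escape_twice=False))
    print("double escape ->", tooltip_dom_input(desc, escape_twice=True))
```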