Reviewed: https://review.openstack.org/86059
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=198dba6a2d92b8157b86285f5b0cb000e64ae7ac
Submitter: Jenkins
Branch: master
commit 198dba6a2d92b8157b86285f5b0cb000e64ae7ac
Author: CristianFiorentino <email address hidden>
Date: Mon Mar 10 17:36:31 2014 -0300
Introduces escaping in Horizon/Orchestration
1) Escape help_text a second time to avoid bootstrap tooltip XSS issue
The "Description" parameter in a Heat template is used to populate
a help_text tooltip in the dynamically generated Heat form. Bootstrap
inserts this tooltip into the DOM using .html() which undoes any
escaping we do in Django (it should be using .text()).
This was fixed by forcing the help_text content to be escaped a second
time. The issue itself is mitigated in bootstrap.js release 2.0.3
(ours is currently 2.0.1).
2) Properly escape untrusted Heat template 'outputs'
The 'outputs' parameter in a Heat template was included in a Django
template with HTML autoescaping turned off. Malicious HTML content
could be included in a Heat template and would be rendered by Horizon
when details about a created stack were displayed.
This was fixed by not disabling autoescaping and explicitly escaping
untrusted values in any strings that are later marked "safe" to render
without further escaping.
Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
Closes-Bug: #1289033
Co-Authored-By: Kieran Spear <email address hidden>
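The two fixes in the commit message, modelled as a runnable example added here; this is not Horizon's or Django's code. The names SafeString, mark_safe, escape, force_escape and format_html imitate Django's helpers on top of html.escape; the browser's one-time decoding of attribute entities and Bootstrap's .html() versus .text() insertion are simulated with html.unescape and a tag regex; SAMPLE_OUTPUTS is constructed Heat stack output data.

```python
"""Model of the two Horizon escaping fixes: double-escaped help_text for a
tooltip inserted via .html(), and autoescaped Heat stack 'outputs'.

Added example, not Horizon's or Django's code. Django's escape()/mark_safe()
and the browser + Bootstrap behaviour are simulated so it runs offline.
"""
import html
import re

# Anything that parses as a tag once the string reaches .html().
TAG_RE = re.compile(r"<[a-zA-Z/!][^>]*>")


class SafeString(str):
    """Marks a string as already escaped (models Django's SafeString)."""


def mark_safe(s):
    return SafeString(s)


def escape(value):
    """Autoescape semantics: escape plain strings, leave SafeString alone."""
    if isinstance(value, SafeString):
        return value
    return mark_safe(html.escape(str(value), quote=True))


def force_escape(value):
    """Escape unconditionally, even if already marked safe (the 'second time')."""
    return mark_safe(html.escape(str(value), quote=True))


# ---- Fix 1: help_text tooltip inserted by Bootstrap via .html() ----------

def render_help_text_attr(description, escape_times):
    """Server side: the Heat 'Description' becomes help_text and is written
    into a data-original-title="..." attribute. escape_times=1 is the
    pre-fix behaviour, escape_times=2 is the fix."""
    value = description
    for _ in range(escape_times):
        value = force_escape(value)
    return str(value)


def attribute_value_seen_by_js(attr_markup):
    """Browser side: entity references in an attribute are decoded once
    before JavaScript (Bootstrap) reads the value."""
    return html.unescape(attr_markup)


def tooltip_html(title):
    """Models Bootstrap 2.0.1 inserting the title with .html().
    Returns (markup_interpreted, visible_text)."""
    if TAG_RE.search(title):
        return True, TAG_RE.sub("", title)   # tags become live DOM nodes
    return False, html.unescape(title)       # only entities are decoded


def tooltip_text(title):
    """Models the .text() insertion the commit message says Bootstrap should use."""
    return False, title


def tooltip_outcome(description, escape_times, insert=tooltip_html):
    attr = render_help_text_attr(description, escape_times)
    return insert(attribute_value_seen_by_js(attr))


# ---- Fix 2: stack 'outputs' rendered with autoescape turned off ----------

# Constructed Heat stack outputs, as Horizon would receive them.
SAMPLE_OUTPUTS = [
    {"output_key": "url", "output_value": "http://10.0.0.5/"},
    {"output_key": "note", "output_value": "<b>markup in a template</b>"},
]


def render_outputs(outputs, autoescape):
    """Models a template loop emitting <dt>{{ key }}</dt><dd>{{ value }}</dd>.
    autoescape=False reproduces the {% autoescape off %} the fix removed."""
    parts = []
    for out in outputs:
        key, value = out["output_key"], out["output_value"]
        if autoescape:
            key, value = escape(key), escape(value)
        parts.append("<dt>%s</dt><dd>%s</dd>" % (key, value))
    return mark_safe("".join(parts))


def format_html(fmt, *args):
    """Escape each untrusted argument before composing a string that is
    then marked safe: the pattern the second fix describes."""
    return mark_safe(fmt.format(*(escape(a) for a in args)))


if __name__ == "__main__":
    desc = "<b>Injected</b> description"
    print(tooltip_outcome(desc, 1))  # (True, 'Injected description')
    print(tooltip_outcome(desc, 2))  # (False, '<b>Injected</b> description')
    print(tooltip_outcome(desc, 1, tooltip_text))
    print(render_outputs(SAMPLE_OUTPUTS, autoescape=False))
    print(render_outputs(SAMPLE_OUTPUTS, autoescape=True))
    print(format_html('<a href="{}">{}</a>', "http://10.0.0.5/?a=1&b=2", "<x>"))
```

With a single escape the attribute decoding undoes the server's work and .html() treats the description as markup; with the second escape the tooltip receives entity text and displays the tags literally, which is why the fix works even while Bootstrap 2.0.1 still calls .html(). For the outputs, the fixed path escapes each value at the point it enters the string, and only the assembled result is marked safe.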