Comment 25 for bug 1289033

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (milestone-proposed)

Reviewed: https://review.openstack.org/86054
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=1b0106e2804a45e641433c4bd459e6bed85521c3
Submitter: Jenkins
Branch: milestone-proposed

commit 1b0106e2804a45e641433c4bd459e6bed85521c3
Author: CristianFiorentino <email address hidden>
Date: Mon Mar 10 17:36:31 2014 -0300

    Introduces escaping in Horizon/Orchestration

    1) Escape help_text a second time to avoid bootstrap tooltip XSS issue

    The "Description" parameter in a Heat template is used to populate
    a help_text tooltip in the dynamically generated Heat form. Bootstrap
    inserts this tooltip into the DOM using .html() which undoes any
    escaping we do in Django (it should be using .text()).

    This was fixed by forcing the help_text content to be escaped a second
    time. The issue itself is mitigated in bootstrap.js release 2.0.3
    (ours is currently 2.0.1).

    2) Properly escape untrusted Heat template 'outputs'

    The 'outputs' parameter in a Heat template was included in a Django
    template with HTML autoescaping turned off. Malicious HTML content
    could be included in a Heat template and would be rendered by Horizon
    when details about a created stack were displayed.

    This was fixed by not disabling autoescaping and explicitly escaping
    untrusted values in any strings that are later marked "safe" to render
    without further escaping.

    Change-Id: Icd9f9d9ca77068b12227d77469773a325c840001
    Closes-Bug: #1289033
    Co-Authored-By: Kieran Spear <email address hidden>
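The two fixes described in the commit message, as an added stdlib-only model (not Horizon's or the commit's own code): it shows why help_text rendered through a tooltip that uses `.html()` needs two escape passes, and how untrusted stack outputs are escaped before a fragment is treated as safe. Django's `escape()`/`mark_safe()` are stood in for by `html.escape()` and a plain `str`, and the sample description and outputs are constructed (all assumptions).

```python
# Added example, not Horizon's own code: models the two escaping bugs the
# commit fixes. Django's escape()/mark_safe() are replaced by html.escape()
# and a plain str (assumption), so it runs with the standard library only.
import html
import re

# Anything that still looks like a tag when .html() parses it becomes markup.
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def render_help_text_attr(description, escape_passes):
    """Django writes help_text into a tooltip attribute of the generated form.
    escape_passes=1 is the template's autoescape; 2 is the commit's fix."""
    for _ in range(escape_passes):
        description = html.escape(description, quote=True)
    return description


def browser_attribute_value(attr_text):
    """Stage 1: the HTML parser decodes entities once when it reads the attribute."""
    return html.unescape(attr_text)


def tooltip_interprets_markup(attr_value, use_html=True):
    """Stage 2: bootstrap 2.0.1 injects the title with .html(), which parses it
    as markup; .text() (what the commit says it should use) keeps it literal."""
    return use_html and bool(TAG_RE.search(attr_value))


def tooltip_is_safe(description, escape_passes, use_html=True):
    """True if the description reaches the page as literal text, not markup."""
    attr = render_help_text_attr(description, escape_passes)
    return not tooltip_interprets_markup(browser_attribute_value(attr), use_html)


def render_outputs(outputs):
    """Builds the stack-outputs fragment the way the fix does: every untrusted
    key and value is escaped *before* the whole string would go to mark_safe."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(html.escape(str(k)), html.escape(str(v)))
        for k, v in outputs.items())
    return "<table>" + rows + "</table>"


if __name__ == "__main__":
    desc = '<script>alert("stack")</script>'  # constructed Heat "Description"
    print("one escape, .html():", tooltip_is_safe(desc, 1))         # False: the bug
    print("two escapes, .html():", tooltip_is_safe(desc, 2))        # True: the fix
    print("one escape, .text():", tooltip_is_safe(desc, 1, False))  # True
    print(render_outputs({"website_url": "<b>constructed output</b>"}))
```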