Yes, the templates in this entire module appear to be improperly written.
As explained at the top of the Django Security docs: https://docs.djangoproject.com/en/dev/topics/security/
The automatic HTML escaping does NOT allow you to assign values into properties in templates. The fix for this (and the rest of the latent XSS issues in this module) is to go through all of the templates, eliminating any unescaped assignment to properties.
Furthermore, the url construction needs to be refactored to properly use Django's url reversing mechanisms, preferably inside the templates. As it currently stands, things like this: https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/stacks/templates/stacks/_stack_info.html#L14
are likely to be vulnerabilities. I'll take a look through the templates and catalog a detailed list of things that need to be cleaned up.
Fixing this and related bugs is going to be a relatively large cleanup task.
It's probably worth auditing the rest of the Horizon templates for this kind of behavior, since clearly existing code reviewers didn't know to look for this pattern of abuse.
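The two patterns the comment above warns about, shown as an added example that is not part of this bug report and is not Horizon or Django code. Django's autoescape turns `< > & " '` into entities, which is also what the standard library's `html.escape(quote=True)` does, so it stands in for `{{ value }}` here and the example runs without Django. The render helpers, the `is_safe_url` check and the payload strings are constructed for this illustration; `parsed_attributes` uses the stdlib HTML parser to show which attributes a browser would actually see. Django's `reverse()` is the right fix for the href case in a real template, but it is not imported here.

```python
"""
Why template autoescaping is not enough when an untrusted value lands in an
HTML attribute or a URL. Added example, not Horizon or Django code.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attacker-controlled values (think: a user-chosen stack name or
# a link field that ends up in a template variable).
UNQUOTED_ATTR_PAYLOAD = "x onmouseover=alert(1)"
JS_URL_PAYLOAD = "javascript:alert(document.cookie)"


def escape(value: str) -> str:
    """Stand-in for Django's autoescape: replaces < > & " ' with entities."""
    return html.escape(value, quote=True)


def render_unquoted_attr(user_value: str) -> str:
    """Bug pattern: <span class={{ value }}> with no quotes around the value.
    None of < > & " ' appear in the payload, so escaping changes nothing, and
    the space inside it ends the attribute and starts a new one."""
    return f"<span class={escape(user_value)}>"


def render_quoted_attr(user_value: str) -> str:
    """Fix: quote the attribute. The escaped value cannot close the quotes."""
    return f'<span class="{escape(user_value)}">'


def render_href_unchecked(user_url: str) -> str:
    """Bug pattern: href="{{ url }}" built straight from an untrusted value.
    Escaping leaves the 'javascript:' scheme untouched."""
    return f'<a href="{escape(user_url)}">link</a>'


SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative paths


def is_safe_url(user_url: str) -> bool:
    """Allow only http(s) or relative URLs (assumed policy for this example).
    Control characters and whitespace are stripped first because browsers
    ignore them when reading the scheme ('java\\tscript:' still runs)."""
    cleaned = re.sub(r"[\x00-\x20]", "", user_url)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


def render_href_checked(user_url: str) -> str:
    """Fix: validate the scheme before it reaches the attribute. In a real
    template the href should come from reverse()/{% url %} instead."""
    if not is_safe_url(user_url):
        user_url = "#"
    return f'<a href="{escape(user_url)}">link</a>'


class _AttrCollector(HTMLParser):
    """Collects the attributes of every start tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)


def parsed_attributes(markup: str) -> dict:
    """Return {attribute: value} for the tags in the rendered markup."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for label, markup in [
        ("unquoted attr", render_unquoted_attr(UNQUOTED_ATTR_PAYLOAD)),
        ("quoted attr  ", render_quoted_attr(UNQUOTED_ATTR_PAYLOAD)),
        ("href raw     ", render_href_unchecked(JS_URL_PAYLOAD)),
        ("href checked ", render_href_checked(JS_URL_PAYLOAD)),
    ]:
        print(f"{label}: {markup!r:60} -> {parsed_attributes(markup)}")
```

The unquoted case yields an `onmouseover` attribute even though every character passed through the escaper; the quoted case keeps the whole payload inside `class`. For the href case, escaping is irrelevant because no markup is injected at all: the attribute value is simply a URL the browser will execute, which is why such links need to be generated by the URL resolver rather than assembled from template variables.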