Comment 4 for bug 1308727

Paul McMillan (paul-mcmillan) wrote : Re: XSS in Horizon Heat template - resource name

Yes, the templates in this entire module appear to be improperly written.

As explained at the top of the Django Security docs:
https://docs.djangoproject.com/en/dev/topics/security/

The automatic HTML escaping does NOT allow you to assign values into properties in templates. The fix for this (and the rest of the latent XSS issues in this module) is to go through all of the templates, eliminating any unescaped assignment to properties.

Furthermore, the url construction needs to be refactored to properly use Django's url reversing mechanisms, preferably inside the templates. As it currently stands, things like this:
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/stacks/templates/stacks/_stack_info.html#L14
are likely to be vulnerabilities. I'll take a look through the templates and catalog a detailed list of things that need to be cleaned up.

Fixing this and related bugs is going to be a relatively large cleanup task.

It's probably worth auditing the rest of the Horizon templates for this kind of behavior, since clearly existing code reviewers didn't know to look for this pattern of abuse.
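An added example of the kind of template audit the comment proposes (this is not code from the bug thread or from Horizon): a small stdlib-only linter that walks Django template text and flags the patterns auto-escaping does not cover, namely a variable in an unquoted attribute value, a variable inside an event-handler attribute or `<script>` block, a URL assembled by string concatenation instead of `{% url %}`, and any `|safe` or `{% autoescape off %}`. The two sample templates are constructed for the example; the URL name `horizon:project:stacks:detail` is assumed, and the `json_script` filter in the corrected sample is a later Django addition, not something available when this bug was filed.

```python
"""Heuristic audit of Django templates for escaping contexts auto-escape does not protect."""
import re

# Constructed sample templates, not Horizon's own files. The first mirrors the
# patterns the bug comment describes; the second shows the corrected forms.
SAMPLE_TEMPLATES = {
    "unsafe.html": (
        '<div class={{ stack.name }}>{{ stack.name }}</div>\n'
        '<a href="/project/stacks/{{ stack.id }}/">{{ stack.name }}</a>\n'
        '<button onclick="showStack(\'{{ stack.name }}\')">Show</button>\n'
        '<script>var name = "{{ stack.name }}";</script>\n'
        '<p>{{ stack.description|safe }}</p>\n'
    ),
    "safe.html": (
        '<div class="{{ stack.name }}">{{ stack.name }}</div>\n'
        # URL name is assumed for the example; {% url %} reverses it server-side.
        '<a href="{% url \'horizon:project:stacks:detail\' stack.id %}">{{ stack.name }}</a>\n'
        # json_script emits a JSON <script> element with proper escaping (Django 2.1+).
        '{{ stack_json|json_script:"stack-data" }}\n'
        '<script>var data = JSON.parse(document.getElementById("stack-data").textContent);</script>\n'
    ),
}

# (rule name, regex applied per line, explanation shown to the reviewer)
RULES = [
    ("UNQUOTED_ATTR", re.compile(r'\b[\w-]+\s*=\s*\{\{'),
     "variable in an unquoted attribute value: HTML escaping cannot prevent attribute injection"),
    ("EVENT_HANDLER", re.compile(r'\bon\w+\s*=\s*["\'][^>]*?\{\{'),
     "variable inside an event-handler attribute: entities are decoded before the JS is parsed"),
    ("HARDCODED_URL", re.compile(r'\b(?:href|src|action)\s*=\s*["\'][^"\'{]*/[^"\']*\{\{'),
     "URL built by string concatenation: use {% url %} reversing instead"),
    ("SAFE_FILTER", re.compile(r'\|\s*safe\b|\{%\s*autoescape\s+off'),
     "auto-escaping disabled for this value"),
]


def audit_template(text):
    """Return [(line_no, rule_name, stripped_line)] for every suspicious line.

    The checks are heuristics meant to shortlist templates for a human read,
    not a proof of safety: a template with no findings still needs review.
    """
    findings = []
    in_script = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if "<script" in line:
            in_script = True
        for name, pattern, _ in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
        # A template variable interpolated into inline JS is a separate context;
        # HTML auto-escaping is the wrong escaper there. json_script is exempt.
        if in_script and "{{" in line and "json_script" not in line:
            findings.append((lineno, "SCRIPT_BLOCK", line.strip()))
        if "</script>" in line:
            in_script = False
    return findings


def audit_all(templates=SAMPLE_TEMPLATES):
    """Map each template name to the ordered list of rule names it triggered."""
    return {name: [rule for _, rule, _ in audit_template(text)]
            for name, text in templates.items()}


def explain(rule_name):
    """Look up the reviewer-facing explanation for a rule (SCRIPT_BLOCK is implicit)."""
    for name, _, message in RULES:
        if name == rule_name:
            return message
    return "variable interpolated inside a <script> block: needs JS-context encoding"


if __name__ == "__main__":
    for name, text in SAMPLE_TEMPLATES.items():
        print(f"== {name}")
        for lineno, rule, snippet in audit_template(text):
            print(f"  line {lineno}: {rule}: {explain(rule)}\n    {snippet}")
```

Run against a real tree by reading each `*.html` under the templates directory into `audit_template`; every `HARDCODED_URL` finding is a candidate for `{% url %}`, and every `UNQUOTED_ATTR` finding is fixed by quoting the attribute, which is the one-line change that makes Django's escaping of `"` and `'` actually enforce the attribute boundary.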