Comment 9 for bug 1308727

Paul McMillan (paul-mcmillan) wrote : Re: XSS in Horizon Heat template - resource name

I'm not familiar enough with the codebase to conclusively say that the second two instances don't pull the UUID or any part of the physical resource URL from a user-provided value. We've had problems in the past where arbitrary Unicode was allowed in things like project or usernames, but then caused problems in URLs like these.

Additionally, it's not uncommon throughout OpenStack to generate a fully qualified URL from the current HTTP request host, which can result in various kinds of stored XSS. See, for example, this similar vulnerability: https://www.djangoproject.com/weblog/2013/feb/19/security/#s-issue-host-header-poisoning
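The following is an added example, not part of the original comment and not Horizon's or Heat's code. It sketches how a link can be built defensively when both the request host and the resource name are untrusted. The allowlist values, the URL layout and the function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Hypothetical allowlist of hosts this deployment serves
# (Django's ALLOWED_HOSTS setting plays the same role).
ALLOWED_HOSTS = {"horizon.example.org", "horizon.example.org:8443"}

# Syntactic check: hostname characters only, optional numeric port.
_HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?(:\d{1,5})?")


class UntrustedHost(ValueError):
    """Raised when the Host header is malformed or not on the allowlist."""


def validated_host(host_header):
    """Return the normalized host, or raise if it cannot be trusted."""
    host = host_header.strip().lower()
    if not _HOST_RE.fullmatch(host) or host not in ALLOWED_HOSTS:
        raise UntrustedHost("rejected Host header: %r" % host_header)
    return host


def resource_link(host_header, stack_id, resource_name):
    """Build an HTML anchor for a stack resource.

    Encoding happens once per context: percent-encoding for the URL path
    segments, then HTML escaping for the attribute and the link text.
    """
    host = validated_host(host_header)
    # Hypothetical URL layout; safe="" also encodes "/" so a name cannot
    # add path segments.
    path = "/stacks/%s/resources/%s/" % (
        quote(stack_id, safe=""),
        quote(resource_name, safe=""),
    )
    url = "https://" + host + path
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(resource_name, quote=True),
    )
```
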