Comment 13 for bug 1453074

Lin Hua Cheng (lin-hua-cheng) wrote : Re: help_text parameter of fields is vulnerable to arbitrary html injection

Tristan: Icehouse is not affected; this is because the help_text is always escaped in the HTML template.

Juno - assume that help text is always safe:
        <span class="help-icon" data-toggle="tooltip"
              data-placement="top" title="{{ field.help_text|safe }}">

Icehouse - always escape the text:
        <span class="help-block">{% filter force_escape %} {{ field.help_text }} {% endfilter %} </span>
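Added example, not part of the bug report or of Horizon's code: the two template snippets above differ only in whether help_text passes through `|safe` (rendered verbatim) or `force_escape` (entity-encoded). The block below reproduces that difference with the Python standard library, using `html.escape` as a stand-in for Django's `force_escape` (both encode `& < > " '`), renders the Juno tooltip markup both ways, and parses the result with `html.parser` to show that an unescaped value containing a double quote terminates the `title` attribute early and adds attributes the template never declared, while the escaped value stays inside `title`. The sample help text is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample (not from the bug report): ordinary help text with a
# stray double quote, which is all it takes to close title="..." early.
SAMPLE_HELP_TEXT = 'Size in GB" data-injected="yes'

# The Juno tooltip markup quoted in the comment, with a placeholder where
# {{ field.help_text|safe }} was.
TOOLTIP_TEMPLATE = ('<span class="help-icon" data-toggle="tooltip" '
                    'data-placement="top" title="{help_text}">')


def force_escape(value):
    """Stand-in for Django's force_escape filter (assumption: same
    character set). & < > " and ' become HTML entities."""
    return html.escape(value, quote=True)


def render_with_safe(help_text):
    """Juno behaviour: |safe marks the value trusted, so the template
    engine inserts it verbatim into the title attribute."""
    return TOOLTIP_TEMPLATE.format(help_text=help_text)


def render_with_escape(help_text):
    """Same tooltip markup, but help_text is escaped first, as the
    Icehouse help-block template does with {% filter force_escape %}."""
    return TOOLTIP_TEMPLATE.format(help_text=force_escape(help_text))


class FirstTagAttrs(HTMLParser):
    """Collect the attributes of the first start tag the browser-like
    parser sees. Attribute values come back entity-decoded."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parse_first_tag_attrs(markup):
    """Return {attribute name: value} for the first tag in markup.
    Attribute names that the template did not declare indicate that
    untrusted text broke out of the title attribute."""
    parser = FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def undeclared_attributes(markup):
    """Check: which attributes are present beyond the four the template
    declares? Empty means the value stayed inside title="..."."""
    declared = {"class", "data-toggle", "data-placement", "title"}
    return sorted(set(parse_first_tag_attrs(markup)) - declared)


if __name__ == "__main__":
    unsafe = render_with_safe(SAMPLE_HELP_TEXT)
    safe = render_with_escape(SAMPLE_HELP_TEXT)
    print("|safe          ->", unsafe)
    print("  undeclared attrs:", undeclared_attributes(unsafe))
    print("force_escape   ->", safe)
    print("  undeclared attrs:", undeclared_attributes(safe))
    print("  title as the browser reads it:",
          parse_first_tag_attrs(safe)["title"])
```

The escaped rendering still shows the full help text in the tooltip, because the parser decodes `&quot;` back to `"` inside the attribute value; escaping changes what the markup means, not what the user sees. The `undeclared_attributes` check is the kind of assertion a template test can make for any field that renders user-influenced text into an attribute.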