Comment 8 for bug 1567673

Richard Jones (r1chardj0n3s) wrote : Re: Possible client side template injection in horizon

I believe the following code, added to the top of settings.py in Horizon, will blanket fix this issue.
    import django.utils.html
    from django.utils.safestring import mark_safe

    def escape(text, existing=django.utils.html.escape):
        # replace our angular markup string with a different string
        # (just happens to be the Django comment string)
        # mark_safe preserves Django's contract that escape() returns SafeText,
        # so conditional_escape() does not escape the result a second time
        return mark_safe(existing(text).replace('{$', '{%').replace('$}', '%}'))

    django.utils.html.escape = escape

I have not done a thorough analysis of whether this is further exploitable, though I believe it is not. I am not sure whether it will damage any data in OpenStack (I don't know whether "{$" and "$}" are valid values of data anywhere in OpenStack).
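As an added illustration (not code from the bug report or from Horizon), the stand-alone Python below shows why HTML escaping alone does not neutralise this: an Angular expression needs no angle brackets, so only the marker rewrite proposed above makes the rendered output inert. The stdlib `html.escape` stands in for `django.utils.html.escape` (an assumption for running offline), and the sample value is constructed.

```python
import html
import re

# Horizon's Angular interpolation delimiters, as named in the comment above.
ANGULAR_START, ANGULAR_END = "{$", "$}"


def html_escape(text):
    # Stand-in for django.utils.html.escape (assumption: close enough here;
    # both escape <, >, &, " and ').
    return html.escape(str(text), quote=True)


def escape_neutralizing_angular(text, existing=html_escape):
    # Mirror of the proposed wrapper: HTML-escape first, then break the
    # interpolation markers so the client-side compiler sees plain text.
    return existing(text).replace(ANGULAR_START, "{%").replace(ANGULAR_END, "%}")


_INTERP = re.compile(
    re.escape(ANGULAR_START) + r"(.*?)" + re.escape(ANGULAR_END), re.S
)


def interpolation_spans(rendered):
    # Expressions an Angular template compiler would still evaluate in
    # `rendered`; an empty list means the output is inert for these markers.
    return [m.group(1).strip() for m in _INTERP.finditer(rendered)]


def compare(value):
    # Side-by-side result of plain HTML escaping versus the wrapper.
    plain = html_escape(value)
    wrapped = escape_neutralizing_angular(value)
    return {
        "plain": plain,
        "plain_spans": interpolation_spans(plain),
        "wrapped": wrapped,
        "wrapped_spans": interpolation_spans(wrapped),
    }


if __name__ == "__main__":
    # Constructed sample: a field value carrying an Angular expression but no
    # angle brackets, so HTML escaping on its own leaves the expression intact.
    sample = "instance-{$ 1+1 $} <b>"
    for key, val in compare(sample).items():
        print(key, "->", val)
```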